[R-pkg-devel] Submission to CRAN when package needs personal data (API key)

Spencer Graves @pencer@gr@ve@ @ending from effectivedefen@e@org
Sat Sep 8 22:47:27 CEST 2018 


On 2018-09-08 14:02, Joshua Ulrich wrote:
> Hi Rainer,
>
> On Wed, Sep 5, 2018 at 2:28 AM, Rainer Krug <Rainer using krugs.de> wrote:
>> Hi
>>
>> I have a package at GitHub (https://github.com/rkrug/ROriginStamp) which I am
>> pre[paring for CRAN.
>>
>> It creates a trusted timestamp using the API fro OriginStamp
>> (https://originstamp.org/home) which requires an API key. Now this API should
>> not be made public, as to much traffic through one API key will lead to it’s
>> blocking.
>>
>> I have stored the key encrypted in the travis.yml, and the package passes all
>> tests.
>>
>> But if I send it to CRAN, it would fail the tests, as the api key is not in
>> the package itself.
>>
>> I could disable all tests for CRAN which need the API key, but I think it
>> would be better tu run the tests there as well (as an additional check to
>> travis).
>>
>> My question:
>>
>> Is there a way of storing the API key encrypted, so that only the CRAN test
>> servers can decrypt it, or is there another way can steal with this?
>>
> I have a similar issue with quantmod.  I need API keys to test some
> functionality and I would like the tests run regularly, so I can know
> when something breaks without having to wait for a user to report the
> change.
>
> I store the API keys in encrypted environment variable in TravisCI,
> and I check for those environment variables before running the tests
> that require them.
>
> Then I added a cron job on TravisCI to run the build if there hasn't
> been a build in the past 24 hours.  That solves the problem adequately
> for my purposes without adding any burden to CRAN.  Hopefully it works
> for your purposes too.


       So those tests don't run if the required environment variables 
are not there?


       Rainer's problem was getting a secure time stamp.  For his case, 
rather than skip the tests if the API keys were not there, one might 
take the time stamp from someplace else, perhaps with a note of the 
source of the time stamp.


       Spencer

> Best,
> Josh
>
>> Thanks,
>>
>> Rainer
>>
>>
>>
>> --
>> Rainer M. Krug, PhD (Conservation Ecology, SUN),
>> MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)
>>
>> University of Zürich
>>
>> Cell:       +41 (0)78 630 66 57
>> email:      Rainer using krugs.de
>> Skype:      RMkrug
>>
>> PGP: 0x0F52F982
>>
>>
>>
>>
>> ______________________________________________
>> R-package-devel using r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-package-devel
>>
>
>

More information about the R-package-devel mailing list