[R-pkg-devel] Submission to CRAN when package needs personal data (API key)

Rainer M Krug R@iner @ending from krug@@de
Tue Sep 11 08:49:45 CEST 2018 

Hi Josh,


> On 8 Sep 2018, at 21:02, Joshua Ulrich <josh.m.ulrich using gmail.com> wrote:
> 
> Hi Rainer,
> 
> On Wed, Sep 5, 2018 at 2:28 AM, Rainer Krug <Rainer using krugs.de> wrote:
>> Hi
>> 
>> I have a package at GitHub (https://github.com/rkrug/ROriginStamp) which I am
>> pre[paring for CRAN.
>> 
>> It creates a trusted timestamp using the API fro OriginStamp
>> (https://originstamp.org/home) which requires an API key. Now this API should
>> not be made public, as to much traffic through one API key will lead to it’s
>> blocking.
>> 
>> I have stored the key encrypted in the travis.yml, and the package passes all
>> tests.
>> 
>> But if I send it to CRAN, it would fail the tests, as the api key is not in
>> the package itself.
>> 
>> I could disable all tests for CRAN which need the API key, but I think it
>> would be better tu run the tests there as well (as an additional check to
>> travis).
>> 
>> My question:
>> 
>> Is there a way of storing the API key encrypted, so that only the CRAN test
>> servers can decrypt it, or is there another way can steal with this?
>> 
> I have a similar issue with quantmod.  I need API keys to test some
> functionality and I would like the tests run regularly, so I can know
> when something breaks without having to wait for a user to report the
> change.

Same motivation here.

> 
> I store the API keys in encrypted environment variable in TravisCI,
> and I check for those environment variables before running the tests
> that require them.

I am using the same approach for TravisCI and it works perfectly.

> 
> Then I added a cron job on TravisCI to run the build if there hasn't
> been a build in the past 24 hours.  That solves the problem adequately
> for my purposes without adding any burden to CRAN.  Hopefully it works
> for your purposes too.

I haven’t thought about the CRON job for TravisCI - good point. I will activate it straight away.

Thanks,

Rainer

> 
> Best,
> Josh
> 
>> Thanks,
>> 
>> Rainer
>> 
>> 
>> 
>> --
>> Rainer M. Krug, PhD (Conservation Ecology, SUN),
>> MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)
>> 
>> University of Zürich
>> 
>> Cell:       +41 (0)78 630 66 57
>> email:      Rainer using krugs.de
>> Skype:      RMkrug
>> 
>> PGP: 0x0F52F982
>> 
>> 
>> 
>> 
>> ______________________________________________
>> R-package-devel using r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-package-devel
>> 
> 
> 
> 
> --
> Joshua Ulrich  |  about.me/joshuaulrich
> FOSS Trading  |  www.fosstrading.com
> R/Finance 2018 | www.rinfinance.com

--
Rainer M. Krug, PhD (Conservation Ecology, SUN), MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)

University of Zürich

Cell:       +41 (0)78 630 66 57
email:      Rainer using krugs.de
Skype:      RMkrug

PGP: 0x0F52F982




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <https://stat.ethz.ch/pipermail/r-package-devel/attachments/20180911/1323a6ca/attachment.sig>

More information about the R-package-devel mailing list