[R-pkg-devel] Ensuring permanence and SHA consistency of released CRAN packages for validated software

Duncan Murdoch
Thu Mar 17 11:17:18 CET 2022


On 17/03/2022 5:14 a.m., Borini, Stefano wrote:
> 
>      If you want to guarantee that a CRAN package can be re-installed years
>      from now, *you* should be archiving a copy of it.
> 
> We do, in fact, but that's beside the point. The success of an opensource project depends on the user base. I don't control the budget of the company I work for, or how that money is allocated. All I can say is that I found an issue and I am reporting it, and it's an issue that in the python world has been dealt with. It does not require more effort. It actually requires less. Just don't rebuild a package that has already been built.

It's hard to convey tone in an email, but to me your post read more like 
a demand than a report of an issue.  I apologize for my misreading if 
that wasn't your intention.

> That said, I do have some budget of my own time, which I can use (and in fact I do use) to collaborate with opensource projects during my working hours, but as I don't have the keys to CRAN build system I can't really fix the issue myself.

Offering to track down the issue and fix it is a good thing.  You can't 
commit your change, but you could write it.  However, I'd guess it's not 
as easy as you suggest:  the build time entry is not the only place a 
timestamp could slip into a package.  From Dirk's message, it sounds as 
though he knows a lot about this, so you could work with him to propose 
a change to the R build process.

>    You may be negligent
>      by not doing so:  there's no guarantee that CRAN will still be
>      distributing *any* version of MASS when the auditors show up.
> 
> As I said, we do, but when you decide to host what is basically the official package index for a language, you acquire some responsibilities (if not contractual, at least moral), regardless if you are an opensource developer or not.

Now it sounds as if you are accusing CRAN of shirking its 
responsibilities.  CRAN is not responsible for your workflow, you are. 
If your workflow doesn't fit with CRAN's practices, you could fix your 
workflow.

As I said before, I don't know how it happened that there were two 
builds of MASS on CRAN, built 50 seconds apart.  But a guess is that it 
was built and published, but something appeared to indicate that things 
failed, or someone accidentally repeated some keystrokes, and the 
process was repeated.  You were unlucky enough to download it during 
that 50 second window.  It is not reasonable to suggest that errors like 
that should be impossible, but Dirk's project seems intended to reduce 
their impact.

Duncan Murdoch
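The point above that the build-time entry is not the only place a timestamp can slip into a package is easy to see on a tarball. The following is an added illustration, not code from this thread or from CRAN's build process: it constructs a tiny package-like tree, builds it twice 50 seconds apart (different `Packaged:` stamp, different file and gzip mtimes), and shows that the archive-level SHA-256 differs while a content-level hash that ignores those volatile fields matches. The package tree, stamps and epoch values are constructed; `Packaged:`, `Built:` and `Date/Publication:` are the DESCRIPTION fields that R and CRAN write at build/publication time, and treating them as the only volatile lines is this example's assumption.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree, shaped like an R source package (not a real CRAN package).
# The DESCRIPTION carries a {stamp} placeholder filled in at "build" time.
PKG_FILES = {
    "MASSlike/DESCRIPTION": "Package: MASSlike\nVersion: 0.0.1\nPackaged: {stamp}; builder\n",
    "MASSlike/NAMESPACE": 'exportPattern("^[[:alpha:]]+")\n',
    "MASSlike/R/hello.R": "hello <- function() 'hi'\n",
}

# DESCRIPTION lines rewritten at build or publication time (assumption: these are the
# only volatile lines; a real audit would review the package contents more broadly).
VOLATILE_PREFIXES = ("Packaged:", "Built:", "Date/Publication:")

# Constructed epoch for the first build; the second build happens 50 seconds later.
T0 = 1647497838


def build_tarball(stamp: str, mtime: int) -> bytes:
    """Gzip-compressed tar of PKG_FILES with the given build stamp, entry mtimes and gzip mtime."""
    buf = io.BytesIO()
    # Pin the gzip header mtime explicitly: tarfile's "w:gz" mode would use the wall clock.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, text in sorted(PKG_FILES.items()):
                data = text.replace("{stamp}", stamp).encode()
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = mtime  # tar entry mtime: a second place a timestamp lands
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_sha256(blob: bytes) -> str:
    """Digest of the distributed file as-is: what a checksum manifest usually records."""
    return hashlib.sha256(blob).hexdigest()


def content_sha256(blob: bytes) -> str:
    """Digest over sorted member names and contents, dropping the volatile DESCRIPTION lines.

    Timestamps in the gzip header and tar entries are not part of the hash at all,
    because only the extracted file bytes are fed in.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if member.name.endswith("/DESCRIPTION"):
                lines = data.decode().splitlines(keepends=True)
                data = "".join(l for l in lines if not l.startswith(VOLATILE_PREFIXES)).encode()
            # Length-prefix each field so distinct trees cannot collide by concatenation.
            h.update(member.name.encode() + b"\0")
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def compare_builds(a: bytes, b: bytes) -> dict:
    """Report whether two tarballs agree byte-for-byte and whether they agree in content."""
    return {
        "archive_match": archive_sha256(a) == archive_sha256(b),
        "content_match": content_sha256(a) == content_sha256(b),
    }


def demo() -> dict:
    """Two builds of identical sources, 50 seconds apart, as in the MASS case discussed above."""
    first = build_tarball("2022-03-17 09:00:00 UTC", T0)
    second = build_tarball("2022-03-17 09:00:50 UTC", T0 + 50)
    return compare_builds(first, second)


if __name__ == "__main__":
    print(demo())  # archive digests differ, content digests match
```

For a validated-software inventory this is the distinction worth recording: a byte-level SHA of the downloaded tarball detects any rebuild, including a harmless one, whereas a content-level digest like the one above tells you whether what changed was only the build metadata. Keeping both lets an auditor see that a mismatch against CRAN's current file is a rebuild rather than a change to the package source.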


