[R-pkg-devel] Ensuring permanence and SHA consistency of released CRAN packages for validated software
Gábor Csárdi
c@@rd|@g@bor @end|ng |rom gm@||@com
Mon Mar 21 14:22:32 CET 2022
On Mon, Mar 21, 2022 at 2:15 PM Borini, Stefano
<stefano.borini using astrazeneca.com> wrote:
> Well, the binaries it’s a different story and needs its own solution. I am referring to the source packages, not the binary ones. So I suspect that when the binaries are rebuilt, the DESCRIPTION file in the source package is updated as well by the build system.
>
> That’s what creates the issue.
Oh, right, I missed that, sorry. In my experience the source packages
are rebuilt much less frequently, at least this was the situation in
the past. This said, I can't imagine a good reason for rebuilding a
source package without increasing the version number.
[...]
> I agree that it would be great to add the sha256 (or other) hash to
> DESCRIPTION.
>
>
>
> You can’t do that because then you would end up in a chicken egg situation where the sha of the tgz package depends on the content of the DESCRIPTION which would depend on the sha of the package.
I meant PACKAGES*, sorry.
FWIW for source packages the MD5 is already in PACKAGES, so you can
use that to see if a source package was updated or not.
G.
[...]
More information about the R-package-devel
mailing list