[R-pkg-devel] Best practices for CRAN package using Go

Dewey Dunnington dewey @end|ng |rom dunn|ngton@c@
Wed Jul 12 16:36:30 CEST 2023


Thank you! It seems I needed the refresher on CRAN policy regarding 
downloading sources: it seems like the go.sum/go.mod provide sufficient 
checksumming to comply with the policy, as you noted (with `go mod 
vendor` as a backup if this turns out to not be acceptable). Downloading 
Go is probably out based on the advice for Rust that explicitly forbids 
this.

Cheers!

-dewey

On 2023-07-10 11:09, Ivan Krylov wrote:
> В Thu, 06 Jul 2023 15:22:26 -0300
> Dewey Dunnington <dewey using dunnington.ca> пишет:
> 
>> I've wrapped two of these drivers for R that seem to build and
>> install on MacOS, Linux, and Windows [3][4]; however, I am not sure
>> if the pattern I used is suitable for CRAN or whether these packages
>> will have to be GitHub-only for the foreseeable future.
> 
> There are a few parts to following the CRAN policy [*] regarding
> external dependencies.
> 
> I think (but don't know for sure) that your package will not be allowed
> to download Go by itself. The policy says: "Only as a last resort and
> with the agreement of the CRAN team should a package download
> pre-compiled software."
> 
> An already installed Go should be able to "first look to see if [a
> dependency] is already installed and if so is of a suitable version"
> when installing the dependencies of the Go part of the code. The go.mod
> and go.sum files specify the exact versions and checksums of the
> dependencies, which satisfies the requirement for fixed dependency
> versions ("it is acceptable to download them as part of installation,
> but do ensure that the download is of a fixed version rather than the
> latest"), so your package seems to be fine in this respect.
> 
> One more thing: when bootstrapping the source package, can you run go
> mod vendor [**] in order to bundle *all* the Go dependencies together
> with the package? Is the resulting directory prohibitively large? Would
> it satisfy the CRAN policy preference to "include the library sources
> in the package and compile them as part of package installation"
> without requiring Internet access? Unfortunately, I don't know enough
> about Go to answer these questions myself. I think that a small bundle
> of vendored Go code would be preferrable for CRAN but *not* preferrable
> for packaging in a GNU/Linux distro like Debian where dynamic linking
> (in the widest possible sense) is a strong preference.
> 
> --
> Best regards,
> Ivan
> 
> [*] https://cran.r-project.org/web/packages/policies.html
> 
> [**] https://go.dev/ref/mod#vendoring



More information about the R-package-devel mailing list