[R-pkg-devel] What to do when a package is archived from CRAN

SHIMA Tatsuya t@1@1@ndn @end|ng |rom gm@||@com
Sun Aug 27 17:03:06 CEST 2023 

Simon,

Thank you for taking a look at this.

 > One related issue with respect to CRAN policies that I don't see a 
good solution for is that inst/AUTHORS is patently unhelpful, because 
most of them say "foo (version ..): foo authors" with no contact, or 
real names or any links.

I understand your thoughts, but if we look for the inst/AUTHOURS files 
contained in the packages on CRAN, I don't think they always contain the 
contact information.
For example, this is from the igraph package.
<https://github.com/cran/igraph/blob/5e22d808f0341fcaa8944fe893c0980000ce7656/inst/AUTHORS>

Also, I have listed the URLs of the dependent crates (the `repository` 
field of Cargo.toml) in the LICENSE.note file, so we can see where the 
dependent crates are being developed.

Best,
Tatsuya

On 2023/08/27 14:36, Hiroaki Yutani wrote:
> Simon,
>
> Ok, let's take a look at a real example. The first item of 
> inst/AUTHORS of prqlr (GitHub version) is this:
>
>     addr2line (version 0.20.0):
>       addr2line authors
>
> You can find addr2line's owners on crates.io <http://crates.io> [1], 
> while its manifest file (Cargo.toml) [2] doesn't contain the names of 
> its owners or authors. In Rust's manifest, the "authors" field is 
> optional [3] unlike R. You might argue "owners" is not the same as 
> "authors," but at least crates.io <http://crates.io> provides the 
> names of those who are responsible for the crate.
>
> Let's go back to your question.
>
> > So are you saying you have to use crates.io <http://crates.io> and 
> do some extra step during the (misnamed) "vendor" step?
>
> "cargo vendor" doesn't take care of generating the list of authors, so 
> it's not "during the vender step." It has to be done separately 
> anyway. I was just saying you **can** use crates.io <http://crates.io> 
> in that step instead of searching for the authors manually one by one 
> (or filling it with "foo authors" when the manifest file doesn't 
> contain any names).
>
> That said, I agree with you in general that the Rust community is 
> relatively loose about authorship and licensing when compared with R. 
> I don't think it's necessarily a problem, but the impedance mismatch 
> is a headache. I was just trying to point out this part of your opinion
>
> > the Rust community as there doesn't seem to be any accountability 
> with respect to ownership and attribution.
>
> was not quite true. I hope the R community and the Rust community have 
> respect for each other.
>
> Best,
> Yutani
>
> [1]: https://crates.io/crates/addr2line
> [2]: https://github.com/gimli-rs/addr2line/blob/0.20.0/Cargo.toml
> [3]: 
> https://doc.rust-lang.org/cargo/reference/manifest.html#the-authors-field
>
>
> 2023年8月27日(日) 12:07 Simon Urbanek <simon.urbanek using r-project.org>:
>
>     Yutani,
>
>
>>     On Aug 27, 2023, at 2:19 PM, Hiroaki Yutani
>>     <yutani.ini using gmail.com> wrote:
>>
>>     Simon,
>>
>>     > it's assumed that GitHub history is the canonical source with
>>     the provenance, but that gets lost when pulled into the package.
>>
>>     No, not GitHub. You can usually find the ownership on crates.io
>>     <http://crates.io/>. So, if you want a target to blame, it's
>>     probably just a problem of the script to auto-generate
>>     inst/AUTHORS in this specific case. But, clearly, Rust's
>>     ecosystem works soundly under the existence of crates.io
>>     <http://crates.io/>, so I think this is the same kind of pain
>>     which you would feel if you use R without CRAN.
>>
>
>     Can you elaborate? I have not found anything that would have a
>     list of authors in the sources. I fully agree that I know nothing
>     about it, but even if you use R without CRAN, each package
>     contains that information in the DESCRIPTION file since it's so
>     crucial. So are you saying you have to use crates.io
>     <http://crates.io> and do some extra step during the (misnamed)
>     "vendor" step? (I didn't see the submitted tar ball of plqrl and
>     its release on GitHub is not the actual package so can't check -
>     thus just trying reverse-engineer what happens by looking at the
>     dependencies which leads to GitHub).
>
>
>>     Sorry for nitpicking.
>>
>
>     Sure, good to get the fact straight.
>
>     Cheers,
>     Simon
>
>
>
>>     Best,
>>     Yutani
>>
>>     2023年8月27日(日) 6:57 Simon Urbanek <simon.urbanek using r-project.org>:
>>
>>         Tatsuya,
>>
>>         What you do is contact CRAN. I don't think anyone here can
>>         answer your question, only CRAN can, so ask there.
>>
>>         Generally, packages with sufficiently many Rust dependencies
>>         have to be handled manually as they break the size limit, so
>>         auto-rejections are normal. Archival is unusual, but it may
>>         have fallen through the cracks - but the way to find out is
>>         to ask.
>>
>>         One related issue with respect to CRAN policies that I don't
>>         see a good solution for is that inst/AUTHORS is patently
>>         unhelpful, because most of them say "foo (version ..): foo
>>         authors" with no contact, or real names or any links. That
>>         seems to be a problem stemming from the Rust community as
>>         there doesn't seem to be any accountability with respect to
>>         ownership and attribution. I don't know if it's because it's
>>         assumed that GitHub history is the canonical source with the
>>         provenance, but that gets lost when pulled into the package.
>>
>>         Cheers,
>>         Simon
>>
>>         PS: Your README says "(Rust 1.65 or later)", but the version
>>         condition is missing from SystemRequirements.
>>
>>
>>         > On Aug 26, 2023, at 2:46 PM, SHIMA Tatsuya
>>         <ts1s1andn using gmail.com> wrote:
>>         >
>>         > Hi,
>>         >
>>         > I noticed that my submitted package `prqlr` 0.5.0 was
>>         archived from CRAN on 2023-08-19.
>>         > <https://CRAN.R-project.org/package=prqlr
>>         <https://cran.r-project.org/package=prqlr>>
>>         >
>>         > I submitted prqlr 0.5.0 on 2023-08-13. I believe I have
>>         since only received word from CRAN that it passed the
>>         automated release process.
>>         <https://github.com/eitsupi/prqlr/pull/161>
>>         > So I was very surprised to find out after I returned from
>>         my trip that this was archived.
>>         >
>>         > The CRAN page says "Archived on 2023-08-19 for policy
>>         violation. " but I don't know what exactly was the problem.
>>         > I have no idea what more to fix as I believe I have solved
>>         all the problems when I submitted 0.5.0.
>>         >
>>         > Is there any way to know what exactly was the problem?
>>         > (I thought I sent an e-mail to CRAN 5 days ago but have not
>>         yet received an answer, so I decided to ask my question on
>>         this mailing list, thinking that there is a possibility that
>>         there will be no answer to my e-mail, although I may have to
>>         wait a few weeks for an answer. My apologies if this idea is
>>         incorrect.)
>>         >
>>         > Best,
>>         > Tatsuya
>>         >
>>         > ______________________________________________
>>         > R-package-devel using r-project.org mailing list
>>         > https://stat.ethz.ch/mailman/listinfo/r-package-devel
>>         >
>>
>>         ______________________________________________
>>         R-package-devel using r-project.org mailing list
>>         https://stat.ethz.ch/mailman/listinfo/r-package-devel
>>
>
	[[alternative HTML version deleted]]

More information about the R-package-devel mailing list