[R-sig-Debian] Regarding R_LIBS_USER

Pavel Krivitsky pavel at uow.edu.au
Thu Jul 6 07:03:44 CEST 2017 

Hello,

I just subscribed to the list to join the discussion after being
blindsided by the change and reading Dirk Eddelbuettel's reply to my
bug report at https://bugs.debian.org/866768 . 

As far as I can tell the advantages of site library are:

   1. Saves disk space and a little bit of user time spent installing and
      upgrading.
   2. Other Debian package manages, like pip, default to trying to install
      to a site library.

However, it seems to me that the case for status quo ante is stronger,
even if the jarring behaviour (asking user whether to create a personal
directory, then failing to do so) is fixed:

   1. Correct me if I am wrong, but wouldn't the change make the default
      behaviour of R on Debian different from its default behaviour on
      other distributions?
   2. Site library has no benefit over user library on a single-user
      system.
   3. Making the site library writeable by default is a severe security
      vulnerability, since it enables users to rewrite library code that
      will be blindly executed by other users on the system.
   4. Making the site library not-writeable by default means that users
      relying on site library need to contact an administrator to get a
      package installed or upgraded. This seems to me to largely defeat
      the benefit of a site library for most systems, since most users
      aren't so patient and would just figure out how to use a user
      library.
   5. The use case where defaulting to installing to site library is most
      beneficial---a system shared by few trusted users---is rare compared
      to the single-user and the many-untrusted-user systems.
   6. There are workarounds, and, indeed, users can always use user
      libraries, but the new setup puts the burden of tweaking the system
      on the *least skilled* users, whereas the old setup Just Worked for
      them (since R 2.5.0).
   7. Even in Python and others, the user library takes precedence over
      the site library (which, in turn, takes precedence over the dpkg-
      installed library). This means that .libPaths() should have the user
      library (if it exists) in first position, not as a fallback.

So, overall, I think the change does more harm than good. Am I missing anything?

				Best Regards,
				Pavel

-- 
Pavel Krivitsky
Lecturer in Statistics
National Institute of Applied Statistics Research Australia (NIASRA)
School of Mathematics and Applied Statistics | Building 39C Room 154
University of Wollongong NSW 2522 Australia
T +61 2 4221 3713
Web (NIASRA): http://niasra.uow.edu.au/index.html
Web (Personal): http://www.krivitsky.net/research
ORCID: 0000-0002-9101-3362

NOTICE: This email is intended for the addressee named and may contain
confidential information. If you are not the intended recipient, please
delete it and notify the sender. Please consider the environment before
printing this email.

More information about the R-SIG-Debian mailing list