[R-SIG-Mac] Generating R .pkg file for Mac Distribution

Balamuta, James Joseph balamut2 using illinois.edu
Fri May 25 04:09:14 CEST 2018


Greetings and Salutations Simon,

I appreciate the feedback at long last; but, I fear that a majority of this is scaremongering at this stage. These installers, clang4 and the _unofficial_ macOS rtools, have operated without incident since their inception almost a year ago. Their sources are public and are also signed by my developer credentials in a way that is similar to the official R installer package.

You do have one _very_ valid point regarding the woes of an "online-based" installer. Meaning, it will attempt to download the appropriate binaries from CRAN, the official gfortran site, and Apple. For those wondering, this is where the phrase "man-in-the-middle attack" arises, as the request could be intercepted and re-routed. However, when you view the modern-day ecosystem of online installers, this can largely be said for all of them. One way to address this is to check a pre-defined sha256 hash against the downloaded file hash, which can easily be added to the installer now that this has been raised.

Note: Apple is contacted to install the Xcode Command Line Tools on the user's system through a secure software update.

In reference to the root escalation, this is required to install into `/usr/local/` and set the appropriate paths within `~/.R/Makevars`, e.g. `LDFLAGS`, `CXX`, `CXX11`, ... . Both of these actions are emphasized to the user in the welcome splash. The latter action is where I believe you have an issue. 

When making the design decision to include path support, the intent was to ensure everything just "works" and avoid having users type in long paths. I find that macOS users are frequently expected to be knowledgeable about Unix-based workflows, but have very little experience within that environment. With the rise in data science, I hope that trend will be reversed. 

Sincerely,

JJB

On 5/24/18, 12:56 PM, "Simon Urbanek" <simon.urbanek using R-project.org> wrote:

    Just for posterity - please note that the installer referenced below is potentially unsafe and dangerous, because it does NOT actually package the binary but rather contains just an arbitrary shell script and thus you cannot be sure that you get the official binaries or something malicious instead (and it is vulnerable to man-in-the-middle attacks). Also it performs various actions as root that you may or may not like. Be careful trusting installers that are not signed by CRAN members. We only supply the binary and any post-install actions only affect the installed binary not other system functions nor user directories.
    
    Cheers,
    Simon
    
    
    
    > On May 17, 2018, at 3:15 PM, Balamuta, James Joseph <balamut2 using illinois.edu> wrote:
    > 
    > Greetings and Salutations Nigel,
    > 
    > I've "augmented" the base R install via an unofficial, e.g. not sanctioned by CRAN, Rtools build. This can be found here:
    > 
    > https://github.com/coatless/r-macos-rtools
    > 
    > Presently, the latest release only supports the R 3.4.* line:
    > 
    > https://github.com/coatless/r-macos-rtools/releases/tag/v1.0.0
    > 
    > I'll likely update it this weekend to provide support for R 3.5.*. In particular, I'll bump the compiler from clang4 to clang6.
    > 
    > Sincerely,
    > 
    > JJB
    > 
    > On 5/17/18, 11:45 AM, "R-SIG-Mac on behalf of Nigel Delaney" <r-sig-mac-bounces using r-project.org on behalf of nigelfdelaney using gmail.com> wrote:
    > 
    >    Thanks for the responses so far.
    > 
    >    David - indeed those instructions are up to date, but people are
    >    struggling with the issue and unable to fix that (and keep trying to
    >    install from source).
    > 
    >    Chuck - Thanks also for the suggestion, it's a good idea.  I'm hoping
    >    we might be able to have a one step installation to keep things simple
    >    though.
    > 
    >    Cheers,
    >    Nigel
    > 
    >    On Thu, May 17, 2018 at 9:39 AM, Berry, Charles <ccberry using ucsd.edu> wrote:
    >> 
    >> 
    >>> On May 16, 2018, at 11:40 AM, Nigel Delaney <nigelfdelaney using gmail.com> wrote:
    >>> 
    >>> Hi,
    >>> 
    >>> Mac binaries on R are distributed as .pkg files available from CRAN
    >>> for installation.  Does anyone know if the source script (assuming a
    >>> script is used) that generates this pkg file is available anywhere?
    >>> The pkg seems to contain a few elements like a postflight/postinstall
    >>> script that I could not find in any open source repository and are not
    >>> part of the R binaries.
    >>> 
    >>> We have a few users who are dealing with the fortran compiler issues
    >>> on Mac, and were hoping to just modify the current .pkg to contain a
    >>> few more packages, was hoping to avoid reinventing the wheel on the
    >>> packaging scripts.
    >>> 
    >> 
    >> 
    >> Why not just provide those users with the binaries for those packages?
    >> 
    >> If there are more than a few users and/or more than a few packages that need this treatment, set up your own repository and put the binaries there. See:
    >> 
    >> https://cran.r-project.org/doc/manuals/r-release/R-admin.html#Setting-up-a-package-repository
    >> 
    >> HTH,
    >> 
    >> Chuck
    >> 
    >> 
    >> 
    > 
    >    _______________________________________________
    >    R-SIG-Mac mailing list
    >    R-SIG-Mac using r-project.org
    >    https://stat.ethz.ch/mailman/listinfo/r-sig-mac
    > 
    > 
    
    


