<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>You're very welcome Martin!</p>
<blockquote>
<p><i>Aha, glad to see your master site is HTTPS, not HTTP. I was
under the false impression that the project's main site was
only available under the latter (which did seem strange).</i></p>
</blockquote>
<p>Sorry if you weren't the best person to contact, I couldn't work
out who was the best to contact from the information on the page.</p>
<p>Best Regards,</p>
<p><i>J.S.</i><br>
</p>
<div class="moz-signature">
<hr>
<strong style="font-family: monospace">My PGP Public Key Identity</strong>
<pre>pub 4096R/<strong class="preserve-case">DDD75C27</strong> <time datetime="2016-11-17">2016-11-17</time> [expires: <time datetime="2018-10-06">2018-10-06</time>]
Key fingerprint = <strong class="preserve-case">F9B1 BDAF 9A2A 7F9A 0712 DEEB 3B24 41F6 DDD7 5C27</strong>
uid [ultimate] Joshua Saxby (Decoded Ltd) <a href="mailto:josh@decoded.com" target="_blank">josh@decoded.com</a>
sub 4096R/8B35ECE4 <time datetime="2016-11-17">2016-11-17</time> [expires: <time datetime="2018-10-06">2018-10-06</time>]</pre>
<hr></div>
<div class="moz-cite-prefix">On 2018-03-26 16:24, Martin Maechler
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:23225.4253.300516.377252@stat.math.ethz.ch">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Joshua Saxby <........>
on Mon, 26 Mar 2018 15:18:25 +0100 writes:
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">
> Dear Sir/Madam,
> While downloading the latest version of /R for Mac OS X/, I noticed that
> the SHA-1 checksum for the file as advertised on the page at
> <a class="moz-txt-link-freetext" href="http://cran.us.r-project.org/bin/macosx/">http://cran.us.r-project.org/bin/macosx/</a> appears to be incorrect. I am
> quite certain that the checksum as displayed on the page is incorrect,
> because the MD5 hash on the page matches that which I can reproduce
> locally, and the Apple Developer certificates also validate successfully
> when pkgutil --check-signature R-3.4.4.pkg is run.
> To clarify, the SHA-hash (I assume it is SHA-1, no other SHA hash
> matches this length) as displayed on your page is:
> 566f8c7a85e9343d056c1b143ebf5ca6c101dec7
> The SHA-1 hash I get when I hash the file locally (on macOS with the
> command shasum R-3.4.4.pkg) is: 5fd44c8a6eb2e936614f844d00f29c1fc2f4a0f9
> I have encountered this scenario across two of the mirror sites, so my
> assumption would be that the wrong hash is displayed.
Thank you very much, Joshua!
The master site is (with 'https', not just 'http' !)
<a class="moz-txt-link-freetext" href="https://cran.r-project.org/bin/macosx/">https://cran.r-project.org/bin/macosx/</a>
and that does show the same hash (of course: the mirrors do not
recompute the hashes in the *text* of their pages).
So this must be an error somewhere.
I'm CC'ing the R-SIG-Mac mailing list,
where the R-on-Mac experts should be listening.
Can mac users confirm they do not get the indicated hash but a
different one?
-------
NOTE: The Webmasters of <a class="moz-txt-link-abbreviated" href="http://www.r-project.org">www.r-project.org</a> cannot really
change contents of cran.r-project.org and its mirrors.
So we have to refer this to the CRAN maintainers ourselves.
For the webmasters of R-project.org,
Martin Maechler
ETH Zurich
> Best Regards,
> /J.S./
</pre>
</blockquote>
<br>
</body>
</html>