On 16/09/2020 4:51 p.m., Simon Urbanek wrote:> I can't comment for CRAN, but generally, shorteners are considered security risk so regardless of the 301 handling I think flagging those is a good idea. Also I think it is particularly bad to use them in manuals because it hides the target so the user has no idea what hey will get.I agree, and we do have \href{}{} in Rd files and similar in other formats for giving text of a link different than the URL if the URL is inconveniently long. There's still a bit of a security issue though: the built in help browser (at least in MacOS) doesn't show the full URL when you hover over the link, as most browsers do. So one could have \href{https://disney.org}{https://horrible.web.site} Duncan Murdoch> > Cheers, > Simon > > >> On Sep 17, 2020, at 5:35 AM, G?bor Cs?rdi <csardi.gabor at gmail.com> wrote: >> >> Dear all, >> >> the new CRAN URL checks flag HTTP 301 redirects. While I understand >> the intent, I think this is unfortunate, because several URL shortener >> services use 301 redirects, and often a shorter URL is actually better >> in a manual page than a longer one that can be several lines long in >> the console and also potentially truncated in the PDF manual. >> >> Some example shorteners that are flagged: >> >>> db <- tools:::url_db(c("https://nyti.ms", "https://t.co/mtXLLfYOYE"), "README") >>> tools:::check_url_db(db) >> URL: https://nyti.ms (moved to https://www.nytimes.com/) >> From: README >> Status: 200 >> Message: OK >> >> URL: https://t.co/mtXLLfYOYE (moved to >> https://www.bbc.co.uk/news/blogs-trending-47975564) >> From: README >> Status: 200 >> Message: OK >> >> ______________________________________________ >> R-devel at r-project.org mailing list >> https://stat.ethz.ch/mailman/listinfo/r-devel >> > > ______________________________________________ > R-devel at r-project.org mailing list > https://stat.ethz.ch/mailman/listinfo/r-devel >
I was going to offer my opine on security risks but some prominent R folks tend to woefully inaccurately knee-jerk/react badly to my 25+ year expert opinion on such things and create childish website verbiage to show their lack of maturity (who knew random developers can become security experts overnight with no training or experience?). Allowing shorteners is a terrible, woefully insecure idea. I fully support CRAN?s position. I?d likely counsel any folks looking to move to R and CRAN packages to seek Scala or Julia ecosystems instead if it were to be overturned. But, hey, what do I know. -boB On Sep 16, 2020 at 5:50:52 PM, Duncan Murdoch <murdoch.duncan at gmail.com> wrote:> On 16/09/2020 4:51 p.m., Simon Urbanek wrote: > > I can't comment for CRAN, but generally, shorteners are considered > security risk so regardless of the 301 handling I think flagging those is a > good idea. Also I think it is particularly bad to use them in manuals > because it hides the target so the user has no idea what hey will get. > > > I agree, and we do have \href{}{} in Rd files and similar in other > formats for giving text of a link different than the URL if the URL is > inconveniently long. There's still a bit of a security issue though: > the built in help browser (at least in MacOS) doesn't show the full URL > when you hover over the link, as most browsers do. So one could have > > \href{https://disney.org}{https://horrible.web.site} > > Duncan Murdoch > > > > Cheers, > > Simon > > > > > On Sep 17, 2020, at 5:35 AM, G?bor Cs?rdi <csardi.gabor at gmail.com> > wrote: > > > > > > Dear all, > > > > > > the new CRAN URL checks flag HTTP 301 redirects. While I understand > > > the intent, I think this is unfortunate, because several URL shortener > > > services use 301 redirects, and often a shorter URL is actually better > > > in a manual page than a longer one that can be several lines long in > > > the console and also potentially truncated in the PDF manual. > > > > > > Some example shorteners that are flagged: > > > > > >> db <- tools:::url_db(c("https://nyti.ms", "https://t.co/mtXLLfYOYE"), > "README") > > >> tools:::check_url_db(db) > > > URL: https://nyti.ms (moved to https://www.nytimes.com/) > > > From: README > > > Status: 200 > > > Message: OK > > > > > > URL: https://t.co/mtXLLfYOYE (moved to > > > https://www.bbc.co.uk/news/blogs-trending-47975564) > > > From: README > > > Status: 200 > > > Message: OK > > > > > > ______________________________________________ > > > R-devel at r-project.org mailing list > > > https://stat.ethz.ch/mailman/listinfo/r-devel > > > > > > ______________________________________________ > > R-devel at r-project.org mailing list > > https://stat.ethz.ch/mailman/listinfo/r-devel > > > > ______________________________________________ > R-devel at r-project.org mailing list > https://stat.ethz.ch/mailman/listinfo/r-devel >[[alternative HTML version deleted]]
Right, I am sorry, I did not realize the security aspect here. I guess I unconsciously treated CRAN package authors as a trusted source. Thanks for the correction and clarification, and to CRAN for implementing these checks. :) G. On Wed, Sep 16, 2020 at 10:50 PM Duncan Murdoch <murdoch.duncan at gmail.com> wrote:> > On 16/09/2020 4:51 p.m., Simon Urbanek wrote: > > I can't comment for CRAN, but generally, shorteners are considered security risk so regardless of the 301 handling I think flagging those is a good idea. Also I think it is particularly bad to use them in manuals because it hides the target so the user has no idea what hey will get. > > I agree, and we do have \href{}{} in Rd files and similar in other > formats for giving text of a link different than the URL if the URL is > inconveniently long. There's still a bit of a security issue though: > the built in help browser (at least in MacOS) doesn't show the full URL > when you hover over the link, as most browsers do. So one could have > > \href{https://disney.org}{https://horrible.web.site} > > Duncan Murdoch > > > > > > Cheers, > > Simon > > > > > >> On Sep 17, 2020, at 5:35 AM, G?bor Cs?rdi <csardi.gabor at gmail.com> wrote: > >> > >> Dear all, > >> > >> the new CRAN URL checks flag HTTP 301 redirects. While I understand > >> the intent, I think this is unfortunate, because several URL shortener > >> services use 301 redirects, and often a shorter URL is actually better > >> in a manual page than a longer one that can be several lines long in > >> the console and also potentially truncated in the PDF manual. > >> > >> Some example shorteners that are flagged: > >> > >>> db <- tools:::url_db(c("https://nyti.ms", "https://t.co/mtXLLfYOYE"), "README") > >>> tools:::check_url_db(db) > >> URL: https://nyti.ms (moved to https://www.nytimes.com/) > >> From: README > >> Status: 200 > >> Message: OK > >> > >> URL: https://t.co/mtXLLfYOYE (moved to > >> https://www.bbc.co.uk/news/blogs-trending-47975564) > >> From: README > >> Status: 200 > >> Message: OK > >> > >> ______________________________________________ > >> R-devel at r-project.org mailing list > >> https://stat.ethz.ch/mailman/listinfo/r-devel > >> > > > > ______________________________________________ > > R-devel at r-project.org mailing list > > https://stat.ethz.ch/mailman/listinfo/r-devel > > >
I don't have an opinion on the URL shorteners, but how about the original question? Redirection can be extremely useful in general. Shortening URLs is only one of its possible applications. FWIW, CRAN uses (303) redirect itself, e.g., https://cran.r-project.org/package=MASS is redirected to https://cran.r-project.org/web/packages/MASS/index.html Should these "canonical" CRAN links be disallowed in packages, too? Just as another example, https://cran.r-project.org/bin/windows/base/release.html is redirected to the latest Windows installer of R (through the <meta> tag). If the intent of the new URL redirect check is to disallow using URL shorteners like bit.ly or nyti.ms, that may be fair, but it it is to disallow using any URLs that are redirected, I think this CRAN policy may be worth a reconsideration. Regards, Yihui -- https://yihui.org On Thu, Sep 17, 2020 at 3:26 AM G?bor Cs?rdi <csardi.gabor at gmail.com> wrote:> > Right, I am sorry, I did not realize the security aspect here. I guess > I unconsciously treated CRAN package authors as a trusted source. > > Thanks for the correction and clarification, and to CRAN for > implementing these checks. :) > > G. > > On Wed, Sep 16, 2020 at 10:50 PM Duncan Murdoch > <murdoch.duncan at gmail.com> wrote: > > > > On 16/09/2020 4:51 p.m., Simon Urbanek wrote: > > > I can't comment for CRAN, but generally, shorteners are considered security risk so regardless of the 301 handling I think flagging those is a good idea. Also I think it is particularly bad to use them in manuals because it hides the target so the user has no idea what hey will get. > > > > I agree, and we do have \href{}{} in Rd files and similar in other > > formats for giving text of a link different than the URL if the URL is > > inconveniently long. There's still a bit of a security issue though: > > the built in help browser (at least in MacOS) doesn't show the full URL > > when you hover over the link, as most browsers do. So one could have > > > > \href{https://disney.org}{https://horrible.web.site} > > > > Duncan Murdoch > > > > > > > > > > Cheers, > > > Simon > > > > > > > > >> On Sep 17, 2020, at 5:35 AM, G?bor Cs?rdi <csardi.gabor at gmail.com> wrote: > > >> > > >> Dear all, > > >> > > >> the new CRAN URL checks flag HTTP 301 redirects. While I understand > > >> the intent, I think this is unfortunate, because several URL shortener > > >> services use 301 redirects, and often a shorter URL is actually better > > >> in a manual page than a longer one that can be several lines long in > > >> the console and also potentially truncated in the PDF manual. > > >> > > >> Some example shorteners that are flagged: > > >> > > >>> db <- tools:::url_db(c("https://nyti.ms", "https://t.co/mtXLLfYOYE"), "README") > > >>> tools:::check_url_db(db) > > >> URL: https://nyti.ms (moved to https://www.nytimes.com/) > > >> From: README > > >> Status: 200 > > >> Message: OK > > >> > > >> URL: https://t.co/mtXLLfYOYE (moved to > > >> https://www.bbc.co.uk/news/blogs-trending-47975564) > > >> From: README > > >> Status: 200 > > >> Message: OK > > >> > > >> ______________________________________________ > > >> R-devel at r-project.org mailing list > > >> https://stat.ethz.ch/mailman/listinfo/r-devel > > >> > > > > > > ______________________________________________ > > > R-devel at r-project.org mailing list > > > https://stat.ethz.ch/mailman/listinfo/r-devel > > > > > > > ______________________________________________ > R-devel at r-project.org mailing list > https://stat.ethz.ch/mailman/listinfo/r-devel