There is a small problem in the CRAN submission form, which is not super urgent but probably good to be aware of. So I noticed that after I submitted a package, the submission was confirmed without me actually clicking the link in the confirmation email (which could be a potential security risk). I suspect that this happens because many modern browsers use pre-rendering, which retrieves hyperlinks on a page before the user actually clicks on it. This is perfectly legal because the HTTP GET method [1] is defined to be "safe" and "idempotent", and therefore a GET request should never change server state. And this is where the current implementation of the confirmation page might violate HTTP. I think the proper way to implement this would be if the link in the confirmation email would lead to a page where the user has to click a button which results in a POST request to confirm the submission. [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html [[alternative HTML version deleted]]