Younce, Matt
2015-Apr-16 16:32 UTC
[Rd] Does (will) CRAN provide consistent integrity verification
Intended Audience: CRAN administrators, maintainers and R Package Developers.

Does anyone know of consistent methods (or plans for near future) to verify integrity of downloaded R package binaries from CRAN? The purpose is to foster a high degree of trust in the validity of downloaded binaries from CRAN.

For example Apache projects mostly provide something like MD5, SHA1, SHA256, or signing with GnuPG, etc., as in http://www.apache.org/dev/release-signing.

I have noticed that several R package zip files do contain MD5 strings, but not all do, and not as a separate download link. Besides, MD5 is not the preferred method.

What role in the administration of CRAN would be best positioned to guide and assist R package developers (and/or repository administrators) to provide a simple reliable method?

Without such features, the alternatives for many risk-averse entities would be to resort to vendor releases of R, which can be cost prohibitive. Several recent articles underscore that the need is here now, so I am hoping (and probably a growing number are also hoping) there is some way to currently or easily achieve this without resorting to a big-dollar vendor.

Thanks very much for your help,
Matt Younce
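The message above mentions MD5 strings found inside some package zips. Every R source package built with R CMD build carries a top-level MD5 file, one "<md5hex> *<relative path>" line per file, and tools::checkMD5sums() verifies it. The following is an added example (my own code, not R's, CRAN's, or the poster's) that re-implements that manifest check in Python and contrasts it with verifying the whole archive against a SHA-256 obtained out of band. The package name "hello", its files, the tampered content, and the helper names are constructed for the example.

```python
"""Check an R source package's bundled MD5 manifest, then check the whole
archive against an out-of-band SHA-256.  Added example, not R/CRAN code."""
import hashlib
import hmac
import io
import tarfile

MANIFEST = "MD5"  # file R CMD build writes at <pkg>/MD5


def write_tar(name, files):
    """Pack {relative path: bytes} into a gzipped tar under <name>/ (fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{name}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_manifest(files):
    """Produce the manifest in R's format: '<md5hex> *<path>' per line."""
    return "".join(
        f"{hashlib.md5(data).hexdigest()} *{path}\n"
        for path, data in sorted(files.items()) if path != MANIFEST
    ).encode()


def build_package(name, files):
    """Constructed stand-in for R CMD build: files plus a matching MD5 manifest."""
    return write_tar(name, {**files, MANIFEST: make_manifest(files)})


def read_tar(archive_bytes):
    """Return (package name, {relative path: bytes}) from a source archive."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        name = members[0].name.split("/", 1)[0]
        return name, {m.name.split("/", 1)[1]: tar.extractfile(m).read()
                      for m in members}


def parse_manifest(text):
    """Parse the manifest; reject lines that are not '<32 hex> *<path>'."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition(" *")
        if not sep or len(digest) != 32 or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[path] = digest.lower()
    return expected


def check_md5sums(archive_bytes):
    """Mirror tools::checkMD5sums(): every listed file must hash to its recorded
    MD5, and no file may be missing or unlisted.  Returns (ok, problems)."""
    _, files = read_tar(archive_bytes)
    if MANIFEST not in files:
        return False, ["no MD5 manifest in archive"]
    expected = parse_manifest(files.pop(MANIFEST).decode())
    problems = []
    for path, digest in expected.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.md5(files[path]).hexdigest() != digest:
            problems.append(f"md5 mismatch: {path}")
    for path in sorted(files.keys() - expected.keys()):
        problems.append(f"not in manifest: {path}")
    return not problems, problems


def archive_sha256(archive_bytes):
    """Digest of the archive as downloaded; what a separate .sha256 file or a
    signed release note would publish."""
    return hashlib.sha256(archive_bytes).hexdigest()


def check_archive_sha256(archive_bytes, published_hex):
    """Constant-time comparison against the out-of-band digest."""
    return hmac.compare_digest(archive_sha256(archive_bytes), published_hex.lower())


def tamper(archive_bytes, path, new_data, fix_manifest):
    """Replace one file in the archive.  With fix_manifest=True the MD5 manifest
    is regenerated too, which anyone who controls the mirror or the plain-HTTP
    connection can do just as easily."""
    name, files = read_tar(archive_bytes)
    files[path] = new_data
    if fix_manifest:
        files[MANIFEST] = make_manifest(files)
    return write_tar(name, files)


if __name__ == "__main__":
    pkg = build_package("hello", {"DESCRIPTION": b"Package: hello\nVersion: 0.1\n",
                                  "R/hello.R": b"hello <- function() 'hi'\n"})
    published = archive_sha256(pkg)
    print("clean:", check_md5sums(pkg), check_archive_sha256(pkg, published))
    evil = tamper(pkg, "R/hello.R", b"system('id')\n", fix_manifest=True)
    print("tampered+manifest fixed:", check_md5sums(evil),
          check_archive_sha256(evil, published))
```

The in-package manifest detects corruption and careless substitution only; when the attacker can rewrite the archive, the manifest travels with it and is rewritten too, so the internal check passes. Only a digest or signature fetched over a channel the attacker does not control (HTTPS to the project, or a GnuPG signature verified against a key obtained separately) distinguishes the two archives.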
Dan Tenenbaum
2015-Apr-16 22:23 UTC
[Rd] Does (will) CRAN provide consistent integrity verification
----- Original Message -----
> From: "Matt Younce" <Matt_Younce at cinfin.com>
> To: r-devel at r-project.org
> Sent: Thursday, April 16, 2015 9:32:04 AM
> Subject: [Rd] Does (will) CRAN provide consistent integrity verification
>
> Intended Audience: CRAN administrators, maintainers and R Package
> Developers.
> Does anyone know of consistent methods (or plans for near future) to
> verify integrity of downloaded R package binaries from CRAN?
> The purpose is to foster a high degree of trust in the validity of
> downloaded binaries from CRAN.
> For example Apache projects mostly provide something like MD5, SHA1,
> SHA256, or signing with GnuPG, etc., as in
> http://www.apache.org/dev/release-signing.

And all of this is probably irrelevant unless packages can be downloaded over HTTPS.

Dan
billy am
2015-Apr-17 00:13 UTC
[Rd] Does (will) CRAN provide consistent integrity verification
Agreed. R-project.org and mirrors should be using https.

Billy

On 17 Apr 2015 06:26, "Dan Tenenbaum" <dtenenba at fredhutch.org> wrote:
> And all of this is probably irrelevant unless packages can be downloaded
> over HTTPS.
>
> Dan