[Rd] Does (will) CRAN provide consistent integrity verification

billy am wickedpuppy at gmail.com
Fri Apr 17 02:13:51 CEST 2015


Agreed.  R-project.org and mirrors should be using https.

Billy
On 17 Apr 2015 06:26, "Dan Tenenbaum" <dtenenba at fredhutch.org> wrote:

>
>
> ----- Original Message -----
> > From: "Matt Younce" <Matt_Younce at cinfin.com>
> > To: r-devel at r-project.org
> > Sent: Thursday, April 16, 2015 9:32:04 AM
> > Subject: [Rd] Does (will) CRAN provide consistent integrity verification
> >
> > Intended Audience:  CRAN administrators, maintainers and R Package
> > Developers.
> > Does anyone know of consistent methods (or plans for near future) to
> > verify integrity of downloaded R package binaries from CRAN?
> > The purpose is to foster a high degree of trust in the validity of
> > downloaded binaries from CRAN.
> > For example, Apache projects mostly provide something like MD5, SHA1,
> > SHA256, or signing with GnuPG, etc., as in
> > http://www.apache.org/dev/release-signing.
>
> And all of this is probably irrelevant unless packages can be downloaded
> over HTTPS.
>
> Dan
>
>
> > I have noticed that several R package zip files do contain MD5
> > strings, but not all do, and not as a separate download link.
> > Besides, MD5 is not the preferred method.
> > What role in the administration of CRAN would be best positioned to
> > guide and assist R package developers (and/or repository
> > administrators) to provide a simple reliable method?
> > Without such features, the alternatives for many risk averse
> > entities would be to resort to vendor releases of R which can be
> > cost prohibitive.
> > Several recent articles underscore the need is here now, so I am
> > hoping (and probably a growing number are also hoping) there is some
> > way to currently or easily achieve this without resorting to a big
> > dollar vendor.
> > Thanks very much for your help,
> > Matt Younce
> >
> >
> > ______________________________________________
> > R-devel at r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
> >
>
>
