[Rd] Wrongly checked MD5 checksums in R 3.2.0's windows binary

Duncan Murdoch murdoch.duncan at gmail.com
Mon May 11 15:53:30 CEST 2015

On 11/05/2015 9:35 AM, Tal Galili wrote:
> Hi Duncan,
> Thank you for the clarification. :)
> I ended up removing these files from being scanned in the updated 
> version of installr. I would rather focus on supporting an MD5 scan 
> that is based on what is listed in MD5 file itself (ignoring 
> exceptions that are not clearly stated in the file).

I'm not sure what the purpose is of your test, but if it is to detect 
modified files, that might not be a good strategy.  A malicious agent 
could install fake bin/R.exe or bin/Rscript.exe and not be caught.

Of course, if they knew to modify those two files but not any others, 
they would know enough to also install a fake MD5 file, and then there's 
basically nothing you could do.


More information about the R-devel mailing list