Intended Audience:  CRAN administrators, maintainers and R Package Developers.
Does anyone know of consistent methods (or plans for near future) to verify 
integrity of downloaded R package binaries from CRAN?
The purpose is to foster a high degree of trust in the validity of downloaded 
binaries from CRAN.
For example Apache projects mostly provide something like MD5, SHA1, SHA256, or 
signing with GnuPG, etc., as in http://www.apache.org/dev/release-signing.
I have noticed that several R package zip files do contain MD5 strings, but not 
all do, and not as a separate download link.  Besides, MD5 is not the preferred 
method.
What role in the administration of CRAN would be best positioned to guide and 
assist R package developers (and/or repository administrators) to provide a 
simple reliable method?
Without such features, the alternatives for many risk-averse entities would be 
to resort to vendor releases of R, which can be cost prohibitive.
Several recent articles underscore that the need is here now, so I am hoping (and 
probably a growing number are also hoping) there is some way to currently or 
easily achieve this without resorting to a big dollar vendor.
Thanks very much for your help,
Matt Younce
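The MD5 strings the post mentions live in an `MD5` file at the package root, one md5sum-style `<hex> *<path>` line per file. As an added example (not code from the post, CRAN or R's own tools), the Python below parses that manifest, recomputes every file's MD5 inside a package .zip, and separately compares the whole archive with a SHA-256 obtained out of band; the package it checks is a constructed sample, and the manifest format handled is assumed to be the md5sum convention.

```python
"""Added example: check an R package .zip's embedded MD5 manifest and compare the
whole download with an out-of-band SHA-256. The sample package is constructed."""
import hashlib
import io
import zipfile

def _members(data: bytes) -> dict:
    """Map each file path (relative to the package root dir) to its bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename.partition("/")[2]: zf.read(i)
                for i in zf.infolist() if not i.is_dir()}

def parse_md5_manifest(text: str) -> dict:
    """Parse md5sum-style lines ('<hex> *<path>' or '<hex>  <path>') -> {path: hex}."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(maxsplit=1)
            manifest[path.lstrip("*")] = digest.lower()
    return manifest

def check_package_md5(data: bytes) -> dict:
    """Recompute every file's MD5; report mismatched, missing and unlisted files."""
    files = _members(data)
    manifest = parse_md5_manifest(files["MD5"].decode())
    mismatched = [p for p, d in manifest.items()
                  if p in files and hashlib.md5(files[p]).hexdigest() != d]
    missing = [p for p in manifest if p not in files]
    extra = [p for p in files if p not in manifest and p != "MD5"]
    return {"ok": not (mismatched or missing or extra),
            "mismatched": mismatched, "missing": missing, "extra": extra}

def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the archive bytes with a checksum obtained through a separate channel."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()

def build_sample_package(tamper: bool = False) -> bytes:
    """Constructed two-file package; tamper=True alters a file after the manifest is made."""
    files = {"DESCRIPTION": b"Package: demo\nVersion: 0.1\n",
             "R/demo.R": b"hello <- function() 'hi'\n"}
    md5 = "".join(f"{hashlib.md5(c).hexdigest()} *{p}\n" for p, c in files.items())
    if tamper:
        files["R/demo.R"] = b"hello <- function() 'changed'\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in list(files.items()) + [("MD5", md5.encode())]:
            zf.writestr("demo/" + path, content)
    return buf.getvalue()
```

The embedded manifest only shows the archive is internally consistent; whoever replaced a file could rewrite `MD5` too, so the SHA-256 (or a signature) must come from a channel other than the download itself.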

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
