----- Original Message -----
> From: "Matt Younce" <matt_you...@cinfin.com>
> To: r-devel@r-project.org
> Sent: Thursday, April 16, 2015 9:32:04 AM
> Subject: [Rd] Does (will) CRAN provide consistent integrity verification
>
> Intended Audience: CRAN administrators, maintainers and R Package Developers.
>
> Does anyone know of consistent methods (or plans for the near future) to verify integrity of downloaded R package binaries from CRAN?
>
> The purpose is to foster a high degree of trust in the validity of downloaded binaries from CRAN.
>
> For example Apache projects mostly provide something like MD5, SHA1, SHA256, or signing with GnuPG, etc., as in http://www.apache.org/dev/release-signing.

And all of this is probably irrelevant unless packages can be downloaded over HTTPS.

Dan

> I have noticed that several R package zip files do contain MD5 strings, but not all do, and not as a separate download link.
> Besides, MD5 is not the preferred method.
>
> What role in the administration of CRAN would be best positioned to guide and assist R package developers (and/or repository administrators) to provide a simple reliable method?
>
> Without such features, the alternatives for many risk-averse entities would be to resort to vendor releases of R, which can be cost-prohibitive.
>
> Several recent articles underscore that the need is here now, so I am hoping (and probably a growing number are also hoping) there is some way to currently or easily achieve this without resorting to a big-dollar vendor.
>
> Thanks very much for your help,
> Matt Younce
>
> ______________________________________________
> R-devel@r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
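The thread contrasts two kinds of check: the MD5 manifest that some packages carry inside the archive, and an externally published digest (or signature) of the whole download. The example below is added here and is not from the thread, CRAN or R; it constructs a small in-memory tarball shaped like an R source package (assumed layout: a `pkgname/` root directory and an `MD5` file in md5sum's `hash *path` format) and shows that the embedded manifest catches corruption but not an archive whose manifest was regenerated along with the altered file, which only the out-of-band SHA256 detects.

```python
import hashlib
import hmac
import io
import re
import tarfile

# One md5sum-style manifest line: "<32 hex> *<path relative to package root>" (assumed format)
MD5_LINE = re.compile(r"^([0-9a-f]{32}) \*?(.+)$")


def build_package(name, files, tamper=None):
    """Construct a .tar.gz shaped like an R source package (constructed sample, not CRAN data).

    The MD5 manifest is computed over `files`; `tamper` then overrides file bodies
    without touching the manifest, mimicking an archive altered after packaging.
    """
    manifest = "".join(f"{hashlib.md5(b).hexdigest()} *{p}\n" for p, b in sorted(files.items()))
    contents = {**files, "MD5": manifest.encode(), **(tamper or {})}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, body in contents.items():
            info = tarfile.TarInfo(f"{name}/{path}")  # entries live under pkgname/
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def check_embedded_md5(tar_bytes):
    """Return manifest entries whose file is altered or missing; flag a missing manifest too."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = {m.name.split("/", 1)[1]: tar.extractfile(m).read() for m in tar if m.isfile()}
    if "MD5" not in members:
        return ["<no MD5 manifest>"]  # nothing to verify is not the same as verified
    bad = []
    for line in members["MD5"].decode().splitlines():
        m = MD5_LINE.match(line)
        if not m or hashlib.md5(members.get(m.group(2), b"")).hexdigest() != m.group(1):
            bad.append(m.group(2) if m else line)
    return bad


def check_published_sha256(tar_bytes, expected_hex):
    """Compare the whole archive against a digest obtained out of band (e.g. a signed .sha256 file)."""
    return hmac.compare_digest(hashlib.sha256(tar_bytes).hexdigest(), expected_hex)


# Constructed sample package and the three cases a verifier has to tell apart.
SRC = {"DESCRIPTION": b"Package: demo\nVersion: 1.0\n", "R/hello.R": b"hello <- function() 'hi'\n"}
ALTERED = {"R/hello.R": b"hello <- function() 'altered'\n"}  # constructed modified file
GOOD = build_package("demo", SRC)
PUBLISHED = hashlib.sha256(GOOD).hexdigest()        # what a maintainer would publish out of band
CORRUPT = build_package("demo", SRC, tamper=ALTERED)  # file changed, manifest left stale
REBUILT = build_package("demo", {**SRC, **ALTERED})   # manifest regenerated to match the change
```

Only the published digest, fetched over an authenticated channel such as HTTPS or verified by signature, distinguishes `REBUILT` from `GOOD`; the embedded manifest reports both as clean.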