Re: [R-pkg-devel] False positive antivirus reports on package vignettes
On Tue, 18 Feb 2025 07:05:06 -0600
Dirk Eddelbuettel wrote:

> one of the two pdf vignettes (which I happen to create as a shallow
> Rnw -> pdf wrapper around a pre-made pdf, here that inner pdf had not
> changed in five years, sigh ...) now upsets one of these (idiotic,
> but hey, I am sure that at least they are very expensive) anti-virus
> checkers.

Does VirusTotal confirm the non-zero virus detection?

> Has anybody figured out a workaround?

Last time [*] it turned out to be a collision of a 32-bit checksum in
the virus database. Try re-compressing the vignette or finding a
comment that can be changed. For example, (La)TeX-produced vignettes
sometimes contain a comment that says charToRaw('PTEX') |> as.integer()
|> bitwXor(0x80) |> as.raw(), and these four bytes can be replaced by
four spaces.

--
Best regards,
Ivan

[*] https://stat.ethz.ch/pipermail/r-package-devel/2024q1/010411.html

__
R-package-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-package-devel
[R-pkg-devel] False positive antivirus reports on package vignettes
Something that had happened to the Rcpp package in the past (but seemingly
went away on its own ?) is now apparently hitting package RcppArmadillo.

I received private email from the CRAN maintainers reporting, without
offering a fix as there seems to be none, that one of the two pdf vignettes
(which I happen to create as a shallow Rnw -> pdf wrapper around a pre-made
pdf, here that inner pdf had not changed in five years, sigh ...) now upsets
one of these (idiotic, but hey, I am sure that at least they are very
expensive) anti-virus checkers.

Has anybody figured out a workaround? I see withdrawing the pdf vignette as
(simple but bad) route. Or should I just change the (internal, binary) pdf
payload of the file (hey, one can always update the .bib to newer versions of
the cited packages) and hope for the best? Any other route?

Help or tips would be appreciated.

Best, Dirk

--
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Re: [R-pkg-devel] False positive antivirus reports on package vignettes
On Tue, 18 Feb 2025 08:11:15 -0600
Dirk Eddelbuettel wrote:

> Maybe these do not tickle the silly anti-virus tool.

Looks like they don't, so no need to tinker with raw PDF bytes:
https://www.virustotal.com/gui/url/2ef08a12060e046308afd6923b6447be10eafc36416b3af0734f724ce5127f22

(As they shouldn't. If there was still a match, it would be much harder
to explain as a checksum collision.)

--
Best regards,
Ivan
Re: [R-pkg-devel] False positive antivirus reports on package vignettes
On Tue, 18 Feb 2025 at 14:05, Dirk Eddelbuettel wrote:
>
>
> Something that had happened to the Rcpp package in the past (but seemingly
> went away on its own ?) is now apparently hitting package RcppArmadillo.
>
> I received private email from the CRAN maintainers reporting, without
> offering a fix as there seems to be none, that one of the two pdf vignettes
> (which I happen to create as a shallow Rnw -> pdf wrapper around a pre-made
> pdf, here that inner pdf had not changed in five years, sigh ...) now upsets
> one of these (idiotic, but hey, I am sure that at least they are very
> expensive) anti-virus checkers.
>
> Has anybody figured out a workaround? I see withdrawing the pdf vignette as
> (simple but bad) route. Or should I just change the (internal, binary) pdf
> payload of the file (hey, one can always update the .bib to newer versions of
> the cited packages) and hope for the best? Any other route?

What happened in Rcpp is that the antivirus were detecting an old
version of ghostscript that could produce potentially vulnerable
outputs. We solved it by rebuilding the vignettes with a newer version
of ghostscript. This is most likely the same issue. I can rebuild them
and send a PR your way if you want.

Best,
Iñaki

>
> Help or tips would be appreciated.
>
> Best, Dirk
>
> --
> dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
>

--
Iñaki Úcar
Re: [R-pkg-devel] False positive antivirus reports on package vignettes
This really is Dadaism (or maybe Absurdism? Where are our art historians?)

By now I heard from one of the affected scientists via a private slack
message. A choice quote:

   basically the pdf is moved into quarantine, and our IT are now
   threatening us to format all our laptops

This is beyond parody.

Anyway, as a first step I changed the (binary) pdf file (by an update of the
underlying .bib file) and r-universe has new builds one can install via

   repos <- c("https://rcppcore.r-universe.dev", getOption("repos"))
   install.packages('RcppArmadillo', repos = repos)

Maybe these do not tickle the silly anti-virus tool.

Dirk

--
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Re: [R-pkg-devel] False positive antivirus reports on package vignettes
On Tue, 18 Feb 2025 07:31:59 -0600
Dirk Eddelbuettel wrote:

> I have no idea. They have not communicated with me. I am only the
> relevant author so why would they.

That's unfortunate. I've just fed the RcppArmadillo-sparseMatrix
vignette to VirusTotal, and, indeed, there is one match:
https://www.virustotal.com/gui/url/f8d4551cce926dbe1ca4ade853038e9b358a65ce06e448f83825247df0c9f375

> Can you translate that tip into an actionable `sed` (or, of course
> `Rscript` or `r`) expression I could add to the Makefile?

It's probably doable with `sed`, but here's R:

  contents <- readBin(pdf_file, raw(), file.size(pdf_file))
  # both PDFTeX and QPDF add a 4-byte comment here that can be changed
  stopifnot(grepl(
    '^%PDF-1.5\n%[^\n]{4}\n$',
    rawToChar(contents[1:15]),
    useBytes = TRUE
  ))
  # so replace it with spaces
  contents[11:14] <- charToRaw('    ')
  writeBin(contents, pdf_file)

No matches after the four-byte change:
https://www.virustotal.com/gui/file/e0bf6c55e5d1377c3375b962b24bbaaead4424d0bf5f9bcdaadd47c39b36abe7

Your bytes match what QPDF usually writes when re-compressing a
vignette [*], not PDFTeX's "PTEX" + (not xor) 128. This is also to be
expected.

--
Best regards,
Ivan

[*] https://github.com/qpdf/qpdf/blob/8a1d34bb74e6bae1b57076485386fc56e7c22aaa/libqpdf/QPDFWriter.cc#L2321-L2323
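The header-comment replacement from the message above, written as shell functions that a Makefile recipe can call; this is an added example, not code from the thread. It goes beyond the hard-coded %PDF-1.5 check by accepting any %PDF-1.x header, and it confirms that the file length is unchanged and that only bytes 11-14 differ, because PDF cross-reference tables store byte offsets. Function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread; function names are hypothetical.

# First 15 bytes of a file as one lowercase hex string (30 characters).
pdf_header_hex() {
    head -c 15 "$1" | od -An -v -tx1 | tr -d ' \n'
}

# True if the file starts "%PDF-1.<digit>\n%" + 4 non-newline bytes + "\n".
pdf_has_header_comment() {
    hex=$(pdf_header_hex "$1")
    case $hex in
        255044462d312e3[0-9]0a25????????0a) ;;
        *) return 1 ;;
    esac
    # Bytes 11-14 are hex characters 21-28; reject a newline among them.
    for pair in $(printf '%s\n' "$hex" | cut -c21-28 | sed 's/../& /g'); do
        [ "$pair" != 0a ] || return 1
    done
}

# Overwrite bytes 11-14 with spaces, then confirm nothing else changed.
pdf_blank_header_comment() {
    f=$1
    pdf_has_header_comment "$f" || { echo "unexpected header: $f" >&2; return 1; }
    bak=$(mktemp) || return 1
    cp "$f" "$bak"
    # seek=10 skips "%PDF-1.x\n%"; conv=notrunc keeps the rest of the file.
    printf '    ' | dd of="$f" bs=1 seek=10 conv=notrunc 2>/dev/null
    # cmp -l prints one line per differing byte, 1-based offset first.
    diffs=$(cmp -l "$bak" "$f" 2>/dev/null || true)
    if [ "$(wc -c < "$bak" | tr -d ' ')" != "$(wc -c < "$f" | tr -d ' ')" ] ||
       ! printf '%s\n' "$diffs" |
           awk '$1 != "" && ($1 < 11 || $1 > 14) { bad = 1 } END { exit bad + 0 }'
    then
        cp "$bak" "$f"; rm -f "$bak"
        echo "refusing: change not confined to bytes 11-14: $f" >&2
        return 1
    fi
    rm -f "$bak"
}

# Constructed sample: pdfTeX-style header ("PTEX" xor 0x80) and a dummy body.
write_sample_pdf() {
    printf '%%PDF-1.5\n%%\320\324\305\330\n1 0 obj\n<< >>\nendobj\n' > "$1"
}
```

In a Makefile recipe, source the file and call `pdf_blank_header_comment` on the built vignette; a non-zero exit stops the build and leaves the file as it was.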
Re: [R-pkg-devel] False positive antivirus reports on package vignettes
On 18 February 2025 at 15:14, Iñaki Ucar wrote:
| What happened in Rcpp is that the antivirus were detecting an old
| version of ghostscript that could produce potentially vulnerable
| outputs. We solved it by rebuilding the vignettes with a newer version
| of ghostscript. This is most likely the same issue. I can rebuild them
| and send a PR your way if you want.

Bingo. The combination of (re-)using an old pdf (in this case from Feb 2020)
inside a freshly made-from-Rnw pdf is likely at fault, and my simple rebuild
with updated .bib should take care of it.

Ivan, in parallel emails, is on the trail too and reports the file is good
now and I _think_ he refers to the updated pdf one by now gets from the GitHub
repo, or for R user convenience, in the r-universe builds from it. And hence
in the next release (once we work through effects from upstream changes see
[1]).

Excellent assistance from both of you here. Many thanks, as usual.

Cheers, Dirk

[1] https://github.com/RcppCore/RcppArmadillo/issues/462

--
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Re: [R-pkg-devel] How to fix "attribute "id" has invalid value" when submitting new package to CRAN
Dear Han Zhang,

Welcome to R-package-devel!

On Mon, 17 Feb 2025 23:28:24 -0500
Han Zhang wrote:

> Found the following
> HTML validation problems: GraphicalTesting.html:114:1
> (GraphicalTesting.Rd:170): Warning: attribute "id" has invalid
> value "method-Graphical Testing Procedure-new"

Thank you for providing the NOTE you are receiving. It's best to also
provide a link to the source code of your package, because the error
messages alone are frequently not enough to diagnose the problem, and
it's not always easy to find out the code in question from a few
breadcrumbs in the error messages.

In the few cases I've checked, R CMD check points at the lines
containing \if{html}{\out{...}} statements [1]. This seems to be a
problem with 'roxygen2': it did not expect your class name to contain
spaces [2], so it did not replace them in the 'id' attribute while
generating the HTML fragment for the class documentation. You can
rename the class or ask the 'roxygen2' developers to adjust their HTML
generation.

In the future, please compose your messages to this list in plain text.
When you compose them in HTML, we only receive the plain text version
automatically generated by your mailer, which doesn't present the
intended formatting intact [3].

Good luck!

--
Best regards,
Ivan

[1] https://github.com/zhangh12/TrialSimulator/blob/93b6ef034108f4562a7658c33b9c946346ea9d1c/man/GraphicalTesting.Rd#L170
[2] https://github.com/zhangh12/TrialSimulator/blob/93b6ef034108f4562a7658c33b9c946346ea9d1c/R/GraphicalTesting.R#L139
[3] https://hypatia.math.ethz.ch/pipermail/r-package-devel/2025q1/011504.html
Re: [R-pkg-devel] False positive antivirus reports on package vignettes
On 18 February 2025 at 16:26, Ivan Krylov wrote:
| On Tue, 18 Feb 2025 07:05:06 -0600
| Dirk Eddelbuettel wrote:
|
| > one of the two pdf vignettes (which I happen to create as a shallow
| > Rnw -> pdf wrapper around a pre-made pdf, here that inner pdf had not
| > changed in five years, sigh ...) now upsets one of these (idiotic,
| > but hey, I am sure that at least they are very expensive) anti-virus
| > checkers.
|
| Does VirusTotal confirm the non-zero virus detection?

I have no idea. They have not communicated with me. I am only the relevant
author so why would they.

| > Has anybody figured out a workaround?
|
| Last time [*] it turned out to be a collision of a 32-bit checksum in
| the virus database. Try re-compressing the vignette or finding a
| comment that can be changed. For example, (La)TeX-produced vignettes
| sometimes contain a comment that says charToRaw('PTEX') |> as.integer()
| |> bitwXor(0x80) |> as.raw(), and these four bytes can be replaced by
| four spaces.

Can you translate that tip into an actionable `sed` (or, of course `Rscript`
or `r`) expression I could add to the Makefile?

I just updated the (outdated, here) bibliography also adding DOI fields so we
have a net gain. The particular vignette needs a refresh, I will try to check
some content too.

Dirk

--
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
[R-pkg-devel] How to fix "attribute "id" has invalid value" when submitting new package to CRAN
Hi,

It is my first time to see this NOTE when submitting a new package to CRAN.
It seems to happen on Debian and Windows, but I don't have a machine with
those OS installed. I searched for this note but did not find solutions.
Please advise. Thank you.

* checking HTML version of manual ... [1s/1s] NOTE
Found the following HTML validation problems:
    GraphicalTesting.html:114:1 (GraphicalTesting.Rd:170): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-new"
    GraphicalTesting.html:168:1 (GraphicalTesting.Rd:212): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-reset"
    GraphicalTesting.html:185:1 (GraphicalTesting.Rd:223): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-is_valid_hid"
    GraphicalTesting.html:214:1 (GraphicalTesting.Rd:240): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_hypothesis_name"
    GraphicalTesting.html:243:1 (GraphicalTesting.Rd:257): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_weight"
    GraphicalTesting.html:274:1 (GraphicalTesting.Rd:276): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-set_weight"
    GraphicalTesting.html:307:1 (GraphicalTesting.Rd:297): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_alpha"
    GraphicalTesting.html:339:1 (GraphicalTesting.Rd:317): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-set_alpha"
    GraphicalTesting.html:370:1 (GraphicalTesting.Rd:336): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_hypotheses_ids"
    GraphicalTesting.html:386:1 (GraphicalTesting.Rd:346): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_number_hypotheses"
    GraphicalTesting.html:402:1 (GraphicalTesting.Rd:356): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_hids_not_in_graph"
    GraphicalTesting.html:418:1 (GraphicalTesting.Rd:366): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_testable_hypotheses"
    GraphicalTesting.html:435:1 (GraphicalTesting.Rd:377): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-has_testable_hypotheses"
    GraphicalTesting.html:452:1 (GraphicalTesting.Rd:388): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-is_in_graph"
    GraphicalTesting.html:481:1 (GraphicalTesting.Rd:405): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-is_testable"
    GraphicalTesting.html:510:1 (GraphicalTesting.Rd:422): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_hid"
    GraphicalTesting.html:540:1 (GraphicalTesting.Rd:440): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-reject_a_hypothesis"
    GraphicalTesting.html:570:1 (GraphicalTesting.Rd:458): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-set_trajectory"
    GraphicalTesting.html:599:1 (GraphicalTesting.Rd:475): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_trajectory"
    GraphicalTesting.html:618:1 (GraphicalTesting.Rd:488): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-test_hypotheses"
    GraphicalTesting.html:672:1 (GraphicalTesting.Rd:523): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-test"
    GraphicalTesting.html:751:1 (GraphicalTesting.Rd:578): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_current_testing_results"
    GraphicalTesting.html:790:1 (GraphicalTesting.Rd:602): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-get_current_decision"
    GraphicalTesting.html:816:1 (GraphicalTesting.Rd:618): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-print"
    GraphicalTesting.html:854:1 (GraphicalTesting.Rd:644): Warning: attribute "id" has invalid value "method-Graphical Testing Procedure-clone"
    GroupSequentialTest.html:95:1 (GroupSequentialTest.Rd:97): Warning: attribute "id" has invalid value "method-Group Sequential Test-new"
    GroupSequentialTest.html:142:1 (GroupSequentialTest.Rd:132): Warning: attribute "id" has invalid value "method-Group Sequential Test-get_name"
    GroupSequentialTest.html:158:1 (GroupSequentialTest.Rd:142): Warning: attribute "id" has invalid value "method-Group Sequential Test-get_alpha"
    GroupSequentialTest.html:174:1 (GroupSequentialTest.Rd:152): Warning: attribute "id" has invalid value "method-Group Sequential Test-set_alpha_spending"
    GroupSequentialTest.html:204:1 (GroupSequentialTest.Rd:170): Warning: attribute "id" has invalid value "method-Group Sequential Test-get_alpha_spending"
    GroupSequentialTest.html:220:1 (GroupSequentialTest.Rd:180): Warning: attribute "id" has invalid value "method-Group Sequential Test-get_max_info"
    GroupSequentialTest.html:236: