Hi,

Recently I got the following email from the CRAN maintainer about my package, string2path[1].
However, I do ensure the binary is the pinned version and verify if the hash matches with the embedded one in the DESCRIPTION [2][3]. In case of a mismatch, the build fails. So, this mechanism should ensure that I (or anyone) cannot change the version of the binary without actually resubmitting to CRAN.

I believe this complies with the CRAN policy (except for not clearing the authorship and copyright).

Is there anything I have to address to prove I do "ensure that the download is of a fixed version"? Any suggestions are welcome.

> The CRAN policy stipulates
>
> "Where a package wishes to make use of a library not written solely for
> the package, the package installation should first look to see if it is
> already installed and if so is of a suitable version. In case not, it is
> desirable to include the library sources in the package and compile them
> as part of package installation. If the sources are too large, it is
> acceptable to download them as part of installation, but do ensure that
> the download is of a fixed version rather than the latest. Only as a
> last resort and with the agreement of the CRAN team should a package
> download pre-compiled software."
>
> and we have recently seen an instance of a rust-using package whose
> check output changed because what it downloaded had changed. CRAN
> checking is not set up for that (for example, macOS checks are done once
> only for each version).
>
> Whilst investigating, the Windows' maintainers found that binary libs
> were being downloaded. And subsequently I found that salso, string2path
> and ymd are downloading compiled code on Intel macOS.
>
> Also, make sure that the authorship and copyright of code you download
> (and hence include in the package) is clear from the DESCRIPTION file,
> as required by the CRAN policy.

Best,
Hiroaki Yutani

[1]: https://cran.r-project.org/package=string2path
[2]: https://github.com/cran/string2path/blob/46020296410cd78e2021bff86cb6f17c681d13a6/DESCRIPTION#L29-L40
[3]: https://github.com/cran/string2path/blob/46020296410cd78e2021bff86cb6f17c681d13a6/tools/configure.R#L177-L295
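
The mechanism described in the message above (a hash embedded in DESCRIPTION, checked at build time, with the build failing on mismatch) can be sketched as follows. This is an added example, not code from the post or from string2path's configure.R; the field name `Config/example/pinned_sha256`, the target name and the file contents are constructed for illustration, and `tools::sha256sum()` is assumed to be available (R >= 4.5.0).

```r
# Added example. Field name, target and artifact bytes are constructed.

# Read the pinned hash for `target` from a DESCRIPTION field holding
# one "<target> <sha256>" pair per line.
pinned_hash <- function(description, target,
                        field = "Config/example/pinned_sha256") {
  dcf <- read.dcf(description, fields = field)
  if (is.na(dcf[1, field])) stop("DESCRIPTION has no field ", field)
  lines <- trimws(strsplit(dcf[1, field], "\n", fixed = TRUE)[[1]])
  rows <- Filter(function(r) length(r) == 2, strsplit(lines, "[[:space:]]+"))
  hit <- Filter(function(r) r[1] == target, rows)
  if (length(hit) != 1) stop("no unique pinned hash for target ", target)
  tolower(hit[[1]][2])
}

# Fail closed: on any mismatch, delete the file and abort the build.
verify_artifact <- function(artifact, description, target) {
  expected <- pinned_hash(description, target)
  actual <- unname(tools::sha256sum(artifact))
  if (is.na(actual) || !identical(actual, expected)) {
    unlink(artifact)  # do not leave an unverified binary for the linker
    stop("checksum mismatch for ", target,
         ": expected ", expected, ", got ", actual)
  }
  invisible(TRUE)
}

# Constructed artifact standing in for the downloaded library.
artifact <- tempfile(fileext = ".a")
writeBin(charToRaw("constructed artifact, release 1"), artifact)

# Constructed DESCRIPTION that pins the artifact's hash.
desc <- tempfile()
writeLines(c(
  "Package: examplepkg",
  "Version: 0.0.1",
  paste0("Config/example/pinned_sha256: x86_64-apple-darwin ",
         tools::sha256sum(artifact))
), desc)

# Unchanged bytes: verification succeeds.
verify_artifact(artifact, desc, "x86_64-apple-darwin")

# Same location, different bytes: the check must stop the build.
writeBin(charToRaw("constructed artifact, silently replaced"), artifact)
result <- tryCatch(verify_artifact(artifact, desc, "x86_64-apple-darwin"),
                   error = function(e) conditionMessage(e))
print(result)
```

Because the expected hash is part of the submitted package, changing the binary requires changing DESCRIPTION, which in turn requires a new submission.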