[Rd] New URL redirect checks
Dear all,
the new CRAN URL checks flag HTTP 301 redirects. While I understand
the intent, I think this is unfortunate, because several URL shortener
services use 301 redirects, and often a shorter URL is actually better
in a manual page than a longer one that can be several lines long in
the console and also potentially truncated in the PDF manual.
Some example shorteners that are flagged:
> db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";),
> "README")
> tools:::check_url_db(db)
URL: https://nyti.ms (moved to https://www.nytimes.com/)
From: README
Status: 200
Message: OK
URL: https://t.co/mtXLLfYOYE (moved to
https://www.bbc.co.uk/news/blogs-trending-47975564)
From: README
Status: 200
Message: OK
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Re: [Rd] New URL redirect checks
I can't comment for CRAN, but generally, shorteners are considered security
risk so regardless of the 301 handling I think flagging those is a good idea.
Also I think it is particularly bad to use them in manuals because it hides the
target so the user has no idea what hey will get.
Cheers,
Simon
> On Sep 17, 2020, at 5:35 AM, Gábor Csárdi wrote:
>
> Dear all,
>
> the new CRAN URL checks flag HTTP 301 redirects. While I understand
> the intent, I think this is unfortunate, because several URL shortener
> services use 301 redirects, and often a shorter URL is actually better
> in a manual page than a longer one that can be several lines long in
> the console and also potentially truncated in the PDF manual.
>
> Some example shorteners that are flagged:
>
>> db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";),
>> "README")
>> tools:::check_url_db(db)
> URL: https://nyti.ms (moved to https://www.nytimes.com/)
> From: README
> Status: 200
> Message: OK
>
> URL: https://t.co/mtXLLfYOYE (moved to
> https://www.bbc.co.uk/news/blogs-trending-47975564)
> From: README
> Status: 200
> Message: OK
>
> __
> R-devel@r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Re: [Rd] New URL redirect checks
On 16/09/2020 4:51 p.m., Simon Urbanek wrote:
I can't comment for CRAN, but generally, shorteners are considered security
risk so regardless of the 301 handling I think flagging those is a good idea.
Also I think it is particularly bad to use them in manuals because it hides the
target so the user has no idea what hey will get.
I agree, and we do have \href{}{} in Rd files and similar in other
formats for giving text of a link different than the URL if the URL is
inconveniently long. There's still a bit of a security issue though:
the built in help browser (at least in MacOS) doesn't show the full URL
when you hover over the link, as most browsers do. So one could have
\href{https://disney.org}{https://horrible.web.site}
Duncan Murdoch
Cheers,
Simon
On Sep 17, 2020, at 5:35 AM, Gábor Csárdi wrote:
Dear all,
the new CRAN URL checks flag HTTP 301 redirects. While I understand
the intent, I think this is unfortunate, because several URL shortener
services use 301 redirects, and often a shorter URL is actually better
in a manual page than a longer one that can be several lines long in
the console and also potentially truncated in the PDF manual.
Some example shorteners that are flagged:
db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";), "README")
tools:::check_url_db(db)
URL: https://nyti.ms (moved to https://www.nytimes.com/)
From: README
Status: 200
Message: OK
URL: https://t.co/mtXLLfYOYE (moved to
https://www.bbc.co.uk/news/blogs-trending-47975564)
From: README
Status: 200
Message: OK
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Re: [Rd] New URL redirect checks
I was going to offer my opine on security risks but some prominent R folks
tend to woefully inaccurately knee-jerk/react badly to my 25+ year expert
opinion on such things and create childish website verbiage to show their
lack of maturity (who knew random developers can become security experts
overnight with no training or experience?).
Allowing shorteners is a terrible, woefully insecure idea. I fully support
CRAN’s position.
I’d likely counsel any folks looking to move to R and CRAN packages to seek
Scala or Julia ecosystems instead if it were to be overturned.
But, hey, what do I know.
-boB
On Sep 16, 2020 at 5:50:52 PM, Duncan Murdoch
wrote:
> On 16/09/2020 4:51 p.m., Simon Urbanek wrote:
>
> I can't comment for CRAN, but generally, shorteners are considered
> security risk so regardless of the 301 handling I think flagging those is a
> good idea. Also I think it is particularly bad to use them in manuals
> because it hides the target so the user has no idea what hey will get.
>
>
> I agree, and we do have \href{}{} in Rd files and similar in other
> formats for giving text of a link different than the URL if the URL is
> inconveniently long. There's still a bit of a security issue though:
> the built in help browser (at least in MacOS) doesn't show the full URL
> when you hover over the link, as most browsers do. So one could have
>
> \href{https://disney.org}{https://horrible.web.site}
>
> Duncan Murdoch
>
>
>
> Cheers,
>
> Simon
>
>
>
> > On Sep 17, 2020, at 5:35 AM, Gábor Csárdi
> wrote:
>
> >
>
> > Dear all,
>
> >
>
> > the new CRAN URL checks flag HTTP 301 redirects. While I understand
>
> > the intent, I think this is unfortunate, because several URL shortener
>
> > services use 301 redirects, and often a shorter URL is actually better
>
> > in a manual page than a longer one that can be several lines long in
>
> > the console and also potentially truncated in the PDF manual.
>
> >
>
> > Some example shorteners that are flagged:
>
> >
>
> >> db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";),
> "README")
>
> >> tools:::check_url_db(db)
>
> > URL: https://nyti.ms (moved to https://www.nytimes.com/)
>
> > From: README
>
> > Status: 200
>
> > Message: OK
>
> >
>
> > URL: https://t.co/mtXLLfYOYE (moved to
>
> > https://www.bbc.co.uk/news/blogs-trending-47975564)
>
> > From: README
>
> > Status: 200
>
> > Message: OK
>
> >
>
> > __
>
> > R-devel@r-project.org mailing list
>
> > https://stat.ethz.ch/mailman/listinfo/r-devel
>
> >
>
>
> __
>
> R-devel@r-project.org mailing list
>
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
>
>
> __
> R-devel@r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
[[alternative HTML version deleted]]
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Re: [Rd] New URL redirect checks
Right, I am sorry, I did not realize the security aspect here. I guess
I unconsciously treated CRAN package authors as a trusted source.
Thanks for the correction and clarification, and to CRAN for
implementing these checks. :)
G.
On Wed, Sep 16, 2020 at 10:50 PM Duncan Murdoch
wrote:
>
> On 16/09/2020 4:51 p.m., Simon Urbanek wrote:
> > I can't comment for CRAN, but generally, shorteners are considered security
> > risk so regardless of the 301 handling I think flagging those is a good
> > idea. Also I think it is particularly bad to use them in manuals because it
> > hides the target so the user has no idea what hey will get.
>
> I agree, and we do have \href{}{} in Rd files and similar in other
> formats for giving text of a link different than the URL if the URL is
> inconveniently long. There's still a bit of a security issue though:
> the built in help browser (at least in MacOS) doesn't show the full URL
> when you hover over the link, as most browsers do. So one could have
>
> \href{https://disney.org}{https://horrible.web.site}
>
> Duncan Murdoch
>
>
> >
> > Cheers,
> > Simon
> >
> >
> >> On Sep 17, 2020, at 5:35 AM, Gábor Csárdi wrote:
> >>
> >> Dear all,
> >>
> >> the new CRAN URL checks flag HTTP 301 redirects. While I understand
> >> the intent, I think this is unfortunate, because several URL shortener
> >> services use 301 redirects, and often a shorter URL is actually better
> >> in a manual page than a longer one that can be several lines long in
> >> the console and also potentially truncated in the PDF manual.
> >>
> >> Some example shorteners that are flagged:
> >>
> >>> db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";),
> >>> "README")
> >>> tools:::check_url_db(db)
> >> URL: https://nyti.ms (moved to https://www.nytimes.com/)
> >> From: README
> >> Status: 200
> >> Message: OK
> >>
> >> URL: https://t.co/mtXLLfYOYE (moved to
> >> https://www.bbc.co.uk/news/blogs-trending-47975564)
> >> From: README
> >> Status: 200
> >> Message: OK
> >>
> >> __
> >> R-devel@r-project.org mailing list
> >> https://stat.ethz.ch/mailman/listinfo/r-devel
> >>
> >
> > __
> > R-devel@r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
> >
>
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Re: [Rd] New URL redirect checks
I don't have an opinion on the URL shorteners, but how about the
original question? Redirection can be extremely useful in general.
Shortening URLs is only one of its possible applications. FWIW, CRAN
uses (303) redirect itself, e.g.,
https://cran.r-project.org/package=MASS is redirected to
https://cran.r-project.org/web/packages/MASS/index.html Should these
"canonical" CRAN links be disallowed in packages, too? Just as another
example, https://cran.r-project.org/bin/windows/base/release.html is
redirected to the latest Windows installer of R (through the
tag).
If the intent of the new URL redirect check is to disallow using URL
shorteners like bit.ly or nyti.ms, that may be fair, but it it is to
disallow using any URLs that are redirected, I think this CRAN policy
may be worth a reconsideration.
Regards,
Yihui
--
https://yihui.org
On Thu, Sep 17, 2020 at 3:26 AM Gábor Csárdi wrote:
>
> Right, I am sorry, I did not realize the security aspect here. I guess
> I unconsciously treated CRAN package authors as a trusted source.
>
> Thanks for the correction and clarification, and to CRAN for
> implementing these checks. :)
>
> G.
>
> On Wed, Sep 16, 2020 at 10:50 PM Duncan Murdoch
> wrote:
> >
> > On 16/09/2020 4:51 p.m., Simon Urbanek wrote:
> > > I can't comment for CRAN, but generally, shorteners are considered
> > > security risk so regardless of the 301 handling I think flagging those is
> > > a good idea. Also I think it is particularly bad to use them in manuals
> > > because it hides the target so the user has no idea what hey will get.
> >
> > I agree, and we do have \href{}{} in Rd files and similar in other
> > formats for giving text of a link different than the URL if the URL is
> > inconveniently long. There's still a bit of a security issue though:
> > the built in help browser (at least in MacOS) doesn't show the full URL
> > when you hover over the link, as most browsers do. So one could have
> >
> > \href{https://disney.org}{https://horrible.web.site}
> >
> > Duncan Murdoch
> >
> >
> > >
> > > Cheers,
> > > Simon
> > >
> > >
> > >> On Sep 17, 2020, at 5:35 AM, Gábor Csárdi wrote:
> > >>
> > >> Dear all,
> > >>
> > >> the new CRAN URL checks flag HTTP 301 redirects. While I understand
> > >> the intent, I think this is unfortunate, because several URL shortener
> > >> services use 301 redirects, and often a shorter URL is actually better
> > >> in a manual page than a longer one that can be several lines long in
> > >> the console and also potentially truncated in the PDF manual.
> > >>
> > >> Some example shorteners that are flagged:
> > >>
> > >>> db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";),
> > >>> "README")
> > >>> tools:::check_url_db(db)
> > >> URL: https://nyti.ms (moved to https://www.nytimes.com/)
> > >> From: README
> > >> Status: 200
> > >> Message: OK
> > >>
> > >> URL: https://t.co/mtXLLfYOYE (moved to
> > >> https://www.bbc.co.uk/news/blogs-trending-47975564)
> > >> From: README
> > >> Status: 200
> > >> Message: OK
> > >>
> > >> __
> > >> R-devel@r-project.org mailing list
> > >> https://stat.ethz.ch/mailman/listinfo/r-devel
> > >>
> > >
> > > __
> > > R-devel@r-project.org mailing list
> > > https://stat.ethz.ch/mailman/listinfo/r-devel
> > >
> >
>
> __
> R-devel@r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Re: [Rd] New URL redirect checks
Isn't the whole concept of DOI basically link-shortening/redirecting?
For example, this link
https://doi.org/10.2134/agronj2016.07.0395
redirects to
https://acsess.onlinelibrary.wiley.com/doi/abs/10.2134/agronj2016.07.0395
As a side note, I got so fed up with CRAN check complaints about (perfectly
valid) re-directs that I refuse to use the \url{} tag anymore.
Kevin
On Thu, Sep 17, 2020 at 8:32 AM Yihui Xie wrote:
> I don't have an opinion on the URL shorteners, but how about the
> original question? Redirection can be extremely useful in general.
> Shortening URLs is only one of its possible applications. FWIW, CRAN
> uses (303) redirect itself, e.g.,
> https://cran.r-project.org/package=MASS is redirected to
> https://cran.r-project.org/web/packages/MASS/index.html Should these
> "canonical" CRAN links be disallowed in packages, too? Just as another
> example, https://cran.r-project.org/bin/windows/base/release.html is
> redirected to the latest Windows installer of R (through the
> tag).
>
> If the intent of the new URL redirect check is to disallow using URL
> shorteners like bit.ly or nyti.ms, that may be fair, but it it is to
> disallow using any URLs that are redirected, I think this CRAN policy
> may be worth a reconsideration.
>
> Regards,
> Yihui
> --
> https://yihui.org
>
>
> On Thu, Sep 17, 2020 at 3:26 AM Gábor Csárdi
> wrote:
> >
> > Right, I am sorry, I did not realize the security aspect here. I guess
> > I unconsciously treated CRAN package authors as a trusted source.
> >
> > Thanks for the correction and clarification, and to CRAN for
> > implementing these checks. :)
> >
> > G.
> >
> > On Wed, Sep 16, 2020 at 10:50 PM Duncan Murdoch
> > wrote:
> > >
> > > On 16/09/2020 4:51 p.m., Simon Urbanek wrote:
> > > > I can't comment for CRAN, but generally, shorteners are considered
> security risk so regardless of the 301 handling I think flagging those is a
> good idea. Also I think it is particularly bad to use them in manuals
> because it hides the target so the user has no idea what hey will get.
> > >
> > > I agree, and we do have \href{}{} in Rd files and similar in other
> > > formats for giving text of a link different than the URL if the URL is
> > > inconveniently long. There's still a bit of a security issue though:
> > > the built in help browser (at least in MacOS) doesn't show the full URL
> > > when you hover over the link, as most browsers do. So one could have
> > >
> > > \href{https://disney.org}{https://horrible.web.site}
> > >
> > > Duncan Murdoch
> > >
> > >
> > > >
> > > > Cheers,
> > > > Simon
> > > >
> > > >
> > > >> On Sep 17, 2020, at 5:35 AM, Gábor Csárdi
> wrote:
> > > >>
> > > >> Dear all,
> > > >>
> > > >> the new CRAN URL checks flag HTTP 301 redirects. While I understand
> > > >> the intent, I think this is unfortunate, because several URL
> shortener
> > > >> services use 301 redirects, and often a shorter URL is actually
> better
> > > >> in a manual page than a longer one that can be several lines long in
> > > >> the console and also potentially truncated in the PDF manual.
> > > >>
> > > >> Some example shorteners that are flagged:
> > > >>
> > > >>> db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";),
> "README")
> > > >>> tools:::check_url_db(db)
> > > >> URL: https://nyti.ms (moved to https://www.nytimes.com/)
> > > >> From: README
> > > >> Status: 200
> > > >> Message: OK
> > > >>
> > > >> URL: https://t.co/mtXLLfYOYE (moved to
> > > >> https://www.bbc.co.uk/news/blogs-trending-47975564)
> > > >> From: README
> > > >> Status: 200
> > > >> Message: OK
> > > >>
> > > >> __
> > > >> R-devel@r-project.org mailing list
> > > >> https://stat.ethz.ch/mailman/listinfo/r-devel
> > > >>
> > > >
> > > > __
> > > > R-devel@r-project.org mailing list
> > > > https://stat.ethz.ch/mailman/listinfo/r-devel
> > > >
> > >
> >
> > __
> > R-devel@r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
>
> __
> R-devel@r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
--
Kevin Wright
[[alternative HTML version deleted]]
__
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
Re: [Rd] New URL redirect checks
Me too. I have changed some valid URLs in \url{} to \verb{} just to
avoid these check NOTEs. I do appreciate the check for the validity of
URLs in packages, especially those dead links (404), but discouraging
URLs with status code other than 200 (such as 301) feels like
overdoing the job. After I "hide" links from R CMD check with \verb{}
, it will be hard to know if these links are still valid in the
future.
Regards,
Yihui
On Tue, Sep 22, 2020 at 1:17 PM Kevin Wright wrote:
>
> Isn't the whole concept of DOI basically link-shortening/redirecting?
>
> For example, this link
> https://doi.org/10.2134/agronj2016.07.0395
> redirects to
> https://acsess.onlinelibrary.wiley.com/doi/abs/10.2134/agronj2016.07.0395
>
> As a side note, I got so fed up with CRAN check complaints about (perfectly
> valid) re-directs that I refuse to use the \url{} tag anymore.
>
> Kevin
>
>
> On Thu, Sep 17, 2020 at 8:32 AM Yihui Xie wrote:
>>
>> I don't have an opinion on the URL shorteners, but how about the
>> original question? Redirection can be extremely useful in general.
>> Shortening URLs is only one of its possible applications. FWIW, CRAN
>> uses (303) redirect itself, e.g.,
>> https://cran.r-project.org/package=MASS is redirected to
>> https://cran.r-project.org/web/packages/MASS/index.html Should these
>> "canonical" CRAN links be disallowed in packages, too? Just as another
>> example, https://cran.r-project.org/bin/windows/base/release.html is
>> redirected to the latest Windows installer of R (through the
>> tag).
>>
>> If the intent of the new URL redirect check is to disallow using URL
>> shorteners like bit.ly or nyti.ms, that may be fair, but it it is to
>> disallow using any URLs that are redirected, I think this CRAN policy
>> may be worth a reconsideration.
>>
>> Regards,
>> Yihui
>> --
>> https://yihui.org
>>
>>
>> On Thu, Sep 17, 2020 at 3:26 AM Gábor Csárdi wrote:
>> >
>> > Right, I am sorry, I did not realize the security aspect here. I guess
>> > I unconsciously treated CRAN package authors as a trusted source.
>> >
>> > Thanks for the correction and clarification, and to CRAN for
>> > implementing these checks. :)
>> >
>> > G.
>> >
>> > On Wed, Sep 16, 2020 at 10:50 PM Duncan Murdoch
>> > wrote:
>> > >
>> > > On 16/09/2020 4:51 p.m., Simon Urbanek wrote:
>> > > > I can't comment for CRAN, but generally, shorteners are considered
>> > > > security risk so regardless of the 301 handling I think flagging those
>> > > > is a good idea. Also I think it is particularly bad to use them in
>> > > > manuals because it hides the target so the user has no idea what hey
>> > > > will get.
>> > >
>> > > I agree, and we do have \href{}{} in Rd files and similar in other
>> > > formats for giving text of a link different than the URL if the URL is
>> > > inconveniently long. There's still a bit of a security issue though:
>> > > the built in help browser (at least in MacOS) doesn't show the full URL
>> > > when you hover over the link, as most browsers do. So one could have
>> > >
>> > > \href{https://disney.org}{https://horrible.web.site}
>> > >
>> > > Duncan Murdoch
>> > >
>> > >
>> > > >
>> > > > Cheers,
>> > > > Simon
>> > > >
>> > > >
>> > > >> On Sep 17, 2020, at 5:35 AM, Gábor Csárdi
>> > > >> wrote:
>> > > >>
>> > > >> Dear all,
>> > > >>
>> > > >> the new CRAN URL checks flag HTTP 301 redirects. While I understand
>> > > >> the intent, I think this is unfortunate, because several URL shortener
>> > > >> services use 301 redirects, and often a shorter URL is actually better
>> > > >> in a manual page than a longer one that can be several lines long in
>> > > >> the console and also potentially truncated in the PDF manual.
>> > > >>
>> > > >> Some example shorteners that are flagged:
>> > > >>
>> > > >>> db <- tools:::url_db(c("https://nyti.ms";,
>> > > >>> "https://t.co/mtXLLfYOYE";), "README")
>> > > >>> tools:::check_url_db(db)
>> > > >> URL: https://nyti.ms (moved to https://www.nytimes.com/)
>> > > >> From: README
>> > > >> Status: 200
>> > > >> Message: OK
>> > > >>
>> > > >> URL: https://t.co/mtXLLfYOYE (moved to
>> > > >> https://www.bbc.co.uk/news/blogs-trending-47975564)
>> > > >> From: README
>> > > >> Status: 200
>> > > >> Message: OK
>> > > >>
>> > > >> __
>> > > >> R-devel@r-project.org mailing list
>> > > >> https://stat.ethz.ch/mailman/listinfo/r-devel
>> > > >>
>> > > >
>> > > > __
>> > > > R-devel@r-project.org mailing list
>> > > > https://stat.ethz.ch/mailman/listinfo/r-devel
>> > > >
>> > >
>> >
>> > __
>> > R-devel@r-project.org mailing list
>> > https://stat.ethz.ch/mailman/listinfo/r-devel
>>
>> __
>> R-devel@r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-devel
>
>
>
> --
> Kevin Wright
__
R-devel@r-project.org mailing list
https://s
Re: [Rd] New URL redirect checks
Does this issue fit in the more general one of centralized vs
partitioned checks? I've suggested before that the CRAN team
seems (and I'll be honest and admit I don't have a good knowledge
of how they work) to favour an all-in-one checking, whereas it
might be helpful to developers and also widen the "CRAN checking"
team to partition checks. Partitioned checks would allow the
particular problems that are raised to be dealt with in a more
focussed action. URLs seem an obvious candidate, since
link checking is used outside of R packages.
I'm sure there are others besides myself who would contribute
to such activities. After all, the partitioned checks could be
contributed packages themselves.
JN
On 2020-09-22 9:50 p.m., Yihui Xie wrote:
> Me too. I have changed some valid URLs in \url{} to \verb{} just to
> avoid these check NOTEs. I do appreciate the check for the validity of
> URLs in packages, especially those dead links (404), but discouraging
> URLs with status code other than 200 (such as 301) feels like
> overdoing the job. After I "hide" links from R CMD check with \verb{}
> , it will be hard to know if these links are still valid in the
> future.
>
> Regards,
> Yihui
>
> On Tue, Sep 22, 2020 at 1:17 PM Kevin Wright wrote:
>>
>> Isn't the whole concept of DOI basically link-shortening/redirecting?
>>
>> For example, this link
>> https://doi.org/10.2134/agronj2016.07.0395
>> redirects to
>> https://acsess.onlinelibrary.wiley.com/doi/abs/10.2134/agronj2016.07.0395
>>
>> As a side note, I got so fed up with CRAN check complaints about (perfectly
>> valid) re-directs that I refuse to use the \url{} tag anymore.
>>
>> Kevin
>>
>>
>> On Thu, Sep 17, 2020 at 8:32 AM Yihui Xie wrote:
>>>
>>> I don't have an opinion on the URL shorteners, but how about the
>>> original question? Redirection can be extremely useful in general.
>>> Shortening URLs is only one of its possible applications. FWIW, CRAN
>>> uses (303) redirect itself, e.g.,
>>> https://cran.r-project.org/package=MASS is redirected to
>>> https://cran.r-project.org/web/packages/MASS/index.html Should these
>>> "canonical" CRAN links be disallowed in packages, too? Just as another
>>> example, https://cran.r-project.org/bin/windows/base/release.html is
>>> redirected to the latest Windows installer of R (through the
>>> tag).
>>>
>>> If the intent of the new URL redirect check is to disallow using URL
>>> shorteners like bit.ly or nyti.ms, that may be fair, but it it is to
>>> disallow using any URLs that are redirected, I think this CRAN policy
>>> may be worth a reconsideration.
>>>
>>> Regards,
>>> Yihui
>>> --
>>> https://yihui.org
>>>
>>>
>>> On Thu, Sep 17, 2020 at 3:26 AM Gábor Csárdi wrote:
Right, I am sorry, I did not realize the security aspect here. I guess
I unconsciously treated CRAN package authors as a trusted source.
Thanks for the correction and clarification, and to CRAN for
implementing these checks. :)
G.
On Wed, Sep 16, 2020 at 10:50 PM Duncan Murdoch
wrote:
>
> On 16/09/2020 4:51 p.m., Simon Urbanek wrote:
>> I can't comment for CRAN, but generally, shorteners are considered
>> security risk so regardless of the 301 handling I think flagging those
>> is a good idea. Also I think it is particularly bad to use them in
>> manuals because it hides the target so the user has no idea what hey
>> will get.
>
> I agree, and we do have \href{}{} in Rd files and similar in other
> formats for giving text of a link different than the URL if the URL is
> inconveniently long. There's still a bit of a security issue though:
> the built in help browser (at least in MacOS) doesn't show the full URL
> when you hover over the link, as most browsers do. So one could have
>
> \href{https://disney.org}{https://horrible.web.site}
>
> Duncan Murdoch
>
>
>>
>> Cheers,
>> Simon
>>
>>
>>> On Sep 17, 2020, at 5:35 AM, Gábor Csárdi
>>> wrote:
>>>
>>> Dear all,
>>>
>>> the new CRAN URL checks flag HTTP 301 redirects. While I understand
>>> the intent, I think this is unfortunate, because several URL shortener
>>> services use 301 redirects, and often a shorter URL is actually better
>>> in a manual page than a longer one that can be several lines long in
>>> the console and also potentially truncated in the PDF manual.
>>>
>>> Some example shorteners that are flagged:
>>>
db <- tools:::url_db(c("https://nyti.ms";, "https://t.co/mtXLLfYOYE";),
"README")
tools:::check_url_db(db)
>>> URL: https://nyti.ms (moved to https://www.nytimes.com/)
>>> From: README
>>> Status: 200
>>> Message: OK
>>>
>>> URL: https://t.co/mtXLLfYOYE (moved to
>>> https://www.bbc.co.uk/news/blogs-trending-47975564)
>>> From: README
>>> Status: 200
>>> Message: OK
>>>
>>> _
