Re: [R-pkg-devel] Possible malware(?) in a vignette

2024-01-27 Thread Bob Rudis
r instances could be >> detected. Please contact the CRAN team if you have any such information and >> we can take it from there. >> >> As you hinted yourself - there is no such thing as absolute safety - as >> the webp exploits have illustrated very clearly a simple imag

Re: [R-pkg-devel] Possible malware(?) in a vignette

2024-01-27 Thread Bob Rudis
The current one on CRAN does get flagged for some low-level Sigma rules b/c of one of way a few URLs interact. I don't know if f-secure is pedantic enough to call that malicious (it probably is, though). The *current* PDF is "fine". There is a major problem with the 2020 version. The file Iñaki's

Re: [Rd] Proposal to limit Internet access during package load

2022-09-26 Thread Bob Rudis
I would personally like something like an Android/iOS permissions required/requested manifest document describing what the pkg needs with R doing what it can to enforce said permissions. R would be breaking some ground in this space, but it does that regularly in many respects. Yes, I know I just

Re: [Rd] string concatenation operator (revisited)

2021-12-12 Thread Bob Rudis
FWIW {stringi} has %+% for this functionality (and I occasionally use it), tho I do enough processing of quite ughly string content that I pretty much always have {stringi} loaded. That may not be true for many other folks. On Fri, Dec 10, 2021 at 2:07 PM Grant McDermott wrote: > > Sorry I

[R-pkg-devel] log4j (CVE-2021-44228) & rJava CRAN pkgs (spoiler: no issues!)

2021-12-12 Thread Bob Rudis
Hey folks, If you haven't heard abt the log4j vuln from Friday yet, I envy you and def want to know how you managed to do that. For folks who develop Java-backed packages, pls be aware there's an arbitrary code execution issue with log4j v2 <= 2.15.0 (NOTE log4j v1 1.x are not impacted). Thanks

Re: [Rd] sorting bug in R-devel?

2021-01-19 Thread Bob Rudis
base::icuSetCollate might be what you need. There are some decent examples in the manual page on it. On Tue, Jan 19, 2021 at 7:30 AM Thierry Onkelinx via R-devel wrote: > > Dear Peter, > > Thanks for the feedback on the locale. Is there a better alternative for > the C locale? One that yields a

Re: [Rd] New URL redirect checks

2020-09-16 Thread Bob Rudis
I was going to offer my opine on security risks but some prominent R folks tend to woefully inaccurately knee-jerk/react badly to my 25+ year expert opinion on such things and create childish website verbiage to show their lack of maturity (who knew random developers can become security experts

Re: [Rd] r-project.org SSL certificate issues

2020-08-19 Thread Bob Rudis
Translation subdomain is also expired. https://rud.is/r-project-cert-status/ > On Aug 19, 2020, at 13:35, Toby Hocking wrote: > > Hi win-builder certificate expired on Aug 15. My student on the other side > of the world is also seeing this problem so I think it needs to be fixed... >>

Re: [Rd] r-project.org SSL certificate issues

2020-05-30 Thread Bob Rudis
The browsers still shouldn't trust it. The CA cert is expired. On Sat, May 30, 2020 at 5:23 PM Bob Rudis wrote: > > I've updated the dashboard (https://rud.is/r-project-cert-status/) > script and my notifier script to account for the entire chain in each > cert. > > On Sat, Ma

Re: [Rd] r-project.org SSL certificate issues

2020-05-30 Thread Bob Rudis
I've updated the dashboard (https://rud.is/r-project-cert-status/) script and my notifier script to account for the entire chain in each cert. On Sat, May 30, 2020 at 5:16 PM Bob Rudis wrote: > > # A tibble: 13 x 1 >site > > 1 beta.r-project.org > 2 bugs.r-pro

Re: [Rd] r-project.org SSL certificate issues

2020-05-30 Thread Bob Rudis
It's the top of chain CA cert, so browsers are being lazy and helpful to humans by (incorrectly, albeit) relying on the existing trust relationship. libcurl (et al) is not nearly as forgiving. On Sat, May 30, 2020 at 5:01 PM peter dalgaard wrote: > > Odd. Safari has no problem and says

Re: [Rd] r-project.org SSL certificate issues

2020-05-30 Thread Bob Rudis
www.cran.r-project.org 13 www.r-project.org is the whole list b/c of the wildcard cert. On Sat, May 30, 2020 at 5:07 PM Bob Rudis wrote: > > It's the top of chain CA cert, so browsers are being lazy and helpful > to humans by (incorrectly, albeit) relying on the existing trust >

Re: [Rd] r-project.org SSL certificate issues

2020-05-30 Thread Bob Rudis
Yep. It should switch to Let's Encrypt with the automated cert renewals ASAP. On Sat, May 30, 2020 at 4:17 PM Gábor Csárdi wrote: > > On macOS 10.15.5 and R-devel: > > > download.file("https://www.r-project.org", tempfile()) > trying URL 'https://www.r-project.org' > Error in

Re: [Rd] Graphic parameters with length zero in grid cause R to crash

2020-05-19 Thread Bob Rudis
Reproduced on latest Catalina beta and R 4.0.0 and latest RStudio devel build (it crashes the session). On Tue, May 19, 2020 at 7:39 AM Gu, Zuguang wrote: > > Hi, > > > I found in grid package, if the graphic parameters have zero length, R > crashes. In the > > following code, I only tested

Re: [R-pkg-devel] MacOS flat namespace

2020-05-11 Thread Bob Rudis
Can you provide a bit more context? I just grabbed the pkg source from CRAN and it builds fine. $ clang --version Apple clang version 11.0.3 (clang-1103.0.32.59) Target: x86_64-apple-darwin19.5.0 Thread model: posix InstalledDir:

Re: [R-pkg-devel] Internet security software?

2020-02-29 Thread Bob Rudis
As someone who is in cybersecurity as their $DAYJOB and who runs macOS as their primary OS (tho I pretty much run them all in one way, shape or form), I'd suggest: - relying heavily on Gatekeeper/Xprotect (the built-in anti-malware solution that comes with macOS, provided you keep updating the

Re: [Rd] depending on orphaned packages?

2019-09-29 Thread Bob Rudis
to be fairly straightforward to resolve but it's going to take a bit longer than "this week", but I'm not rescinding the volunteering. -Bob > On Sep 29, 2019, at 17:19, Bob Rudis wrote: > > Or, a crazy person (me) cld volunteer to keep this running and get it back on > CRAN.

Re: [Rd] depending on orphaned packages?

2019-09-29 Thread Bob Rudis
Or, a crazy person (me) cld volunteer to keep this running and get it back on CRAN. I fixed the severe warning and also added C-side registration code. The pkg is monolithic but the C code is super straightforward (as is the R code). Unless someone can think of a reason not to, I can submit

Re: [Rd] What is the best way to loop over an ALTREP vector?

2019-09-23 Thread Bob Rudis
Not sure if you're using just C++ or Rcpp for C++ access but https://purrple.cat/blog/2018/10/14/altrep-and-cpp/ has some tips on using C++ w/ALTREP. > On Sep 23, 2019, at 3:17 PM, Wang Jiefei wrote: > > Sorry for post a lot of things, for the first part of code, I copied my C++ > iter macro

Re: [Rd] Addition of a meta viewport tag to HTML manuals

2019-07-18 Thread Bob Rudis
On Mon, Jul 15, 2019 at 5:54 AM Martin Maechler wrote: > > >>>>> Bob Rudis > >>>>> on Tue, 9 Jul 2019 14:24:24 -0400 writes: > > > The addition of a single line: > > > > > at in the of the R HTML generated manuals

[Rd] Addition of a meta viewport tag to HTML manuals

2019-07-09 Thread Bob Rudis
The addition of a single line: at in the of the R HTML generated manuals would make them much easier to read on mobile devices. texi2any (which generates the HTML files) is based on long-working Perl code that includes many modern HTML elements but does not include this one. A Perl

Re: [R-pkg-devel] Checking for future file timestamps - warning with worldclockapi HTTP status 403 Site Disabled

2019-03-07 Thread Bob Rudis
the release branch) > > The timestamp checking code is still present in R-devel. I presume something > needs to be done about the breakage. > > - pd > >> On 7 Mar 2019, at 14:38 , Bob Rudis wrote: >> >> It's fixed in the RC that's GA on the 11th. >> >> I think

Re: [R-pkg-devel] Checking for future file timestamps - warning with worldclockapi HTTP status 403 Site Disabled

2019-03-07 Thread Bob Rudis
It's fixed in the RC that's GA on the 11th. I think perhaps "stealth fixed" may be more apropos since it's not in SVN logs, Bugzilla nor noted prominently in any of the various NEWS* files. Then there's the "why was the core R installation using a third party, non-HTTPS site for this to begin

Re: [R-pkg-devel] registering native routines

2019-02-18 Thread Bob Rudis
I believe you've got _some_ time. As of the changes in 3.4.0 the verbiage is: R CMD check --as-cran now NOTEs if the package does not register its native routines or does not declare its intentions on (native) symbol search. (This will become a WARNING in due course.) And I think it's

Re: [Rd] Support for signing R packages with GPG

2016-10-23 Thread Bob Rudis
I suspected/hoped this was one reason for the new pkg ;-) I'm *100% in support of this* and will help as much as I can. I can see if my org (Rapid7) would be willing to be a trusted peer (given my position it's prbly more like "we will be doing this" vs an ask). Sonatype may also be willing to be

[R-pkg-devel] New libcurl coming / question for pkg authors

2016-10-21 Thread Bob Rudis
(didn't know where else to post this, but pkg authors seemed to be a good group to run this by) Some folks may know I work in cybersecurity and my org's been talking with the curl/libcurl community regarding: https://curl.haxx.se/mail/lib-2016-10/0076.html TLDR: there's a new libcurl/curl coming

[Rd] Sys.setFileTime()

2016-09-30 Thread Bob Rudis
Since there has been a recent tweak to the functionality of Sys.setFileTime() I thought it might be an opportune time to ask a question regarding the decision to set both access and modification times (i.e. settime.actime = settime.modtime = (int)ftime; ) vs provide a parameter for each. Might it

Re: [Rd] Web site for MacOSX R-devel precompiled version

2016-09-29 Thread Bob Rudis
I've had a TODO on the list for a while to produce a daily R-devel binary build for macOS since I have some spare macOS compute cycles available. If there's sufficient interest I can copy the build setup and start generating them. I'm also a registered Apple developer so can make signed binaries

Re: [Rd] src/Makevars ignored ?

2016-09-27 Thread Bob Rudis
You're then asking CRAN to violate your "ideal contract" w/r/t compiler switching inside src/Makevars since CRAN needs to setup and produce standard, predictable, repeatable builds, including binary generation for two platforms (much to Dirk's chagrin, there _are_ other operating systems besides

Re: [R-pkg-devel] automated testing for an SSH tunneling package?

2016-09-16 Thread Bob Rudis
I'm not sure where Jeroen is on this - https://github.com/jeroenooms/ssh - but it might make more sense to dovetail off of it than rely on binaries being available on systems. That's doable, but (IMO) fraught with peril. On Fri, Sep 16, 2016 at 4:53 PM, William May wrote:

Re: [R-pkg-devel] robust download function in R (similar to wget)?

2016-08-25 Thread Bob Rudis
libcurl (which the RCurl & curl packages are built on) does not inherently have retry or resume partial capabilities, but those could be packaged up into a "robustdownloader" package. There's no guarantee of wget or curl binaries being on a system (especially Windows, even with an Rtools

Re: [Rd] Milestone: 9000 packages on CRAN

2016-08-22 Thread Bob Rudis
Hear! Hear! +100 for the shout out to the CRAN volunteers. Some of the most unsung heroes of the R universe. On Mon, Aug 22, 2016 at 5:16 AM, Henrik Bengtsson < henrik.bengts...@gmail.com> wrote: > An additional 1000 packages have been added to CRAN. This time, it > took less than 6 months.

Re: [R-pkg-devel] [Learning] the secret of Win[dows C-backed packages]

2016-08-13 Thread Bob Rudis
Aye. I rly need to get back to my security & privacy "R" post. The slipstreaming in of these binaries is somewhat frightening. Almost as frightening as being stuck on Windows  On Sat, Aug 13, 2016 at 13:09 Dirk Eddelbuettel wrote: > > I don't think there is a good "generally

[R-pkg-devel] [Learning] the secret of Win[dows C-backed packages]

2016-08-13 Thread Bob Rudis
Hey folks, I usually stare in awe at the C-backed packages that rely on external libraries which are super-easy to get working on macOS & *nix _but_ that also work perfectly on Windows. I fire up Windows (*maybe*) once a month to test some of my packages but I'm curious as to what I need to do to

Re: [Rd] ifelse() woes ... can we agree on a ifelse2() ?

2016-08-06 Thread Bob Rudis
have you tried seeing if `dplyr::if_else` behaves more to your liking? On Sat, Aug 6, 2016 at 10:20 AM Martin Maechler wrote: > Dear R-devel readers, > ( = people interested in the improvement and development of R). > > This is not the first time that this topic is

Re: [R-pkg-devel] Pkgs with ToS violations

2016-08-04 Thread Bob Rudis
mund.de> wrote: > CRAN will follow up with the package maintainer. > > Best, > Uwe Ligges > > > > On 04.08.2016 10:50, peter dalgaard wrote: >> >> >> On 04 Aug 2016, at 05:21 , Dirk Eddelbuettel <e...@debian.org> wrote: >> >>> >

[R-pkg-devel] Pkgs with ToS violations

2016-08-03 Thread Bob Rudis
I came across https://cran.rstudio.com/web/packages/boxoffice/index.html in CRAN today and while I don't expect CRAN to be a legal authority, should there not be some kind of policy for excluding R packages that deliberately violate (data) site ToS? (I'm asking this here vs sending a note to CRAN

Re: [R-pkg-devel] Submitting CRAN packages with hard-to-meet dependencies

2016-04-18 Thread boB Rudis
I would hope CRAN would let this in with some validation (even to the point of it possibly adding a new field to DESCRIPTION). It may never run on Slolaris or Plan 9, and I - who now runs a CRAN mirror in the hopes to eventually have a MacBuilder equivalent service at some point in the near future

Re: [R-pkg-devel] Format/parser for NEWS (not NEWS.Rd)?

2015-10-07 Thread boB Rudis
Try looking at the source for tools:::.news_reader_default and then tools::toRd On Wed, Oct 7, 2015 at 8:37 PM, Henrik Bengtsson wrote: > Hi, > > I'm looking for a parser of the plain text NEWS format (not the > NEWS.Rd format) - ideally the same one that is used by R