Checksums of packages change on CRAN without change in version number

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Checksums of packages change on CRAN without change in version number

Joris FA Meys
Dear all,

I report the same problem again, as one of our sysadmins at the university
ran into the same issue again. Every so often they find an in-place update
of an R package which almost always amounts to a small change in the
DESCRIPTION file. This does cause the checksums to change, and we end up
with two packages with the exact same version number but different
checksums.

To date there hasn't been any satisfactory answer on how to avoid having to
update our own configuration builds a week after the initial update due to
these stealthy checksum changes.

It's also an increasing safety concern for our IT department, as they
seriously frown upon software that makes in-place changes. According to
them, there's no way they can know whether it is a legitimate change to the
package, or the result of some kind of hack. They have to rely on trust,
which is a dangerous thing to do in an IT context and which they like to
avoid.

github report on the issue (this time it's mgcv) :
https://github.com/easybuilders/easybuild-easyconfigs/pull/7122#pullrequestreview-172031060

Cheers
Joris

--
Joris Meys
Statistical consultant

Department of Data Analysis and Mathematical Modelling
Ghent University
Coupure Links 653, B-9000 Gent (Belgium)
<https://maps.google.com/?q=Coupure+links+653,%C2%A0B-9000+Gent,%C2%A0Belgium&entry=gmail&source=g>

-----------
Biowiskundedagen 2017-2018
http://www.biowiskundedagen.ugent.be/

-------------------------------
Disclaimer : http://helpdesk.ugent.be/e-maildisclaimer.php

        [[alternative HTML version deleted]]

______________________________________________
[hidden email] mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel