R check false positive - multiple versions of a dependency

Dénes Tóth-2

----
Disclaimer: I sent this report first to [hidden email]
but it seems it has not been delivered to the list - re-trying to r-devel
----

Dear R maintainers,

Use case:
Restrict the acceptable versions of an imported package (e.g., 'pkg') to
a closed interval. That is, provide *both* pkg (>= min.version.nr), pkg
(<= max.version.nr) under Imports.

Problem:
Even though the package is an internal package, I want to have clean R
CMD check results for QC reasons, and this seems impossible due to a bug
in tools/R/QC.R/.check_package_description2.

Details:
This is a quote from Writing R Extensions, 1.1.3 Package Dependencies:

"A package or ‘R’ can appear more than once in the ‘Depends’ field, for
example to give upper and lower bounds on acceptable versions."

In reality, this statement seems untrue: 1) only R can appear more than
once (even base packages like 'stats' trigger a NOTE in R CMD check); 2)
Not only 'Depends', but other fields (Imports, Suggests, Enhances) can
contain duplicated entries in the sense that the entries are processed
as expected, but the check gives a NOTE.

Minimal reproducible example:
In a (Linux) terminal, issue the following commands (note the Depends row):

#####
mkdir -p pkgname
echo "
Depends: R (>= 3.1.0), R (<= 4.1.0)
Package: pkgname
Version: 0.5-1
Date: 2021-04-15
Title: My First Collection of Functions
Author: Joe Developer [aut, cre],
   Pat Developer [aut],
   A. User [ctb]
Maintainer: Joe Developer <[hidden email]>
Description: A (one paragraph) description of what
   the package does and why it may be useful.
License: GPL (>= 2)
" > pkgname/DESCRIPTION

R CMD build pkgname
_R_CHECK_CRAN_INCOMING_REMOTE_=FALSE R CMD check pkgname_0.5-1.tar.gz --as-cran --no-manual
#####

The commands above return with "Status: OK" - so far so good.

Now instead of restricting the R version, let us restrict the version of
'stats'. (This is the only change, see Depends.)

#####
echo "
Depends: stats (>= 0.0.0), stats (<= 10.0.0)
Package: pkgname
Version: 0.5-1
Date: 2021-04-15
Title: My First Collection of Functions
Author: Joe Developer [aut, cre],
   Pat Developer [aut],
   A. User [ctb]
Maintainer: Joe Developer <[hidden email]>
Suggests: MASS
Description: A (one paragraph) description of what
   the package does and why it may be useful.
License: GPL (>= 2)
" > pkgname/DESCRIPTION
R CMD build pkgname
_R_CHECK_CRAN_INCOMING_REMOTE_=FALSE R CMD check pkgname_0.5-1.tar.gz --as-cran --no-manual
#####

Now the status is "Status: 1 NOTE", and the note is:
"Package listed in more than one of Depends, Imports, Suggests, Enhances:
   ‘stats’
A package should be listed in only one of these fields."

Possible fix:
1) I think the highlighted sentence in Writing R Extensions should read as:
"A package or ‘R’ can appear more than once in the ‘Depends’ field, for
example to give upper and lower bounds on acceptable versions. For
packages, the same rule applies for ‘Imports’ and ‘Suggests’ fields (see
later)."

2) In .check_package_description2(),
'unique(allpkgs[duplicated(allpkgs)])' shall be replaced with a more
elaborated check. BTW, that check appears twice in the function, where
the first result is assigned to 'out' and is never used until 'out' gets
re-assigned. See
https://github.com/r-devel/r-svn/blob/0d65935f30dcaccfeee1dd61991bf4b1444873bc/src/library/tools/R/QC.R#L3553

If you agree this is a bug, I can create a formal bug report and
probably create a patch, too.

Regards,
Denes

______________________________________________
[hidden email] mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel

Re: R check false positive - multiple versions of a dependency

Duncan Murdoch-2
I'd say a NOTE is appropriate even if upper and lower limits are
allowed, but the wording of the current note should be changed, e.g.
your example should say

"Package listed more than once in Depends, Imports, Suggests, Enhances:
      ‘stats’"

If you really meant to do this, you can ignore the note, but I'd suspect
multiple listings are more often an error than intentional, and that's
what NOTEs are for.

There may still be a more serious bug here if one of the limits is
ignored; I haven't checked that.

Duncan Murdoch

Msg not getting posted (or much delayed (was "R check false positive ..")

Martin Maechler
In reply to this post by Dénes Tóth-2
>>>>> Dénes Tóth
>>>>>     on Wed, 21 Apr 2021 12:57:48 +0200 writes:

    > ----
    > Disclaimer: I sent this report first to [hidden email]
    > but it seems it has not been delivered to the list - re-trying to r-devel
    > ----

Also, for R-devel, your msg sat for 3 days in the spam filter
queue, and I as list co-moderator noticed it (among all the real
spam, so quite by coincidence) and released it...

Almost surely the R-package-devel moderators did *not* notice it
in the spam filter queue there...

NB: The spam symptoms were indicated as
  X-Spamc: is spam (7.0/5.0) position : 6, spam decisive
  X-MailCleaner-SpamCheck: spam, Newsl (score=0.0, required=5.0, NONE,
   position : 0, not decisive), NiceBayes (42.47%, position : 2,
   not decisive), Spamc (score=7.0, required=5.0, EthURLb 0.0,
   URIBL_BLOCKED 0.0, EZURL 0.0, MC_SPF_SOFTFAIL 7.0, position : 6,
   spam decisive),

Re: R check false positive - multiple versions of a dependency

Dénes Tóth-2
In reply to this post by Duncan Murdoch-2



On 4/24/21 5:52 PM, Duncan Murdoch wrote:

> I'd say a NOTE is appropriate even if upper and lower limits are
> allowed, but the wording of the current note should be changed, e.g.
> your example should say
>
> "Package listed more than once in Depends, Imports, Suggests, Enhances:
>       ‘stats’"
>
> If you really meant to do this, you can ignore the note, but I'd suspect
> multiple listings are more often an error than intentional, and that's
> what NOTEs are for.

I would say if a package is listed multiple times, but with different
*explicit* version requirements and under the same heading (one and only
one of Depends, Imports, Suggests, Enhances), it is valid and almost
surely intentional. Currently the code which performs the check (and
that I linked to) is not smart enough to distinguish between this
particular use case and simple multiple listings of the same package
dependency (which I agree can be assumed to be an error and not
intentional).

>
> There may still be a more serious bug here if one of the limits is
> ignored; I haven't checked that.

I checked it, and can confirm that *both* limits are considered. This
supports my argument that this is a valid use case, and the NOTE could
be avoided by a smarter check in the relevant part of
.check_package_description2. I also understand this is a low-priority
issue, so I do not expect someone from R-Core wants to spend time on
fixing it. This is why I suggested I could give it a try to do it on my
own if there is any chance that my patch will be accepted.

Regards,
Denes

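
The distinction argued for in the last message (one package repeated under a single heading with different explicit version requirements, versus plain repeats or listings under several headings), sketched in R as an added example. It is not part of the thread or of R's tools package; parse_field(), classify_repeats() and the sample DESCRIPTION fields are constructed for illustration.

```r
# Added example; parse_field() and classify_repeats() are hypothetical
# helpers, not functions from R's tools package.
parse_field <- function(field, value) {
    entries <- trimws(strsplit(value, ",", fixed = TRUE)[[1L]])
    entries <- entries[nzchar(entries)]
    # Package name followed by an optional "(op version)" requirement.
    pat <- "^([[:alnum:].]+)[[:space:]]*(\\(([<>=]+)[[:space:]]*([0-9.-]+)\\))?$"
    m <- regmatches(entries, regexec(pat, entries))
    bad <- lengths(m) == 0L
    if (any(bad)) stop("malformed entry in ", field, ": ", entries[bad][1L])
    data.frame(field = rep(field, length(m)), pkg = vapply(m, `[`, "", 2L),
               op = vapply(m, `[`, "", 4L), version = vapply(m, `[`, "", 5L),
               stringsAsFactors = FALSE)
}

classify_repeats <- function(desc) {
    res <- list(multi_field = character(), plain_duplicate = character(),
                version_range = character())
    fields <- intersect(c("Depends", "Imports", "Suggests", "Enhances"),
                        names(desc))
    deps <- do.call(rbind, unname(Map(parse_field, fields, desc[fields])))
    if (is.null(deps)) return(res)
    deps <- deps[deps$pkg != "R", ]  # repeated 'R' entries pass R CMD check
    for (p in unique(deps$pkg[duplicated(deps$pkg)])) {
        d <- deps[deps$pkg == p, ]
        kind <- if (length(unique(d$field)) > 1L) {
            "multi_field"      # listed under more than one heading
        } else if (any(!nzchar(d$op)) ||
                   anyDuplicated(paste(d$op, d$version)) > 0L) {
            "plain_duplicate"  # repeated without distinct explicit requirements
        } else {
            "version_range"    # one heading, distinct explicit requirements
        }
        res[[kind]] <- c(res[[kind]], p)
    }
    res
}

# Constructed sample DESCRIPTION fields covering the three cases.
con <- textConnection(c("Package: pkgname",
    "Depends: stats (>= 0.0.0), stats (<= 10.0.0)",
    "Imports: utils, utils, MASS",
    "Suggests: MASS"))
desc <- read.dcf(con)[1L, ]
close(con)
str(classify_repeats(desc))
```

Only the first two categories correspond to what the thread agrees is likely a mistake; a check built this way could stay silent for the third.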