> On 15 Oct 2015, at 08:11, Philip Gillißen <gue...@freenet.de> wrote:
>
> Dear list,
>
> I'm using R in a corporate environment and was interested how R checks
> integrity of packages during an installation.
> I saw (and verified my suspicion in the code[1]) that the verification purely
> relies on MD5.
> From an IT security perspective, this can be improved.

Maybe, but 'IT security' was not the point. MD5 sums were added first as a way to check for corrupted downloads/unpacking (which used to be common on Windows), and second to reinforce the version number of a package as sometimes the source package is altered without changing the version, and less rarely binary packages are re-built.

> My question is: Is it possible to force R to verify integrity via SHA256 or
> even OpenPGP signatures?
> If not, are there any plans to support better hashes than MD5?
> As the source code looks, an extension to support other (optional) hash
> values would be quite easy.
>
> Thanks in advance!
>
> Kind regards,
> Philip
>
> [1] see from line 594 on in src/library/tools/R/install.R in R-latest.tar.gz

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
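
As an added illustration (not part of the original thread and not R's own code), the Python sketch below contrasts a checksum manifest shipped inside a package, which catches corrupted downloads, with a SHA-256 recorded outside the package, which also catches a same-version tarball whose content was altered. The `demo` package, its files, the function names and the `<md5> *<path>` manifest line format are assumptions constructed for the example.

```python
import hashlib, hmac, io, tarfile

def build_pkg(files, manifest_of=None):
    """Constructed sample: gzip'd tarball 'demo/...' carrying its own MD5 manifest."""
    listed = files if manifest_of is None else manifest_of
    manifest = "".join(f"{hashlib.md5(d).hexdigest()} *{n}\n"
                       for n, d in sorted(listed.items()))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in {**files, "MD5": manifest.encode()}.items():
            info = tarfile.TarInfo("demo/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def manifest_ok(tarball):
    """Check each file against the MD5 manifest found inside the same tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        data = {m.name.split("/", 1)[1]: tar.extractfile(m).read()
                for m in tar if m.isfile()}
    for line in data.pop("MD5").decode().splitlines():
        digest, name = line.split(" *", 1)
        if name not in data or hashlib.md5(data[name]).hexdigest() != digest:
            return False
    return True

def pinned_ok(tarball, pinned_sha256):
    """Compare the whole tarball with a SHA-256 recorded outside the package."""
    actual = hashlib.sha256(tarball).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)

def demo():
    v1 = {"DESCRIPTION": b"Package: demo\nVersion: 1.0\n",
          "R/f.R": b"f <- function() 1\n"}
    altered = {**v1, "R/f.R": b"f <- function() 2\n"}  # same version, new content
    released = build_pkg(v1)
    pin = hashlib.sha256(released).hexdigest()  # recorded when v1 was reviewed
    samples = {
        "released": released,
        "corrupted": build_pkg(altered, manifest_of=v1),  # manifest is stale
        "rebuilt": build_pkg(altered),  # manifest regenerated with content
    }
    return {k: (manifest_ok(t), pinned_ok(t, pin)) for k, t in samples.items()}

if __name__ == "__main__":
    for name, (manifest, pinned) in demo().items():
        print(f"{name:10} manifest_ok={manifest} pinned_ok={pinned}")
```

The `rebuilt` case passes the in-package manifest but fails the pinned hash, which is the gap between a corruption check and an integrity check that the thread discusses.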