[R] Any MD5 digests for source files?

Thomas Lumley tlumley at u.washington.edu
Sat Oct 12 01:59:20 CEST 2002

On 11 Oct 2002, Stuart Luppescu wrote:

> Do MD5 digests exist somewhere for the source packages? If not, is there
> some other way to verify the integrity of the files we've downloaded?

No, there aren't any things like that.  There have been discussions from
time to time about signing packages, but it never got anywhere.

Without some way to certify public keys it would be less helpful than you
might think. If you download from the central CRAN site in Austria then a
package can only be invalid if either the maintainer's computers were
cracked or if they were misled into accepting a fake package.  In neither
case could you trust CRAN for MD5 digests.

You would need packages to be signed by their authors, using public keys
available independently from CRAN or certified by someone you trust to get
a genuine improvement in security. This would be useful (along the lines
that Debian uses), but it hasn't happened yet.


r-help mailing list -- Read http://www.ci.tuwien.ac.at/~hornik/R/R-FAQ.html
Send "info", "help", or "[un]subscribe"
(in the "body", not the subject !)  To: r-help-request at stat.math.ethz.ch

More information about the R-help mailing list