Use HTTPS for all URLs in R package #7863
Comments
Erin LeDell commented: Hi [~accountid:5e7a344b47dc780c3c6cc79f] thanks for the report! We were notified by CRAN that we were in violation about two weeks ago, so this is going to be fixed on the next release of H2O (getting released next week, so you should have the fix very soon!). I have a separate ticket for this here: https://0xdata.atlassian.net/browse/PUBDEV-7779 It’s been merged already, so the fix is already available in the nightly releases (you can download the patched R package here: http://h2o-release.s3.amazonaws.com/h2o/master/latest.html if you want to give it a try). Did you see any other non-HTTPS violations, or was it just the h2o.jar download line that you referenced in the description?
Bernardo Lares commented: Thanks Erin, so glad this will be solved soon!
I’m attaching a screenshot of the regex search that helped me find them. [Attachment: Captura de Pantalla 2020-09-22 a la(s) 8.48.24 p. m..png]
Erin LeDell commented: Hi [~accountid:5e7a344b47dc780c3c6cc79f] the CRAN policy only relates to software/data that’s installed on install/startup, so I don’t think the examples using data using http are not in violation, but it would be a good thing to fix anyway, so we can use this ticket to fix those! Thanks.
Erin LeDell commented: Hi [~accountid:5d1185d4f46aa30c271c7cc6] I just assigned this to you (it does not need to go into the 3.32 release, but if you have time you can put it in). We need to use https in most places where we use http in URLs in the R code/docs. If a URL was duplicated in a file, I just added it to the list below once (there are a lot in frame.R examples). Here’s a list of the URLs that need to be updated from http to https (I removed some http lines that are used in h2o.init()). The R files where they appear are to the left of the file:
communication.R:#' f <- "http://h2o-public-test-data.s3.amazonaws.com/smalldata/iris/iris_wheader.csv"
Erin LeDell commented: [~accountid:5e7a344b47dc780c3c6cc79f] Fixed.
Erin LeDell commented: [~accountid:5e7a344b47dc780c3c6cc79f] Unfortunately, h2o was pulled from CRAN today because of this issue. These fixes were scheduled to go in our new 3.32.0.1 release (which was scheduled for tomorrow). We had been emailing with CRAN about it and they knew that we were going to fix it in our next release. Unfortunately it was removed anyway. Instead, we are doing a 3.30.1.3 release tomorrow (Monday Sept 28) and the 3.32 release will be delayed until later this week. Just an FYI.
Bernardo Lares commented: Thanks for the follow up and quick response Erin. Looking forward to having the package back into CRAN very soon! 🙏🏼
Erin LeDell commented: [~accountid:5e7a344b47dc780c3c6cc79f] we are back on CRAN.
Bernardo Lares commented: Thanks Erin. Great news indeed! Noticed it a couple of days back. Congratulations and happy we have h2o back on track. Cheers.
Hi! There's a CRAN Policy (https://cran.r-project.org/web/packages/policies.html) that states:

"Downloads of additional software or data as part of package installation or startup should only use secure download mechanisms (e.g., ‘https’ or ‘ftps’)."

and h2o seems to be in violation of said policy in several functions. For example, when we install the library within R sessions, this function is called using "http" urls to download additional files: https://github.com/cran/h2o/blob/15f015a62befd8ca7fd0fe7f151d3fcefe3ad0e5/R/connection.R#L789

As I work with extremely security-sensible people, they are not allowing me to install the library as long as this policy is not on track. I've used and promoted h2o (for R) since about 3 years ago with my lares library, and find it absolutely amazing; top of the market. It would be a waste to have to pivot to another similar library for this single reason.

Hope you can fix this soon and many thanks!
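
A sketch of the kind of regex audit discussed in this thread, added here as an example (not code from the h2o project or from either commenter): it finds plain-http URLs in R source and separates hits in executable code, where an install or startup download would live, from hits in roxygen examples and ordinary comments. The `example.invalid` lines, the function names and the loopback exclusion are constructed assumptions.

```python
import re

HTTP_URL = re.compile(r"""http://[^\s"'<>)\]]+""")  # plain http only; https:// never matches
LOCAL_HOSTS = {"localhost", "127.0.0.1"}            # assumption: loopback URLs are out of scope

def comment_start(line):
    """Index of the first '#' outside an R string literal, or len(line) if none."""
    quote, i = None, 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == "\\":
                i += 1                    # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'`":
            quote = c
        elif c == "#":
            return i
        i += 1
    return len(line)

def audit_r_source(filename, text):
    """Return (filename, line_no, kind, url) for each plain-http URL.
    kind: 'code' (executable), 'doc' (roxygen #' text), 'comment' (other # text)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        cut = comment_start(line)
        in_comment = "doc" if line[cut:].startswith("#'") else "comment"
        for m in HTTP_URL.finditer(line):
            host = m.group(0)[len("http://"):].split("/", 1)[0].split(":", 1)[0]
            if host.lower() in LOCAL_HOSTS:
                continue
            kind = "code" if m.start() < cut else in_comment
            findings.append((filename, no, kind, m.group(0)))
    return findings

# Constructed sample; only the first URL is taken from the thread.
SAMPLE = '''\
#' f <- "http://h2o-public-test-data.s3.amazonaws.com/smalldata/iris/iris_wheader.csv"
jar_url <- "http://downloads.example.invalid/h2o.jar"  # mirror: http://mirror.example.invalid/
page <- "http://docs.example.invalid/guide#install"
conn <- "http://localhost:54321"
ok <- "https://downloads.example.invalid/h2o.jar"
'''

if __name__ == "__main__":
    for f, no, kind, url in audit_r_source("sample.R", SAMPLE):
        print(f"{f}:{no}: [{kind}] {url}")
```

Hits of kind `code` are the ones to check first against the policy quoted above; `doc` and `comment` hits are the cleanup the thread also asks for.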