[R-package] Warnings of CRAN Package

[shiyu1994]

I received an email from CRAN this reporting warnings of our CRAN package which are required to be fixed by Dec 12.

Dear maintainer,

Please see the problems shown on
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcran.r-project.org%2Fweb%2Fchecks%2Fcheck_results_lightgbm.html&data=05%7C01%7Cyushi2%40microsoft.com%7C828251b45fc141e8007f08dbf0127212%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638367734286824172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OzCWU2kJl4o77avH%2FJOst6vevoGRNl3Hw4GR6jm4XDE%3D&reserved=0>.

Please correct before 2023-12-12 to safely retain your package on CRAN.

Best,
-k

It seems that both warnings are from lightgbm_R.cpp

checking whether package ‘lightgbm’ can be installed ... WARNING
Found the following significant warnings:
  lightgbm_R.cpp:128:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:160:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:185:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:211:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:228:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:276:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:288:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:298:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:328:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:363:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:382:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:393:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:403:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:414:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:430:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:445:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:459:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:473:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:483:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:493:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:503:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:514:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:525:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:534:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:553:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:561:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:572:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:582:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:592:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:641:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:656:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:668:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:680:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:718:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:737:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:772:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:800:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:813:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:838:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  lightgbm_R.cpp:863:3: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
See the [install log](https://www.r-project.org/nosvn/R.check/r-devel-linux-x86_64-debian-clang/lightgbm-00install.html) for details.

[jameslamb]

Thanks @shiyu1994 . I was worried about that 😭

This is exactly what I was asking about in #6212 (comment), and a fix for it (#6216) is already on master.

11 days is not a lot of time :/

And the current state of master will be rejected by CRAN because of the issues described in #5987.

I really do not want to do another 3.3.x R-only patch release... they're a lot of effort and they confuse users.

Here's my proposal:

• I'll try over the next 3 days to find a fix for [R-package] v4.0.0 CRAN submission issues #5987
• if I can't, I'll put up a PR limiting the number of threads used by the R package to at most 2, everywhere, so we can try to release v4.2.0 to CRAN
  • I assume users would rather have the package on CRAN but slower than not on CRAN at all
  • I do not want to cause all the packages depending on {lightgbm} to need to remove that dependency or face archival
• we try to release v4.2.0 to CRAN

What do you think?

Also could we change the maintainer in R-package/DESCRIPTION to me, so I'll receive these emails from CRAN (and others from this submission) in the future? That would reduce the time between CRAN providing feedback and us working on fixes.

[shiyu1994]

I totally agree with the proposal. I think it is more important to keep the package available even somehow slower.

[jameslamb]

try ... to find a fix

@shiyu1994 I'm happy to say that I think I have a more permanent solution that could resolve the issues CRAN previously rejected the R package for (#5987).

Put up a PR here: #6226.

If we move forward with that approach in the next few days, I can submit try to submit a v4.2.0 of the R package to CRAN.

If reviews take too long or if some significant issue is found, I'll put up another PR limiting the R package to 2 threads everywhere, so we can continue working on this without the time pressure of CRAN archival.

[jameslamb]

The latest release of the R package has passed all checks: #6191 (comment)

So I think this can safely be closed.

Thanks @shiyu1994 for the help!