New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use HTTPS for security #139
Conversation
Codecov Report
@@ Coverage Diff @@
## master #139 +/- ##
===========================================
- Coverage 92.81% 82.46% -10.35%
===========================================
Files 28 28
Lines 1600 1620 +20
===========================================
- Hits 1485 1336 -149
- Misses 115 284 +169
Continue to review full report at Codecov.
|
The problem with this is that some older R builds do not support HTTPS. Typically R 3.1.x, which we still want to support. |
What do you think of a conditional approach, where >= 3.2 uses HTTPS? |
Yes, but we would need to condition on actual HTTPS support. Or libcurl. This is with libcurl support:
Without can be FALSE, or even:
|
Although windows will support HTTPS w/o libcurl, but AFAIR newer windows builds also link to libcurl, so it might be ok to ignore that. |
Cool, made it conditional on libcurl. |
Unfortunately whether a given download method is secure is more complicated than just checking if R is compiled with libcurl support. Even in that case they could not be using libcurl and instead using a download method that is not secure. Devtools has the following to determine if a download method is secure. See the devtools/R/download-method.R. |
I think it is ok if we miss some. In practice most new R builds will default to libcurl, and HTTPS will be probably fine for these. |
We could also copy over that logic from devtools. |
Updated PR based on your feedback @jimhester |
I think this is good. @jimhester ? |
Thanks! |
馃敀