Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use HTTPS for security #139

Merged
merged 2 commits into from Aug 24, 2018
Merged

Use HTTPS for security #139

merged 2 commits into from Aug 24, 2018

Conversation

@ankane
Copy link
Contributor

@ankane ankane commented Aug 18, 2018

馃敀

@codecov-io
Copy link

@codecov-io codecov-io commented Aug 18, 2018

Codecov Report

Merging #139 into master will decrease coverage by 10.34%.
The diff coverage is 50%.

Impacted file tree graph

@@             Coverage Diff             @@
##           master     #139       +/-   ##
===========================================
- Coverage   92.81%   82.46%   -10.35%     
===========================================
  Files          28       28               
  Lines        1600     1620       +20     
===========================================
- Hits         1485     1336      -149     
- Misses        115      284      +169
Impacted Files Coverage 螖
R/utils.R 86.01% <100%> (+0.19%) 猬嗭笍
R/deps.R 81.63% <100%> (-11.23%) 猬囷笍
R/install-bioc.R 91.26% <100%> (酶) 猬嗭笍
R/download.R 74% <38.88%> (-19.75%) 猬囷笍
R/install-git.R 20.73% <0%> (-71.96%) 猬囷笍
R/github.R 27.58% <0%> (-62.07%) 猬囷笍
R/install-github.R 64.82% <0%> (-24.14%) 猬囷笍
R/install-remote.R 74.19% <0%> (-19.36%) 猬囷笍

Continue to review full report at Codecov.

Legend - Click here to learn more
螖 = absolute <relative> (impact), 酶 = not affected, ? = missing data
Powered by Codecov. Last update d518ca1...ecbc022. Read the comment docs.

Loading

@gaborcsardi
Copy link
Contributor

@gaborcsardi gaborcsardi commented Aug 18, 2018

The problem with this is that some older R builds do not support HTTPS. Typically R 3.1.x, which we still want to support.

Loading

@ankane
Copy link
Contributor Author

@ankane ankane commented Aug 18, 2018

What do you think of a conditional approach, where >= 3.2 uses HTTPS?

Loading

@gaborcsardi
Copy link
Contributor

@gaborcsardi gaborcsardi commented Aug 18, 2018

Yes, but we would need to condition on actual HTTPS support. Or libcurl. This is with libcurl support:

> capabilities("libcurl")
libcurl
   TRUE

Without can be FALSE, or even:

> capabilities("libcurl")
named logical(0)

Loading

@gaborcsardi
Copy link
Contributor

@gaborcsardi gaborcsardi commented Aug 18, 2018

Although windows will support HTTPS w/o libcurl, but AFAIR newer windows builds also link to libcurl, so it might be ok to ignore that.

Loading

@ankane
Copy link
Contributor Author

@ankane ankane commented Aug 18, 2018

Cool, made it conditional on libcurl.

Loading

@jimhester
Copy link
Member

@jimhester jimhester commented Aug 20, 2018

Unfortunately whether a given download method is secure is more complicated than just checking if R is compiled with libcurl support. Even in that case they could not be using libcurl and instead using a download method that is not secure. Devtools has the following to determine if a download method is secure.

See the devtools/R/download-method.R.

Loading

@gaborcsardi
Copy link
Contributor

@gaborcsardi gaborcsardi commented Aug 20, 2018

I think it is ok if we miss some. In practice most new R builds will default to libcurl, and HTTPS will be probably fine for these.

Loading

@gaborcsardi
Copy link
Contributor

@gaborcsardi gaborcsardi commented Aug 20, 2018

We could also copy over that logic from devtools.

Loading

@ankane
Copy link
Contributor Author

@ankane ankane commented Aug 23, 2018

Updated PR based on your feedback @jimhester

Loading

@gaborcsardi
Copy link
Contributor

@gaborcsardi gaborcsardi commented Aug 24, 2018

I think this is good. @jimhester ?

Loading

@jimhester jimhester merged commit 783e829 into r-lib:master Aug 24, 2018
2 of 4 checks passed
Loading
@jimhester
Copy link
Member

@jimhester jimhester commented Aug 24, 2018

Thanks!

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants