Use HTTPS for security #139

Merged
merged 2 commits into from Aug 24, 2018
ankane
Contributor

@ankane ankane commented Aug 18, 2018

🔒

@codecov-io

codecov-io commented Aug 18, 2018

Codecov Report

Merging #139 into master will decrease coverage by 10.34%.
The diff coverage is 50%.

@@             Coverage Diff             @@
##           master     #139       +/-   ##
===========================================
- Coverage   92.81%   82.46%   -10.35%     
===========================================
  Files          28       28               
  Lines        1600     1620       +20     
===========================================
- Hits         1485     1336      -149     
- Misses        115      284      +169

| Impacted Files | Coverage Δ |
|---|---|
| R/utils.R | 86.01% <100%> (+0.19%) ⬆️ |
| R/deps.R | 81.63% <100%> (-11.23%) ⬇️ |
| R/install-bioc.R | 91.26% <100%> (ø) ⬆️ |
| R/download.R | 74% <38.88%> (-19.75%) ⬇️ |
| R/install-git.R | 20.73% <0%> (-71.96%) ⬇️ |
| R/github.R | 27.58% <0%> (-62.07%) ⬇️ |
| R/install-github.R | 64.82% <0%> (-24.14%) ⬇️ |
| R/install-remote.R | 74.19% <0%> (-19.36%) ⬇️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update d518ca1...ecbc022.

@gaborcsardi
Member

The problem with this is that some older R builds do not support HTTPS. Typically R 3.1.x, which we still want to support.

@ankane
Contributor Author

ankane commented Aug 18, 2018

What do you think of a conditional approach, where >= 3.2 uses HTTPS?

@gaborcsardi
Member

gaborcsardi commented Aug 18, 2018

Yes, but we would need to condition on actual HTTPS support. Or libcurl. This is with libcurl support:

> capabilities("libcurl")
libcurl
   TRUE

Without can be FALSE, or even:

> capabilities("libcurl")
named logical(0)

@gaborcsardi
Member

Although Windows will support HTTPS w/o libcurl, but AFAIR newer Windows builds also link to libcurl, so it might be ok to ignore that.

@ankane
Contributor Author

ankane commented Aug 18, 2018

Cool, made it conditional on libcurl.

@jimhester
Member

jimhester commented Aug 20, 2018

Unfortunately whether a given download method is secure is more complicated than just checking if R is compiled with libcurl support. Even in that case they could not be using libcurl and instead using a download method that is not secure. Devtools has the following to determine if a download method is secure.

See the devtools/R/download-method.R.
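
Added example, not part of the PR thread and not code from remotes or devtools: a conditional scheme choice that handles the three `capabilities("libcurl")` outputs quoted above and also looks at the configured download method, as the comment above asks. The function names, and the treatment of the `"auto"` method as libcurl when the build has it, are assumptions.

```r
# Added illustration; has_libcurl() and repo_scheme() are hypothetical names,
# not functions from remotes or devtools.

# capabilities("libcurl") returns a *named* logical. On builds that do not know
# the capability it is named logical(0), and before R 3.5.0 isTRUE() was FALSE
# for any named vector, so test length and value explicitly.
has_libcurl <- function(caps = capabilities("libcurl")) {
  length(caps) == 1L && !is.na(caps) && unname(caps)
}

# Assumption: method "auto" (or unset) resolves to libcurl when the build has
# it. Every other method keeps plain http here, which is a simplification:
# some of them can also do HTTPS.
repo_scheme <- function(method = getOption("download.file.method"),
                        caps = capabilities("libcurl")) {
  if (is.null(method)) method <- "auto"
  if (method %in% c("auto", "libcurl") && has_libcurl(caps)) "https" else "http"
}

# Constructed inputs covering the three outputs quoted in the thread.
cases <- list(
  with_libcurl    = c(libcurl = TRUE),
  without_libcurl = c(libcurl = FALSE),
  unknown_to_r    = stats::setNames(logical(0), character(0))
)
for (nm in names(cases)) {
  caps <- cases[[nm]]
  cat(sprintf("%-16s auto=%-5s internal=%s\n", nm,
              repo_scheme("auto", caps), repo_scheme("internal", caps)))
}
```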

@gaborcsardi
Member

I think it is ok if we miss some. In practice most new R builds will default to libcurl, and HTTPS will probably be fine for these.

@gaborcsardi
Member

We could also copy over that logic from devtools.

@ankane
Contributor Author

ankane commented Aug 23, 2018

Updated PR based on your feedback @jimhester

@gaborcsardi
Member

I think this is good. @jimhester ?

@jimhester jimhester merged commit 783e829 into r-lib:master Aug 24, 2018
@jimhester
Member

Thanks!
