Use HTTPS for security #139

Merged
merged 2 commits into from Aug 24, 2018

@ankane
Contributor

commented Aug 18, 2018

🔒

@codecov-io


commented Aug 18, 2018

Codecov Report

Merging #139 into master will decrease coverage by 10.34%.
The diff coverage is 50%.


@@             Coverage Diff             @@
##           master     #139       +/-   ##
===========================================
- Coverage   92.81%   82.46%   -10.35%     
===========================================
  Files          28       28               
  Lines        1600     1620       +20     
===========================================
- Hits         1485     1336      -149     
- Misses        115      284      +169

| Impacted Files | Coverage Δ | |
|---|---|---|
| R/utils.R | 86.01% <100%> (+0.19%) | ⬆️ |
| R/deps.R | 81.63% <100%> (-11.23%) | ⬇️ |
| R/install-bioc.R | 91.26% <100%> (ø) | ⬆️ |
| R/download.R | 74% <38.88%> (-19.75%) | ⬇️ |
| R/install-git.R | 20.73% <0%> (-71.96%) | ⬇️ |
| R/github.R | 27.58% <0%> (-62.07%) | ⬇️ |
| R/install-github.R | 64.82% <0%> (-24.14%) | ⬇️ |
| R/install-remote.R | 74.19% <0%> (-19.36%) | ⬇️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update d518ca1...ecbc022.

@gaborcsardi

Member

commented Aug 18, 2018

The problem with this is that some older R builds do not support HTTPS. Typically R 3.1.x, which we still want to support.

@ankane

Contributor Author

commented Aug 18, 2018

What do you think of a conditional approach, where >= 3.2 uses HTTPS?

@gaborcsardi

Member

commented Aug 18, 2018

Yes, but we would need to condition on actual HTTPS support. Or libcurl. This is with libcurl support:

```r
> capabilities("libcurl")
libcurl
   TRUE
```

Without can be FALSE, or even:

```r
> capabilities("libcurl")
named logical(0)
```

@gaborcsardi

Member

commented Aug 18, 2018

Although Windows will support HTTPS w/o libcurl, AFAIR newer Windows builds also link to libcurl, so it might be ok to ignore that.

@ankane

Contributor Author

commented Aug 18, 2018

Cool, made it conditional on libcurl.

@jimhester

Member

commented Aug 20, 2018

Unfortunately whether a given download method is secure is more complicated than just checking if R is compiled with libcurl support. Even in that case they could not be using libcurl and instead using a download method that is not secure. Devtools has the following to determine if a download method is secure.

See the devtools/R/download-method.R.
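
A check along the lines discussed in this thread, as an added example: it is not the code in devtools/R/download-method.R and not the code merged in this PR. `https_capable` and `url_scheme` are hypothetical names, and the per-method rules are assumptions labelled in the comments.

```r
# Hypothetical helper, not part of remotes or devtools.
# Decide whether the configured download method can fetch https:// URLs.
https_capable <- function(method = getOption("download.file.method"),
                          extra = getOption("download.file.extra"),
                          libcurl = capabilities("libcurl"),
                          windows = .Platform$OS.type == "windows") {
  # capabilities("libcurl") may be a named TRUE/FALSE or, on old builds,
  # a zero-length vector, so test the length before reading the value.
  has_libcurl <- length(libcurl) == 1L && isTRUE(libcurl[[1L]])
  if (is.null(method)) method <- "auto"
  extra <- paste(c(extra, ""), collapse = " ")

  switch(method,
    libcurl = has_libcurl,
    wininet = windows,
    # Assumption: the external curl/wget binaries are built with TLS.
    # They still count as insecure if certificate checks are switched off.
    curl = !grepl("(^|[[:space:]])(-k|--insecure)([[:space:]]|$)", extra),
    wget = !grepl("--no-check-certificate", extra, fixed = TRUE),
    # Assumption: "auto" is treated as HTTPS-capable only with libcurl,
    # the condition proposed earlier in the thread.
    auto = has_libcurl,
    # "internal" and anything unrecognised: fall back to plain HTTP.
    FALSE
  )
}

url_scheme <- function(...) if (https_capable(...)) "https://" else "http://"

# Constructed inputs covering the cases raised in the thread.
stopifnot(
  https_capable("libcurl", NULL, c(libcurl = TRUE), FALSE),
  !https_capable("libcurl", NULL, logical(0), FALSE),
  !https_capable(NULL, NULL, c(libcurl = FALSE), FALSE),
  !https_capable("internal", NULL, c(libcurl = TRUE), FALSE),
  !https_capable("curl", "-k -L", c(libcurl = TRUE), FALSE),
  https_capable("wget", "--quiet", c(libcurl = TRUE), FALSE),
  url_scheme("wininet", NULL, logical(0), TRUE) == "https://"
)
```

The fourth case is the one raised above: libcurl is compiled in, but the session is configured to use a different method, so the capability flag alone gives the wrong answer.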

@gaborcsardi

Member

commented Aug 20, 2018

I think it is ok if we miss some. In practice most new R builds will default to libcurl, and HTTPS will be probably fine for these.

@gaborcsardi

Member

commented Aug 20, 2018

We could also copy over that logic from devtools.

@ankane

Contributor Author

commented Aug 23, 2018

Updated PR based on your feedback @jimhester

@gaborcsardi

Member

commented Aug 24, 2018

I think this is good. @jimhester ?

@jimhester jimhester merged commit 783e829 into r-lib:master Aug 24, 2018

2 of 4 checks passed

codecov/patch 50% of diff hit (target 92.81%)
codecov/project 82.46% (-10.35%) compared to d518ca1
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed

@jimhester

Member

commented Aug 24, 2018

Thanks!
