{"id":12016,"date":"2019-03-03T15:22:11","date_gmt":"2019-03-03T20:22:11","guid":{"rendered":"https:\/\/rud.is\/b\/?p=12016"},"modified":"2019-03-04T08:17:46","modified_gmt":"2019-03-04T13:17:46","slug":"cran-mirror-security","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2019\/03\/03\/cran-mirror-security\/","title":{"rendered":"CRAN Mirror “Security”"},"content":{"rendered":"

In the “Changes on CRAN” section of the latest version of the The R Journal (Vol. 10\/2, December 2018) had this short blurb entitled “CRAN mirror security”:<\/p>\n

\n Currently, there are 100 official CRAN mirrors, 68 of which provide both secure downloads via \u2018https\u2019 and use secure mirroring from the CRAN master (via rsync<\/code> through ssh<\/code> tunnels). Since the R 3.4.0 release, chooseCRANmirror()<\/code> offers these mirrors in preference to the others which are not fully secured (yet).\n<\/p><\/blockquote>\n

I would have linked to the R Journal section quoted above but I can’t<\/em> because I’m blocked from accessing all resources at the IP address serving cran.r-project.org<\/code> from my business-class internet connection likely due to me having a personal CRAN mirror (that was following the rules, which I also cannot link to since I can’t get to the site).<\/p>\n

That word — “security” — is one of the<\/em> most misunderstood and misused terms in modern times in many contexts. The context for the use here is cybersecurity and since CRAN (and others in the R community) seem to equate transport-layer uber-obfuscation with actual security\/safety I thought it would be useful for R users in general to get a more complete picture of these so-called “secure” hosts. I also did this since I had to figure out another way to continue to have a CRAN mirror and needed to validate which nodes both supported + allowed mirroring and were at least somewhat trustworthy.<\/p>\n

Unless there is something truly egregious in a given section I’m just going to present data with some commentary (I’m unamused abt being blocked so some commentary has an unusually sharp edge) and refrain from stating “X is ?|?” since the goal is really to help you<\/strong> make the best decision of which mirror to use on your own.<\/p>\n

The full Rproj supporting the snippets in this post (and including the data gathered by the post) can be found in my new R blog projects<\/a>.<\/p>\n

We’re going to need a few supporting packages so let’s get those out of the way:<\/p>\n

library(xml2)\nlibrary(httr)\nlibrary(curl)\nlibrary(stringi)\nlibrary(urltools)\nlibrary(ipinfo) # install.packages(\"ipinfo\", repos = \"https:\/\/cinc.rud.is\/\")\nlibrary(openssl)\nlibrary(furrr)\nlibrary(vershist) # install.packages(\"vershist\", repos = \"https:\/\/cinc.rud.is\/\")\nlibrary(ggalt)\nlibrary(ggbeeswarm)\nlibrary(hrbrthemes)\nlibrary(tidyverse)\n<\/code><\/pre>\n
What Is “Secure”?<\/h3>\n
As noted, CRAN folks seem to think encryption == security since the criteria for making that claim in the R Journal was transport-layer encryption for rsync<\/code> (via ssh<\/code>) mirroring from CRAN to a downstream mirror and a downstream mirror providing an https<\/code> transport for shuffling package binaries and sources from said mirror to your local system(s). I find that equally as adorable as I do the rhetoric from the Let’s Encrypt cabal as this https<\/code> gets you:<\/p>\n