Greetings and Salutations Simon,

I appreciate the feedback at long last, but I fear that a majority of this is 
scaremongering at this stage. These installers, clang4 and the _unofficial_ 
macos rtools, have operated without incident since their inception almost 
a year ago. Their sources are public and are also signed by my developer 
credentials in a way that is similar to the official R installer package.

You do have one _very_ valid point regarding the woes of an "online-based" 
installer. Meaning, it will attempt to download the appropriate binaries from 
CRAN, the official gfortran site, and Apple. For those wondering, this is where 
the phrase "man-in-the-middle attack" arises as the request could be 
intercepted and re-routed. However, when you view the modern-day ecosystem of 
online installers, this can largely be said for all of them. One way to address 
this is to check a pre-defined sha256 hash against the downloaded file hash, 
which can easily be added to the installer now that this has been raised.

Note: Apple is contacted to install the Xcode Command Line Tools on the user's 
system through a secure software update.

In reference to the root escalation, this is required to install into 
`/usr/local/` and set the appropriate paths within `~/.R/Makevars`, e.g. 
`LDFLAGS`, `CXX`, `CXX11`, ... . Both of these actions are emphasized to the 
user in the welcome splash. The latter action is where I believe you have an 
issue. 

When making the design decision to include path support, the intent was to 
ensure everything just "works" and avoid having users type in long paths. I 
find that macOS users are frequently expected to be knowledgeable about 
Unix-based workflows, but have very little experience within that environment. 
With the rise in data science, I hope that trend will be reversed. 

Sincerely,

JJB

On 5/24/18, 12:56 PM, "Simon Urbanek" <simon.urba...@r-project.org> wrote:

    Just for posterity - please note that the installer referenced below is
    potentially unsafe and dangerous, because it does NOT actually package the
    binary but rather contains just an arbitrary shell script and thus you cannot
    be sure that you get the official binaries or something malicious instead (and
    it is vulnerable to man-in-the-middle attacks). Also it performs various
    actions as root that you may or may not like. Be careful trusting installers
    that are not signed by CRAN members. We only supply the binary and any
    post-install actions only affect the installed binary not other system
    functions nor user directories.
    
    Cheers,
    Simon
    
    
    
    > On May 17, 2018, at 3:15 PM, Balamuta, James Joseph <balam...@illinois.edu> wrote:
    > 
    > Greetings and Salutations Nigel,
    > 
    > I've "augmented" the base R install via an unofficial, e.g. not sanctioned by CRAN, Rtools build. This can be found here:
    > 
    > https://github.com/coatless/r-macos-rtools
    > 
    > Presently, the latest release only supports the R 3.4.* line:
    > 
    > https://github.com/coatless/r-macos-rtools/releases/tag/v1.0.0
    > 
    > I'll likely update it this weekend to provide support for R 3.5.*. In particular, I'll bump the compiler from clang4 to clang6.
    > 
    > Sincerely,
    > 
    > JJB
    > 
    > On 5/17/18, 11:45 AM, "R-SIG-Mac on behalf of Nigel Delaney" <r-sig-mac-boun...@r-project.org on behalf of nigelfdela...@gmail.com> wrote:
    > 
    >    Thanks for the responses so far.
    > 
    >    David - indeed those instructions are up to date, but people are
    >    struggling with the issue and unable to fix that (and keep trying to
    >    install from source).
    > 
    >    Chuck - Thanks also for the suggestion, it's a good idea.  I'm hoping
    >    we might be able to have a one step installation to keep things simple
    >    though.
    > 
    >    Cheers,
    >    Nigel
    > 
    >    On Thu, May 17, 2018 at 9:39 AM, Berry, Charles <ccbe...@ucsd.edu> wrote:
    >> 
    >> 
    >>> On May 16, 2018, at 11:40 AM, Nigel Delaney <nigelfdela...@gmail.com> wrote:
    >>> 
    >>> Hi,
    >>> 
    >>> Mac binaries on R are distributed as .pkg files available from CRAN
    >>> for installation.  Does anyone know if the source script (assuming a
    >>> script is used) that generates this pkg file is available anywhere?
    >>> The pkg seems to contain a few elements like a postflight/postinstall
    >>> script that I could not find in any open source repository and are not
    >>> part of the R binaries.
    >>> 
    >>> We have a few users who are dealing with the fortran compiler issues
    >>> on Mac, and were hoping to just modify the current .pkg to contain a
    >>> few more packages, was hoping to avoid reinventing the wheel on the
    >>> packaging scripts.
    >>> 
    >> 
    >> 
    >> Why not just provide those users with the binaries for those packages?
    >> 
    >> If there are more than a few users and/or more than a few packages that need this treatment, set up your own repository and put the binaries there. See:
    >> 
    >> https://cran.r-project.org/doc/manuals/r-release/R-admin.html#Setting-up-a-package-repository
    >> 
    >> HTH,
    >> 
    >> Chuck
    >> 
    >> 
    >> 
    > 
    >    _______________________________________________
    >    R-SIG-Mac mailing list
    >    R-SIG-Mac@r-project.org
    >    https://stat.ethz.ch/mailman/listinfo/r-sig-mac
    > 
    > 
    
    

_______________________________________________
R-SIG-Mac mailing list
R-SIG-Mac@r-project.org
https://stat.ethz.ch/mailman/listinfo/r-sig-mac
