MD5 mismatch logic #120
Description
Note: There is more detail here.
I wanted to ask about the code comparing md5 sums of dlls on disk to those in the MD5 file. That code compares dlls on disk dlls in the /libs/ directory specifically to those in the MD5 file found through a regex.
The this.path package (on CRAN) has a dll stored in a /dlls/ directory also, so sessioninfo reports an md5 mismatch in this case (comparing an object with 2 md5sums to an object with 1 md5sum).
I tried to do some background reading on the intent behind the MD5 file, and learned there is not a lot discussed about it, but that it is at most a basic integrity check between build and install steps and often performed by CRAN (but noted there's no private key signing involved here). I also noticed the Description file changes between RSPM and CRAN for the same version of the same package, and some other files can change also. I also checked the most recent CRAN r-release packages with a script and confirmed /libs/ was used for dlls in each Windows distribution I checked (n = 231 = 1 week worth). That was using a mirror though and this.path was also not updated there - perhaps the mirrors aren't detecting modifications to the same version on CRAN as requiring an update their side.
I think there's at least 3 options here:
- Assume dlls are forbidden to be in non-standard locations and surface an explicit error to this effect
- Use the MD5 file to collect the locations of dlls on disk for calculating their md5sum, or
- Find the dlls on disk explicitely by recursively walking the directory structure and calculating their md5sum
To be honest, I think the MD5 file offers a false sense of security/integrity but perhaps there is a good usecase I'm missing. I'm sure you will have more insight into this than myself.