CRAN and the Isoband Incident – Is Your Project at Risk and How to Fix It | R-bloggers

CRAN and the Isoband Incident – Is Your Project at Risk and How to Fix It | R-bloggers

The R community had a recent scare with theisoband package risking archival on CRAN. The reason why this incident made waves is that isoband is a ggplot2 dependency and when a package gets removed from CRAN all other packages that depend on it get removed as well (see CRAN policy). If isoband fell, ggplot2 would be at risk. And this would cascade with the removal of even more packages. 

In total, the removal of isoband would lead to the removal of 4747 packages.

But theisoband issue appears to be resolved by maintainers of the package(see relevantissue) and a newer version is available to download (CRAN’s checksdon’t show any errors).

This isn’t the end of the story. It could happen again, but there is a solution to mitigate risks – RStudio Package Manager.

The main issue is related to the missing std:: in testthat C++ headers code used for Catch unit testing framework (#1687,#1694) – the code which is being copied into isoband (source).

If you’re curious, you can check if a dependency you use depends on isoband with:

Developers often build their solutions upon other packages. We don’t need to reinvent the wheel for most of our functionality. And in doing so, we can speed up the process of software development. 

In the R world, we can download packages from CRAN (Comprehensive R Archive Network), a central software repository full of useful and ready-to-use libraries. This rich environment of packages makes it easy to quickly develop projects with everything from machine learning to statistics and visualizations. 

The isoband incident highlights the risk associated with depending on public infrastructure that you don’t have control of. It boils down to a dependence on packages and an interconnected ecosystem of libraries resulting in mass archiving. 

As it turned out, just one package posed a huge threat to the R ecosystem. 

All libraries that depend (directly or indirectly) on it would theoretically become archived on CRAN (around 4500 packages or ~25% of all CRAN packages) – as they began failing automated checks. 

Among them, one of the most popular packages – ggplot2. Imagine your team not being able to install ggplot2 or being unable to deploy dashboards that require ggplot2 installed.

Being dependent on other packages comes with risks. When package developers received an email indicating the archival of isoband (and the 4747 packages mentioned above) because of unsolved CRAN issues, one of these risks bubbled to the surface. 

FYI you can spot these issues on thearchived check result summary.

There are, however,other riskswhen relying on public infrastructure:

But it’s not all doom and gloom. There are steps you can take and solutions you can implement to ensure your project remains safe.

Fortunately, there is RStudio Package Manager – a product that you can use to take control of your package infrastructure.

RStudio Package Manager allows you to host your own repository with CRAN packages. Therefore if CRAN were to go down, you would always have your own working mirror. This means your team can continue working without worrying about the public infrastructure.

Even with connectivity issues or network restrictions,R clients using the Package Manager do not need internet access, just access to the Package Manager. 

CRAN checks can lead to packages getting removed from CRAN. This might lead to uncomfortable surprises at unexpected moments.RStudio Package Manager allows you to host your own CRAN snapshots– which means you can have a copy of CRAN from a specific date.

If a package gets removed tomorrow, you can use a CRAN snapshot from a time when that package was still available.

The freeze mechanism would enable you to mitigate the effects of something like the isoband incident. You can still download archived packages on CRAN from your centralized solution (RSPM).

There were instances in the past where a malicious user took over an open-source dependency and published a new version containing malicious code. You might also have compliance constraints that restrict packages with specific licenses. In the end, you don’t have control over a situation where a package maintainer might decide to change their package’s license from MIT to AGPL.

Using public infrastructure that hosts open-source packages comes with risks. The package repository might go down. Malicious updates to packages may occur. Or packages become altogether removed. 

However, all of those are manageable with the right tooling. That’s why we recommendRStudio Package Manager. Take advantage of all the benefits thatopen sourceprovideswithout sacrificing reliability, security, and compliance. 

And in case you missed it above,yes the isoband issue seems to be resolvedby the maintainers (see relevantissue) and a newer version is available to download. They responded quickly and saved a lot of potential trouble and headache for the community.

As open source contributors ourselves, we know the R community wouldn’t be where it is without the “random person in Nebraska”, but it’s a big world with lots of room for mistakes. Don’t rely on the actions of a few for the security of your projects. Use the tools available to you from RStudio and secure your project(s) today.

If you’re not sure where to begin, reach out to us.

Appsilon is an RStudio Certified Partner. We can help with end-to-end service, from installation and configuration to training, support, and maintenance of the RStudio (Posit) Team Suite. We can help you implement best practices and open-source solutions for RStudio (Posit) products, and make it all work in your unique business case.

This article was co-written by Appsilon R Shiny Developer Ryszard Szymański and Infrastructure Engineer Arkadiusz Kalandyk.

The post CRAN and the Isoband Incident – Is Your Project at Risk and How to Fix It appeared first on Appsilon | Enterprise R Shiny Dashboards.

Images Powered by Shutterstock