CRAN and the Isoband Incident – Is Your Project at Risk and How to Fix It
The R community had a recent scare with the isoband package risking archival on CRAN. The reason why this incident made waves is that isoband is a ggplot2 dependency and when a package gets removed from CRAN all other packages that depend on it get removed as well (see CRAN policy). If isoband fell, ggplot2 would be at risk. And this would cascade with the removal of even more packages.
In total, the removal of isoband would lead to the removal of 4747 packages.
But the isoband issue appears to be resolved by maintainers of the package (see relevant issue) and a newer version is available to download (CRAN’s checks don’t show any errors).
This isn’t the end of the story. It could happen again, but there is a solution to mitigate risks – RStudio Package Manager.
Table of Contents:
- Why was isoband set to be archived?
- R packages and their dependencies
- How RStudio Package Manager helps mitigate risk
Why was isoband set to be archived?
The main issue is related to the missing
std:: in testthat C++ headers code used for Catch unit testing framework (#1687, #1694) – the code which is being copied into isoband (source).
If you’re curious, you can check if a dependency you use depends on isoband with:
R packages and their dependencies
Developers often build their solutions upon other packages. We don’t need to reinvent the wheel for most of our functionality. And in doing so, we can speed up the process of software development.
Is your Shiny app slow? Learn how to leverage your front end, extract computations, and use databases.
In the R world, we can download packages from CRAN (Comprehensive R Archive Network), a central software repository full of useful and ready-to-use libraries. This rich environment of packages makes it easy to quickly develop projects with everything from machine learning to statistics and visualizations.
Why is the Isoband Incident important for R developers?
The isoband incident highlights the risk associated with depending on public infrastructure that you don’t have control of. It boils down to a dependence on packages and an interconnected ecosystem of libraries resulting in mass archiving.
As it turned out, just one package posed a huge threat to the R ecosystem.
Concerned with security? Set up RStudio Connect authentication and protect your Shiny applications.
All libraries that depend (directly or indirectly) on it would theoretically become archived on CRAN (around 4500 packages or ~25% of all CRAN packages) – as they began failing automated checks.
Among them, one of the most popular packages – ggplot2. Imagine your team not being able to install ggplot2 or being unable to deploy dashboards that require ggplot2 installed.
The risks of public infrastructure
Being dependent on other packages comes with risks. When package developers received an email indicating the archival of isoband (and the 4747 packages mentioned above) because of unsolved CRAN issues, one of these risks bubbled to the surface.
FYI you can spot these issues on the archived check result summary.
There are, however, other risks when relying on public infrastructure:
- What would happen if CRAN was down and you weren’t able to download packages?
- What if CRAN decides to delete a package that your existing code relies on?
- What if someone publishes a new malicious version of a package that you might accidentally download? (A situation like this happened in the ruby community)
But it’s not all doom and gloom. There are steps you can take and solutions you can implement to ensure your project remains safe.
How RStudio Package Manager helps mitigate risks of public infrastructure
Fortunately, there is RStudio Package Manager – a product that you can use to take control of your package infrastructure.
Feel confident even when CRAN is down
RStudio Package Manager allows you to host your own repository with CRAN packages. Therefore if CRAN were to go down, you would always have your own working mirror. This means your team can continue working without worrying about the public infrastructure.
Even with connectivity issues or network restrictions, R clients using the Package Manager do not need internet access, just access to the Package Manager.
Stop relying on policies that are outside of your control
CRAN checks can lead to packages getting removed from CRAN. This might lead to uncomfortable surprises at unexpected moments. RStudio Package Manager allows you to host your own CRAN snapshots – which means you can have a copy of CRAN from a specific date.
If a package gets removed tomorrow, you can use a CRAN snapshot from a time when that package was still available.
The freeze mechanism would enable you to mitigate the effects of something like the isoband incident. You can still download archived packages on CRAN from your centralized solution (RSPM).
Stay secure and compliant by using curated CRAN sources
There were instances in the past where a malicious user took over an open-source dependency and published a new version containing malicious code. You might also have compliance constraints that restrict packages with specific licenses. In the end, you don’t have control over a situation where a package maintainer might decide to change their package’s license from MIT to AGPL.
Moving to the cloud? Learn how to deploy RStudio Workbench to AWS using Terraform.
RStudio Package Manager allows you to host curated CRAN sources where administrators can create and update approved subsets of CRAN packages. That way you can make sure that only secured and legally compliant packages are available to your team.
Summing up the Isoband Incident, risks with CRAN, and RSPM
Using public infrastructure that hosts open-source packages comes with risks. The package repository might go down. Malicious updates to packages may occur. Or packages become altogether removed.
However, all of those are manageable with the right tooling. That’s why we recommend RStudio Package Manager. Take advantage of all the benefits that open source provides without sacrificing reliability, security, and compliance.
Not sure if RStudio Connect is for you? See why remote Data Science Teams should be using Connect.
And in case you missed it above, yes the isoband issue seems to be resolved by the maintainers (see relevant issue) and a newer version is available to download. They responded quickly and saved a lot of potential trouble and headache for the community.
As open source contributors ourselves, we know the R community wouldn’t be where it is without the “random person in Nebraska”, but it’s a big world with lots of room for mistakes. Don’t rely on the actions of a few for the security of your projects. Use the tools available to you from RStudio and secure your project(s) today.
If you’re not sure where to begin, reach out to us.
Appsilon is an RStudio Certified Partner. We can help with end-to-end service, from installation and configuration to training, support, and maintenance of the RStudio (Posit) Team Suite. We can help you implement best practices and open-source solutions for RStudio (Posit) products, and make it all work in your unique business case.
This article was co-written by Appsilon R Shiny Developer Ryszard Szymański and Infrastructure Engineer Arkadiusz Kalandyk.