buffer overflow causes tests to crash

[jhpoelen]

As documented in https://www.r-project.org/nosvn/R.check/r-devel-linux-x86_64-debian-clang/openssl-00check.html on 2023-03-13 and communicated by Prof Brian Ripley .

[...]
checking tests ... [14s/14s] ERROR
  Running ‘engine.R’ [0s/1s]
  Comparing ‘engine.Rout’ to ‘engine.Rout.save’ ...4d3
< Linking to: OpenSSL 3.0.8 7 Feb 2023
  Running ‘testthat.R’ [13s/13s]
Running the tests in ‘tests/testthat.R’ failed.
Complete output:
  > library(testthat)
  > suppressPackageStartupMessages(library(openssl))
  >
  > test_check("openssl")
  *** buffer overflow detected ***: terminated
  Aborted
[...]

see openssl-00check.html.txt

[jeroen]

This bug was already fixed last week in openssl 2.0.6 release, but it takes a few days for CRAN to update the results of the checks for all packages. As you can see, the check log that you link above is still from openssl 2.0.5.

The error has already disappeared on the Fedora checks and will automatically disappear on the Debian checks in one or two days for all packages.

[jhpoelen]

@jeroen Thanks for the update. Planning to revert my earlier changes made via https://github.com/ropensci/rglobi/commit/44323f6438f88712d357437bfaacd337711fa191

[jhpoelen]

Hmm. This does make me realize that a package version management is not as straight forward as you'd hope. Intuitively, selecting a package version would select a specific version of the package and their dependencies. However, practically, this is hard to achieve: an extreme example would be that you'd have to ship an entire operating system along with one package to keep the dependency tree stable over time. With Java, there's some isolation from the underlying OS by the virtual machine, but not a perfect one.

@jeroen aside from going the docker route (even there, docker has to run in something right?), do you know of other approaches to help stabilize specific versions of R packages over time?

[jeroen]

People use renv for this, but it can be quite an exercise do do it properly.