r-lib / pak

A fresh approach to package installation
https://pak.r-lib.org

pak allows R_LIBCURL_SSL_REVOKE_BEST_EFFORT set to FALSE #605

Closed tghoward closed 3 months ago

tghoward commented 3 months ago

With an update to R at 4.2.1, curl started detecting MITM issues on enterprise networks. This is described here:

https://bugs.r-project.org/show_bug.cgi?id=18379

and the fix is to set the environment variable R_LIBCURL_SSL_REVOKE_BEST_EFFORT = "TRUE"

pak doesn't seem to need this environment variable setting. Can you explain why? Is it related to the proxy settings? (https://github.com/r-lib/pak/issues/143)

Thanks, Tim

tghoward commented 3 months ago

Here's an example of the behavior I'm describing. (default install.packages only works with REVOKE_BEST_EFFORT set to TRUE, but pak will happily do the install with it set to FALSE).

> Sys.setenv("R_LIBCURL_SSL_REVOKE_BEST_EFFORT" = "FALSE")
> Sys.getenv("R_LIBCURL_SSL_REVOKE_BEST_EFFORT")
[1] "FALSE"

> pak::pkg_install("fortunes")

→ Will install 1 package.
→ Will download 1 CRAN package (210.45 kB).
+ fortunes   1.5-4 [dl] (210.45 kB)
ℹ Getting 1 pkg (210.45 kB)
✔ Got fortunes 1.5-4 (i386+x86_64-w64-mingw32) (210.45 kB)               
✔ Downloaded 1 package (210.45 kB) in 1.4s                               
✔ Installed fortunes 1.5-4  (126ms)                               
✔ 1 pkg: added 1, dld 1 (210.45 kB) [2.1s]                        
> Sys.getenv("R_LIBCURL_SSL_REVOKE_BEST_EFFORT")
[1] "FALSE"

> remove.packages("fortunes")
Removing package from ‘F:/softwareInstalls/R_packages’
(as ‘lib’ is unspecified)
> install.packages("fortunes")
WARNING: Rtools is required to build R packages but is not currently installed. Please download and install the appropriate version of Rtools before proceeding:

https://cran.rstudio.com/bin/windows/Rtools/
Installing package into ‘F:/softwareInstalls/R_packages’
(as ‘lib’ is unspecified)
trying URL 'https://cran.rstudio.com/bin/windows/contrib/4.3/fortunes_1.5-4.zip'
Warning in install.packages :
  URL 'https://cran.rstudio.com/bin/windows/contrib/4.3/fortunes_1.5-4.zip': status was 'SSL connect error'
Error in download.file(url, destfile, method, mode = "wb", ...) : 
  cannot open URL 'https://cran.rstudio.com/bin/windows/contrib/4.3/fortunes_1.5-4.zip'
Warning in install.packages :
  download of package ‘fortunes’ failed

> Sys.setenv("R_LIBCURL_SSL_REVOKE_BEST_EFFORT" = "TRUE")
> Sys.getenv("R_LIBCURL_SSL_REVOKE_BEST_EFFORT")
[1] "TRUE"
> install.packages("fortunes")
WARNING: Rtools is required to build R packages but is not currently installed. Please download and install the appropriate version of Rtools before proceeding:

https://cran.rstudio.com/bin/windows/Rtools/
Installing package into ‘F:/softwareInstalls/R_packages’
(as ‘lib’ is unspecified)
trying URL 'https://cran.rstudio.com/bin/windows/contrib/4.3/fortunes_1.5-4.zip'
Content type 'application/zip' length 210446 bytes (205 KB)
downloaded 205 KB

package ‘fortunes’ successfully unpacked and MD5 sums checked

> sessionInfo()
R version 4.3.1 (2023-06-16 ucrt)
Platform: x86_64-w64-mingw32/x64 (64-bit)
Running under: Windows 10 x64 (build 19045)

Matrix products: default

locale:
[1] LC_COLLATE=English_United States.utf8  LC_CTYPE=English_United States.utf8   
[3] LC_MONETARY=English_United States.utf8 LC_NUMERIC=C                          
[5] LC_TIME=English_United States.utf8    

time zone: America/New_York
tzcode source: internal

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

loaded via a namespace (and not attached):
[1] compiler_4.3.1    tools_4.3.1       rstudioapi_0.15.0 pak_0.7.2        
>
 
gaborcsardi commented 3 months ago

I don't know. pak does not use that environment variable. That is for R, not for libcurl.

tghoward commented 3 months ago

Yes, it's an R variable, but I think it's telling libcurl to use "CURLSSLOPT_REVOKE_BEST_EFFORT" as described here: https://curl.se/libcurl/c/CURLOPT_PROXY_SSL_OPTIONS.html

What SSL options does pak use in libcurl?
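
Added example, not part of the thread and not pak's or R's own code: the libcurl flag named in the comment above, set explicitly on a handle of the R curl package, with the policy read from the same environment variable. The helper names and the TRUE/FALSE parsing are assumptions; the bit values are the `CURLSSLOPT_*` constants from libcurl's `curl.h`, and the two revocation flags only have an effect with the Schannel backend.

```r
# Added example. Assumes the 'curl' package is installed.
# Bit values are the CURLSSLOPT_* constants from libcurl's curl.h.
CURLSSLOPT <- c(
  ALLOW_BEAST        = 1L,  # 1 << 0
  NO_REVOKE          = 2L,  # 1 << 1: skip revocation checks entirely
  NO_PARTIALCHAIN    = 4L,  # 1 << 2
  REVOKE_BEST_EFFORT = 8L   # 1 << 3: tolerate missing/offline revocation
)                           #         distribution points only

# Assumption: the variable counts as "on" only when it parses as logical TRUE.
revoke_best_effort_requested <- function() {
  isTRUE(as.logical(Sys.getenv("R_LIBCURL_SSL_REVOKE_BEST_EFFORT", "FALSE")))
}

# Bitmask to pass as CURLOPT_SSL_OPTIONS; 0 leaves libcurl's defaults in place.
ssl_options_mask <- function(best_effort = revoke_best_effort_requested()) {
  if (best_effort) CURLSSLOPT[["REVOKE_BEST_EFFORT"]] else 0L
}

# Decode a mask back into flag names, e.g. to log what a handle was given.
decode_ssl_options <- function(mask) {
  names(CURLSSLOPT)[bitwAnd(mask, CURLSSLOPT) != 0L]
}

# Build a curl-package handle with the revocation policy made explicit,
# and report the TLS backend so the reader can tell whether the flag applies.
new_handle_with_revocation_policy <- function() {
  mask <- ssl_options_mask()
  h <- curl::new_handle()
  curl::handle_setopt(h, ssl_options = mask)
  message("TLS backend(s): ", curl::curl_version()$ssl_version)
  message("ssl_options: ", mask, " [",
          paste(decode_ssl_options(mask), collapse = ", "), "]")
  h
}

# Self-checks on the mapping, using the two values from the session above.
Sys.setenv(R_LIBCURL_SSL_REVOKE_BEST_EFFORT = "TRUE")
stopifnot(identical(decode_ssl_options(ssl_options_mask()), "REVOKE_BEST_EFFORT"))
Sys.setenv(R_LIBCURL_SSL_REVOKE_BEST_EFFORT = "FALSE")
stopifnot(length(decode_ssl_options(ssl_options_mask())) == 0L)
```

The returned handle can be passed to `curl::curl_fetch_memory()` or `curl::curl_download()`; logging the decoded mask alongside the backend makes it visible when a session has relaxed revocation checking.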

gaborcsardi commented 3 months ago

> What SSL options does pak use in libcurl?

None.

tghoward commented 3 months ago

Okay. Thanks for your replies and comments!