r-lib / remotes

Install R packages from GitHub, GitLab, Bitbucket, git, svn repositories, URLs
https://remotes.r-lib.org/

Trouble Playing with Anti-Malware Systems #710

Closed DesignToolInvestor closed 10 months ago

DesignToolInvestor commented 2 years ago

Following the widescale attack on software supply chains associated with the SolarWinds hack in 2019, many anti-malware systems changed to automatically hold "patches" until the patch has been analyzed (often remotely). After a delay of a minute (or two) the patch is released.

This causes most installs to crash because the just-downloaded file isn't yet available. The typical error message is (somewhat confusingly):

Error in install.packages : missing value where TRUE/FALSE needed

If you wait until the anti-malware system releases the file and then restart the install, it will not redownload the file, so the anti-malware system doesn't interfere the second time around, allowing the install to continue past the point of the original crash. But for packages with lots of dependencies you may have to restart a dozen times.

The solution I'd like to see is for the package manager to download everything it will need at the beginning of the process and then wait for the files to become available (ideally telling me that it's waiting for files to become available).

In my case I can turn off this feature of the anti-malware system, which I do for my own packages. But I kind of like having this check when installing packages from the web. SolarWinds was hired primarily because of the belief that they were focused on security and reliability issues. By comparison my vulnerability seems high.

But many corporate developers don't have any way to turn this feature off, even if they decided that it was a good risk/benefit trade.
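The download-everything-first-then-wait flow requested above, written as an added R example that is not part of remotes or base R: `wait_for_release` and `prefetch_then_install` are hypothetical helper names, and the timeout, polling interval and package type defaults are assumptions.

```r
# Added example (not remotes code): fetch a package and its dependencies
# first, wait until each archive can be opened again (i.e. an anti-malware
# hold has released it), then install from the local files in dependency order.

# Retry until `path` can actually be opened for reading, or give up after `timeout` seconds.
wait_for_release <- function(path, timeout = 180, interval = 2) {
  deadline <- Sys.time() + timeout
  repeat {
    readable <- tryCatch({ con <- file(path, "rb"); close(con); TRUE },
                         error = function(e) FALSE, warning = function(w) FALSE)
    if (readable) return(TRUE)
    if (Sys.time() > deadline) return(FALSE)
    message("Waiting for ", basename(path), " to be released by the scanner ...")
    Sys.sleep(interval)
  }
}

prefetch_then_install <- function(pkgs, destdir = tempfile("pkgs"),
                                  repos = getOption("repos"),
                                  # assumption: binaries on Windows, source elsewhere
                                  type = if (.Platform$OS.type == "windows") "win.binary" else "source",
                                  timeout = 180) {
  dir.create(destdir, showWarnings = FALSE)
  db <- available.packages(repos = repos, type = type)
  installed <- rownames(installed.packages())
  # Resolve the full dependency closure, dropping what is already installed.
  deps <- unlist(tools::package_dependencies(pkgs, db = db, recursive = TRUE))
  wanted <- setdiff(unique(c(deps, pkgs)), installed)
  if (!length(wanted)) return(invisible(character()))
  # Download everything up front, before any installation starts.
  dl <- download.packages(wanted, destdir = destdir, available = db, type = type)
  # Then block until every archive is readable; fail clearly instead of with a cryptic error.
  released <- vapply(dl[, 2], wait_for_release, logical(1), timeout = timeout)
  if (any(!released)) stop("still held by scanner after timeout: ",
                           paste(dl[!released, 1], collapse = ", "))
  # Order the local files so each package is installed after its dependencies.
  remaining <- dl[, 1]; ordered <- character()
  while (length(remaining)) {
    ready <- remaining[vapply(remaining, function(p)
      !any(tools::package_dependencies(p, db = db)[[1]] %in% remaining), logical(1))]
    if (!length(ready)) stop("dependency cycle among: ", paste(remaining, collapse = ", "))
    ordered <- c(ordered, ready); remaining <- setdiff(remaining, ready)
  }
  install.packages(dl[match(ordered, dl[, 1]), 2], repos = NULL, type = type)
  invisible(ordered)
}

# prefetch_then_install("remotes")
```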

gaborcsardi commented 2 years ago

It is very unlikely that we'll add this to remotes, as it would probably need big changes. Also, it seems that the issue is in install.packages(), or probably both there and in remotes.

FWIW r-lib/pak does download all files up front, before the installation, and it also caches them, so with pak you have a better chance of a second install working fine, at least.