[R-pkg-devel] What to do when a package is archived from CRAN
I submitted prqlr 0.5.1 yesterday, which is almost identical to prqlr 0.5.0, and prqlr is now available again on CRAN. Thanks to the CRAN reviewers for their quick reaction.

Best,
Tatsuya

On 2023/08/29 19:12, SHIMA Tatsuya wrote:
Hi Uwe, thanks for the summary of the background. Let me ask you a few questions about a couple of points.

> Accepting a package that downloads crates from github

I don't think prqlr 0.5.0 downloads crates on GitHub. prqlr <= 0.4.0 used a crate on GitHub which I patched to support old Rust on Debian <https://github.com/PRQL/prql/pull/1561>, but with 0.5.0 I switched to installing from crates.io completely. (This was made possible because Debian recently upgraded Rust for the first time in six months.)

> All the correspondence we see claims that the submission had bundled
> the rust code, but the version that got archived after publication was 104KB and did not.

I am aware that in the first submission of prqlr 0.5.0, the size of the source was 12MB due to vendoring all dependent Rust crates, and CRAN pointed out the size of 12MB as a reason for rejection. That is why in my second submission I wrote the following comment that I had removed the vendoring tarball.

> To reduce package size on CRAN, it does not vendor dependent Rust
> crates.

https://github.com/eitsupi/prqlr/pull/161/commits/9aba66647fa5e48da0a5983643a4df001721b3f7#diff-cf8c1cd4cfb6a9ceb5ba522a5711321831948fea41fbb0cd9f799506c7caca1bR22-R27

In other words, I did not claim to have bundled the Rust code. And that second submission was accepted by CRAN and I have not received any further messages from CRAN.

I am aware that the CRAN policy says that we can ask CRAN for permission to download from the internet. I intended to ask for that in this comment. If I am doing this wrong, what should I do?

Thanks for reading this.

Best,
Tatsuya

On 2023/08/28 17:24, Uwe Ligges wrote:
Friends,

CRAN wrote initially to some Rust-using maintainers:

The CRAN policy on authorship/copyright is very clear: "('All components' includes any downloaded at installation or during use.)" Please explain how your package complies if you believe it does. Further, we ask that you use the 'cargo vendor' mechanism to avoid downloading during installation and limit the number of CPUs 'cargo build' can use during installation. Both points are covered in <https://cran.r-project.org/web/packages/using_rust.html>."

Accepting a package that downloads crates from github happened automatically, but incorrectly (a false negative): All the correspondence we see claims that the submission had bundled the rust code, but the version that got archived after publication was 104KB and did not.

So please simply follow the mails you got and fix the package following the "using_rust" documentation. In addition, it was mentioned already to get the authorship straight.

Best,
Uwe Ligges

On 27.08.2023 17:28, SHIMA Tatsuya wrote:
Hi Tim, thank you for sharing this information. I didn't know this. If this is the cause, the problem seems to have been resolved in the latest serde <https://github.com/serde-rs/serde/pull/2590>, so it seems to be possible to deal with it.

Best,
Tatsuya

On 2023/08/27 20:24, Tim Taylor wrote:
Could you have been caught out with the precompiled binary that serde started distributing in a few of its versions (https://github.com/serde-rs/serde/issues/2538)? That could have been a reason if you pinned a version with it present but only CRAN could confirm if that was the reason.

Tim

On 26 Aug 2023, at 22:22, Ivan Krylov <krylov.r00t at gmail.com> wrote:

On Sat, 26 Aug 2023 11:46:44 +0900 SHIMA Tatsuya <ts1s1andn at gmail.com> wrote:
I noticed that my submitted package `prqlr` 0.5.0 was archived from CRAN on 2023-08-19. <https://CRAN.R-project.org/package=prqlr> I submitted prqlr 0.5.0 on 2023-08-13. I believe I have since only received word from CRAN that it passed the automated release process.
Sarah gave a good guess (although there are CRAN packages containing C++ and Rust code with NOTEs about size of their libs, 18.2Mb is still a lot), though I do find it strange that you didn't receive anything from CRAN prior to having your package archived. I don't think I ever had problems with e-mails being delivered from CRAN to GMail, but we can't rule that out.

You've obviously made an effort to follow the Rust policy, and I don't see any obvious problems with this part of the package, although I haven't tried it myself to verify the installation working offline from bundled source code.

You've also made an effort to list all the authors of the code comprising your package in inst/AUTHORS, which is the right thing to do to avoid making the list of authors in DESCRIPTION long enough to be unreadable.

You licensed the package as MIT. Are your dependencies compatible with MIT? All direct dependencies of your Rust code seem to be licensed under either MIT or Apache-2.0, which seems to be compatible.

You named the copyright holder of your package as "prqlr authors", which may be a problem. (I think I saw it somewhere that for MIT license, CRAN prefers the copyright holder to be some kind of legal entity: either the legal name of a person, or a company, or something like that.)

Could the Rust code or any of the dependencies accidentally write under the user's home directory or take over the terminal or something like that?

We might need a response from CRAN after all.

--
Best regards,
Ivan
______________________________________________ R-package-devel at r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-package-devel
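
The thread turns on where a package's Rust crates come from at install time (a Git host, crates.io, or a vendored copy). The following is an added example, not code from prqlr, CRAN or any participant in the thread: a small audit of `Cargo.lock` text that reports crates recorded with a Git source or without a registry checksum. The lockfile contents and crate names are constructed for illustration.

```python
import re

# Source string Cargo records in Cargo.lock for crates resolved from crates.io.
CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample lockfile (hypothetical crate names, placeholder digest).
SAMPLE_LOCK = '''version = 3

[[package]]
name = "local-wrapper"
version = "0.1.0"
dependencies = [
 "forked-crate",
 "registry-crate",
]

[[package]]
name = "registry-crate"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-placeholder-digest"

[[package]]
name = "forked-crate"
version = "0.9.0"
source = "git+https://github.com/example/forked-crate?rev=0123abc#0123abc0123abc"
'''

def parse_lock(text):
    """Return one dict of simple string fields per [[package]] table."""
    blocks = text.split("[[package]]")[1:]  # drop the header before the first table
    return [dict(re.findall(r'^(\w+) = "([^"]*)"$', b, flags=re.M)) for b in blocks]

def audit(text):
    """List (crate, reason) pairs for crates not pinned to crates.io by checksum."""
    findings = []
    for pkg in parse_lock(text):
        name, source = pkg.get("name", "?"), pkg.get("source")
        if source is None:
            continue  # workspace or path crate: shipped inside the package itself
        if source.startswith("git+"):
            # Strip the "git+" prefix and the "#<commit>" suffix for readability.
            findings.append((name, "git source: " + source[4:].split("#")[0]))
        elif source != CRATES_IO:
            findings.append((name, "registry other than crates.io: " + source))
        elif "checksum" not in pkg:
            findings.append((name, "crates.io crate without checksum"))
    return findings

if __name__ == "__main__":
    for crate, reason in audit(SAMPLE_LOCK):
        print(f"{crate}: {reason}")
```

A clean report says nothing about whether installation works offline; that still depends on the crates being vendored into the source tarball.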