Skip to content

CRAN: Lower risk for supply-chain attacks with Multi-Maintainer Authentication (MMA) #176

Description

@HenrikBengtsson

Background

One protection against supply-chain attacks on CRAN is the confirmation email that the package maintainer needs to accept before the package is accepted to the "CRAN incoming" area. The confirmation email looks like:

From: CRAN Package Submission Form root-xmpalantir@xmbombadil.wu.ac.at
Date: Tue, Mar 31, 2026 at 9:25 PM
Subject: CRAN Submission of somepkg 1.0 - Confirmation Link
To: alice.bobson@example.org

Dear Alice Bobson
Someone has submitted the package somepkg to CRAN.
You are receiving this email to confirm the submission as the maintainer of
this package.
To confirm the submission to CRAN, follow or copy & paste the following
link into your browser:

https://xmpalantir.wu.ac.at/cransubmit/conf_mail.php?code=991250a60319753e637f77cb6c9885b4

If you did not submit the package or do not wish for it to be submitted to
CRAN, simply ignore this email
...

Issue

In order to submit a malicious package update to CRAN, an attacker needs to compromise the package maintainer's email account. Although this is hard, it can still happen. If it happens, the door is wide open to submit to CRAN.

Idea

To lower the risk for such attacks, CRAN could extend its current email confirmation infrastructure to require submission approvals from more than one listed package maintainer.

This would work by CRAN sending out multiple, seperate confirmation emails (as above) to each of the maintainers, which then would have to be approved by each of them. The conf_mail.php?code=<unique code> script would have to understand how to handler multiple grouped codes and across multiple sessions.

The multi-maintainer authentication (MMA) could be an opt-in feature.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions