Background
One protection against supply-chain attacks on CRAN is the confirmation email that the package maintainer needs to accept before the package is accepted to the "CRAN incoming" area. The confirmation email looks like:
From: CRAN Package Submission Form root-xmpalantir@xmbombadil.wu.ac.at
Date: Tue, Mar 31, 2026 at 9:25 PM
Subject: CRAN Submission of somepkg 1.0 - Confirmation Link
To: alice.bobson@example.org
Dear Alice Bobson
Someone has submitted the package somepkg to CRAN.
You are receiving this email to confirm the submission as the maintainer of
this package.
To confirm the submission to CRAN, follow or copy & paste the following
link into your browser:
https://xmpalantir.wu.ac.at/cransubmit/conf_mail.php?code=991250a60319753e637f77cb6c9885b4
If you did not submit the package or do not wish for it to be submitted to
CRAN, simply ignore this email
...
Issue
In order to submit a malicious package update to CRAN, an attacker needs to compromise the package maintainer's email account. Although this is hard, it can still happen. If it happens, the door is wide open to submit to CRAN.
Idea
To lower the risk for such attacks, CRAN could extend its current email confirmation infrastructure to require submission approvals from more than one listed package maintainer.
This would work by CRAN sending out multiple, seperate confirmation emails (as above) to each of the maintainers, which then would have to be approved by each of them. The conf_mail.php?code=<unique code> script would have to understand how to handler multiple grouped codes and across multiple sessions.
The multi-maintainer authentication (MMA) could be an opt-in feature.
Background
One protection against supply-chain attacks on CRAN is the confirmation email that the package maintainer needs to accept before the package is accepted to the "CRAN incoming" area. The confirmation email looks like:
Issue
In order to submit a malicious package update to CRAN, an attacker needs to compromise the package maintainer's email account. Although this is hard, it can still happen. If it happens, the door is wide open to submit to CRAN.
Idea
To lower the risk for such attacks, CRAN could extend its current email confirmation infrastructure to require submission approvals from more than one listed package maintainer.
This would work by CRAN sending out multiple, seperate confirmation emails (as above) to each of the maintainers, which then would have to be approved by each of them. The
conf_mail.php?code=<unique code>script would have to understand how to handler multiple grouped codes and across multiple sessions.The multi-maintainer authentication (MMA) could be an opt-in feature.