On source("https://bioconductor.org/biocLite.R")

Yihui Xie 2018-07-27

About six years ago when I visited Bioconductor for the first time in Seattle, I asked them a question that I had for long: Why is source("https://bioconductor.org/biocLite.R") the recommended way to install Bioconductor? Unfortunately, I don’t remember their answer now, but I guess I was not convinced at that time anyway. Sourcing an R script directly from the web was an obviously very bad idea in my eyes. If you open this script, you will see that it further sources another script from bioconductor.org (and even tries to fall back to the insecure HTTP URL if HTTPS fails), which in turn sources yet another script. If the web server is compromised and someone injects something like system('rm -rf /') in these scripts, users will be in deep deep trouble immediately.

Yesterday I saw Stephen Turner’s tweet about the new BiocManager package, and he recommended that we stop using the biocLite() function. While we should definitely thank the security team at Bioconductor for keeping the server secure for several years, I feel the source() way of installing Bioconductor should be retired as soon as possible.