7 Repositories and Sources
R repositories contain package tar files and are the primary vehicle for organizing and distributing R packages. For more information on packages and repositories see B.
In RStudio Package Manager, repositories are created from one or more sources. The documentation in this chapter outlines repositories as well as the types and structure of sources.
7.1 Repository Structure
R package repositories have a specific structure that enables client commands
install.packages to query the repository’s contents and download
A regular CRAN repository is just a set of files served from disk. RStudio Package Manager does not create repositories on disk. Instead, RStudio Package Manager maintains a single copy of each package source and uses a database and specialized web server to handle HTTP requests from R.
Some example requests that can be served by the RStudio Package Manager:
This serves a PACKAGES file. The PACKAGES file for a repository is human-readable and contains information on each package available in the repository. RStudio Package Manager can also serve requests for PACKAGES.gz and PACKAGES.rds.
This request downloads the package source to the client.
Archived Package Source
This request downloads the tar file for an older, archived version of the package.
Most importantly, a RStudio Package Manager repository is a CRAN-like repository
which means users can access and install packages using their regular R
7.2 Repository Versioning
RStudio Package Manager tracks every change to a repository (or source) and associates
each change with a transaction id. Together, these transaction ids create a
full versioned history of each repository. If a user wants to install packages
from a prior point in the repository’s history they can do so by replacing the
/latest component of the request URL with a transaction id. Transaction ids
can be obtained in a repository’s “Activity” log. The current transaction id is
available in the “Setup” page. For projects that require strict reproducibility,
we recommend configuring R to use a repository URL with a transaction id.
Versioning is available for all repository and source types.
7.3.1 About Sources
RStudio Package Manager repositories are composed of one or more sources. There are currently three types of sources:
- cran source - A single cran source is automatically created. This source contains metadata and packages from RStudio’s CRAN service. The source can be used directly in a repository to give users access to all CRAN packages, or it can used indirectly by curated-cran sources.
While the cran source is created automatically, an administrator must use the CLI before any metadata or packages are downloaded to RStudio Package Manager. See the CLI section for more information on making CRAN available through RStudio Package Manager.
curated-cran source - A curated CRAN source allows administrators to specify specific sets of approved CRAN packages. Administrators can add or remove packages from the set, and they can also update the set. See 7.5 for more information.
local source - A local source is used as a mechanism to distribute locally developed packages or other packages without native support in RStudio Package Manager. Administrators add packages to local sources by specifying a path to a package’s tar file.
7.3.2 Repositories with Multiple Sources
A repository can have more than one source. If you wish to serve both local packages and CRAN packages from a single repository, you can create a single repository that subscribes to multiple sources. For example:
- public (a repository)
- internal (local source)
- cran (CRAN source)
The “public” repository above gives users access to both local and CRAN packages,
and its PACKAGES list could be accessed, for example, at
http://pkg-manager.example.com/public/latest/src/contrib/PACKAGES. A repository
subscribes to sources, which means that changes to a source will be reflected in
the repository. For example, if an admin adds a new package to the
source, users will automatically be able to access the new package via the
7.3.3 Package Conflicts Between Sources
If a repository has multiple sources and a package with the same name exists in
both sources, RStudio Package Manager eliminates duplicates, giving preference
in the order the sources are subscribed. In the example repository above, if a
package named “plumber” exists in both the “cran” and “internal” sources, the
“plumber” package from the “internal” source would be served and listed since it
is the first source for the repository. The same conflict resolution occurs as
sources change. For example, in the sample above, even if a new package is added
to CRAN with the same name as an internal package, the internal package will
continue to be served. The precedence is also maintained during updates. In the
example above, the internal version of plumber will continue to be served even
if the CRAN version of plumber is updated. The order of sources within a
repository can be re-arranged using the
7.4 The CRAN Source
A primary use case for RStudio Package Manager is making packages in public repositories, like CRAN, available to enterprise users. Administrators can elect to make all of CRAN available, or to make only curated subsets of CRAN available.
7.4.1 What is RStudio’s Package Service?
RStudio Package Manager doesn’t download packages directly from CRAN. Instead, RStudio maintains a curated s3 bucket that contains metadata about CRAN and package tar files. The metadata is used to track CRAN’s day-to-day changes.
See D if your environment does not have access to the RStudio Package Service.
During a sync, the metadata is downloaded to RStudio Package Manager. The metadata is compared against the RStudio Package Manager database to determine what changes need to be applied. Package tarballs are then downloaded to the cache either eagerly or lazily depending on the sync mode.
Lazy sync mode is recommended.
7.4.2 Eager vs Lazy
The sync mode is configured using the
CRAN.SyncMode property. The property
defaults to “lazy”, but can be set to “eager” for eager package fetching.
For eager fetching, RSPM attempts to download any package sources that could be served to users. This means that RSPM will download packages under a number of scenarios:
- When a repository subscribes to the CRAN source.
- If a repository is subscribed to the CRAN source, then packages will
be downloaded when a sync occurs, initiated with the CLI
synccommand or initiated based on the configured schedule.
- When a package is added to a curated CRAN source with the
addcommand (and at least one repository has subscribed to the curated CRAN source).
- When a curated CRAN source is updated with the
updatecommand (and at least one repository has subscribed to the curated CRAN source).
All four of these actions happen automatically. Additionally, an admin can
force RSPM to download packages using the CLI
If a repository subscribes to the CRAN source, then all CRAN packages will downloaded. Downloading all of CRAN during an initial sync can take a significant amount of time, bandwidth, and disk space. However, downloading packages does not block end users from accessing repositories that subscribe to the source. End users can request any package as soon as the metadata is sync’d. If a user requests a package that is not already downloaded, the package will be immediately downloaded and served to the client.
If RStudio Package Manager is set up for lazy fetching, it downloads packages as the packages are requested by end users. Package Manager will still download the metadata from CRAN on the sync schedule to keep the RStudio Package Manager database updated. The database serves as the source of truth for package availability. The benefit of lazy fetching is a smaller footprint in terms of network bandwidth and disk space.
22.214.171.124 Package Caching
In either mode, each version of a package is only downloaded once. RStudio Package Manager always checks the local cache to see if the required tar file is already available.
126.96.36.199 Changing Modes
If you change the sync mode, the following occurs:
Lazy to Eager - Eager fetching is applied to future syncs. When you next synchronize, all packages that have not yet been downloaded will be downloaded.
Eager to Lazy - Lazy fetching is applied to all future syncs. A sync with in-progress downloads will be completed.
7.4.3 Updates from CRAN
The cran source is updated according to a schedule set using the
CRAN.SyncSchedule property in the RStudio Package Manager configuration file.
This property accepts a string in crontab format. See
We recommend syncing every day. CRAN adds or updates tens to hundreds of packages each day.
SyncSchedule property does not necessarily determine when a repository
will make updated packages available to users. If the repository subscribes
directly to the cran source, users will see updates according to the sync
schedule. In contrast, if the repository subscribes to a curated CRAN source, an
administrator must explicitly update the source in order for updates to become
In addition, updating the repository does not automatically push updates to users. A repository specifies what packages are available, but the R user is in control of when and how to update the packages used by a project.
See the section on managing change control for more information.
RStudio Package Manager keeps track of old versions of packages as well. Old versions of packages are available in the repository’s archive, and are listed in the RStudio Package Manager web UI. This allows users to roll back updates if necessary or install packages as they existed at a prior time.
7.5 Curated CRAN Sources
Curated CRAN sources allow administrators to create and update approved subsets of CRAN. The behavior is best explained in an example.
Assume that RStudio Package Manager has been configured to sync CRAN updates daily.
January 1st - An administrator creates a curated CRAN source and is given a list of desired packages.
January 2nd - The administrator can use the
add command with the
flag, supplying the list of desired packages. RStudio Package Manager will
identify all of the required dependencies and create a proposal. The proposal
includes the set of packages to be added as well as information about each
package, such as license type. This information can be used to facilitate an
external review process.
January 15th - The proposal is approved. The administrator returns to RStudio
Package Manager and runs the
add command again, replacing the
with a transaction ID included in the proposal. The set of packages is
added from CRAN as they existed on January 1st, the date the source was
January 20th - The administrator receives a request to add a new package to the
set of approved packages. The admin uses the
add command with the
flag, supplying the new package as an argument. RStudio Package Manager will
create a proposal using the version of CRAN as it existed on January 1st. In
order to ensure compatibility between the packages added to the source, RStudio
Package Manager will add to the set of packages by pulling from CRAN as it
existed the day the source was created. As before, if the proposal is accepted,
the admin can commit the changes.
January 30th - Now the administrator gets a request to update the approved
packages. In order to keep all packages consistent, the entire set is updated at
once using the
update command. Like the
add command, the
dryrun flag that will enumerate all the changes needed to update the
set of packages from January 1st to January 30th.
February 1st - The proposal is approved and the administrator completes the
update command by using the transaction ID included in the dry run update.
The set of packages is now tied to CRAN on January 30th. Future add commands
will use this pinned date, until another update sequence occurs.
To summarize, curated CRAN sources allow admins to create a subset of CRAN at a point in time. Administrators can add packages to the subset from the same frozen point in time. Administrators can also update the subset to a newer point in time. Each change supports a dry run that creates a proposal and a confirmation run that applies the proposal.
Given a list of desired packages, RStudio Package Manager automatically
determines the full set of dependencies and also tracks those dependencies over
time. Admins can elect to include suggested dependencies or only required
dependencies by using the
include-suggests flag. During each update, older
versions of packages are archived, ensuring that tools like packrat and RStudio
Connect work seamlessly with the curated CRAN subset.
update command will be impacted by the sync schedule defined on the
server. If the server only syncs every few weeks,
update will only reference
the latest data from CRAN available on the server.