Not claiming anybody is doing this but: I think we all must be very careful in ascribing all rumors of interaction difficulties to CRAN. I have also heard some negative rumors, but they didn't match my limited direct experience (which has been positive). So I personally discount the rumors, but would not discount any concrete examples (good or bad). If the rumors match somebody else's direct experience I don't mean to undermine that, and I certainly do not intend to claim "just because nothing bad has happened to me it is implausible something bad has happened to someone else."
Most conflicts involve more than one party who may be at fault. I am not meaning to diminish anyone else's direct experience, but I do want to diminish the indirect repeated rumors that CRAN is fundamentally hard to work with. I feel that CRAN is a great benefit, and much better than not having a central package facility of having a central facility run by a company.
I am most definitely not commenting on
bigstatsr, as I don't know anything about their interaction with CRAN. And you are correct in that package state does seem mysterious (I follow other orphaned and removed packages for which I would love to know what happened).
Below I am commenting on other packages in general (though I do have specific examples to back it up).
I think in many cases the package maintainers have been getting away with not obeying even simple CRAN guidelines that have been known for some time. That helps make it seem uneven (and even seem unfair) when one gets caught by one of these guidelines. My personal experience (maintaining multiple packages for multiple years) is: things are easier if you make an extra effort to follow your best guess of a broadening of the guidelines, even if it appears to you other packages have no such requirement. It is not a good idea to "get lawyerly" and attempt to follow the guidelines minimally to the letter.
Each time a package is submitted the submitter checks the following boxes on the user submission form.
In addition to this, the rules say you are supposed to check current versions of packages that depend on your package.
Given the above I have seen popular packages:
- Not fixing the errors seen on the results pages. Given the checkbox this means: when you submit not having fixed errors, not only have you violated guidance- but you have also affirmatively claimed to follow it.
- Add to their CRAN submission notes they are breaking their own dependent packages. This causes needless trouble, as the same authors could first fix the dependent package and not need to ask for an exception.
- Claim they have notified dependent packages of breaking changes (when it later comes out they have not). This is particularly nasty because not responding to such messages is one of the quicker ways to get orphaned. So claiming another package is ignoring messages is transferring a harm/risk to that dependent package.
Again this is not to kill discussion, it is just my side of the discussion. I think direct sharing of experiences with CRAN (be they good or bad) is useful. The above (unfortunately, including the bullet points) is some of what I have directly seen both in maintaining my own packages, and interacting with other packages.
Sorry that got long, I promise not to swoop in and debate other comments. Interested to hear what other's have to say on the topic.