I’m curious to know where the cost of updating is coming from?
I have some experience with how this was handled in the UK HSA. At first, when R was not as popular and IT security more relaxed, those of us who used it were able to download directly from CRAN as often as we wanted.
Then IT security became a lot stricter and it was no longer possible to download any kind of software directly - they had to be pre-approved, assessed and then put in the software download centre for people to install from there. Many discussions were had between the concerned R user community and IT prior to the launch of the software download system.
What we ultimately wanted was for at least the major versions (to the second digit e.g. 4.2.x) to be available immediately in the software centre. However we weren’t able to persuade IT to upload them without some kind of checking process for every new version. In the end, they agreed to pre-release new versions to a group of R users who would serve as beta testers for two weeks. If they encountered no problems, the new versions would be pushed to the software centre and then available to everyone.
What happened in practice was that our IT department was unable to keep up with the release schedule. They often had to be prompted by R users to start the update process when a new version was released - but then it would not be available for several weeks to months, and sometimes there were incompatibilities, for example R tools version not matching R.
This is how it was in the initial phase of the software download centre roll out - however I left the organisation at the start of the pandemic, so I don’t know what happened after that. I’m happy to ask my colleagues how it is now (I’m also curious) and post an update back here.
In general I would say it is important to have constant dialogue between the R user community and IT - the latter need to be educated on the R ecosystem and needs of users. I think it is unfortunate that there is this perceived need among IT professionals for pre-testing (from a security perspective) of R releases- personally I’m not aware of there ever being a release that was contaminated with a virus for instance. I suspect that CRAN also have some rigorous protocols to prevent that, but IT security people tend to have less confidence on the security protocols of open software.
Another thing that is essential to ensure is that packages can be installed by users from CRAN or github as needed, without any special privilages. I’m aware that this is difficult in RKI in Germany and in some parts of the HPSC in Ireland. There is often a distinction between experienced R users, who have negotiated with IT and have the relevant permissions, and new R users, who may not be aware of what they need to ask for. To mitigate this, it is advisable to have a communication hub for R users in the organisation, with a resources section that details what new users need to do and ask for. SLACK is great for internal communication (though it has its limits unless you get a paid plan) but people may be able to use existing messaging and shared storage infrastructure, such as Microsoft TEAMS and Sharepoint.
Hope this is helpful - I would recommend finding out from IT exactly what the bottlenecks are for doing updates in synch with the actual release schedule of R versions, and push for that if you can.