
Using ssl_verifypeer = FALSE in a CRAN pkg?


I don't know about consensus, but Hadley writes:

You should NEVER use ssl.verifypeer = FALSE as a default, unless you don't want to know when your security has been compromised.

That said, I have seen packages using the option by default.

The question is: without a valid certificate, how do you know that the UN website has not been compromised?

I would suggest flagging the issue clearly at the top of the package documentation and indicating that it's the user's responsibility to set the option. And hoping that the hosting service sorts out its certificate soon.


Via https://curl.haxx.se/docs/sslcerts.html:

Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);

In R curl options, that's capath.

You can get recent versions of those here https://curl.haxx.se/docs/caextract.html provided you trust the main cURL site.

cacert.pem === ca-bundle.crt if you happen to see references to both/either.

If updated CA files still cause the issue then you're doing a disservice to the user by having them think they're OK by just passing FALSE to your functions.

I have no idea what harm Comtrade data integrity loss/manipulation would cause folks. But beyond that, a flagged cert could also be a sign to the user of MITM. Either way, you should think twice about being an enabler.
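To make the two replies above concrete (keep verification on, let the user supply a CA bundle rather than the package passing FALSE), here is an added example of how a package function could be written. It is not code from the thread or from any CRAN package; the URL, the `fetch_comtrade()` name and the `cainfo` argument are illustrative assumptions, and the option names (`ssl_verifypeer`, `ssl_verifyhost`, `cainfo`, `capath`) are the R curl package's lower-cased libcurl option names.

```r
library(curl)

# Hypothetical endpoint; substitute the real API URL.
comtrade_url <- "https://comtrade.un.org/"

# --- The pattern the thread warns against ---------------------------------
# Verification off by default: any intercepting proxy with a self-signed
# cert is accepted silently, and the user never learns anything is wrong.
fetch_comtrade_insecure <- function(url = comtrade_url) {
  h <- new_handle(ssl_verifypeer = 0L)   # DO NOT ship this as a default
  curl_fetch_memory(url, handle = h)
}

# --- The pattern the thread recommends ------------------------------------
# Peer and host verification stay on. If the server's chain cannot be
# validated against the OS store, the *user* may point at a CA bundle they
# trust (e.g. cacert.pem from https://curl.haxx.se/docs/caextract.html) via
# `cainfo` (a single bundle file) or `capath` (a directory of CA certs).
fetch_comtrade <- function(url = comtrade_url, cainfo = NULL, capath = NULL) {
  h <- new_handle(ssl_verifypeer = 1L, ssl_verifyhost = 2L)
  if (!is.null(cainfo)) {
    stopifnot(file.exists(cainfo))
    handle_setopt(h, cainfo = cainfo)
  }
  if (!is.null(capath)) {
    stopifnot(dir.exists(capath))
    handle_setopt(h, capath = capath)
  }
  tryCatch(
    curl_fetch_memory(url, handle = h),
    error = function(e) {
      # Surface the failure instead of papering over it: a verification
      # error means either a broken chain on the server side or a MITM.
      stop(
        "TLS certificate verification failed for ", url, ": ",
        conditionMessage(e), "\n",
        "If you trust an alternative CA bundle, pass it via `cainfo = `. ",
        "Do not disable verification (ssl_verifypeer = FALSE).",
        call. = FALSE
      )
    }
  )
}

# Usage (requires network):
#   res <- fetch_comtrade()                         # normal case
#   res <- fetch_comtrade(cainfo = "cacert.pem")    # user-supplied bundle
#   rawToChar(res$content)
```

The point of the design is that the only knob the package exposes is *which* trust anchors to use, never *whether* to verify; the error message tells the user what to do and states the risk, which is the documentation flag the first reply asks for. The same arguments map directly onto `httr::config(cainfo = ..., ssl_verifypeer = 1L)` for packages built on httr.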