[R] registry vulnerabilities in R

Paul Martin pamartin at alum.mit.edu
Wed May 9 18:46:03 CEST 2012


I don't have much new to add, but I want to make some clarifying comments:

First, there are clearly workarounds available. I am using one now. R is 
installed on a personal laptop which I bring to work every day. I take 
extreme care with the nature of the files I move back and forth, and 
none of this is classified. This is common practice here. Yes, it would 
be nice if I could get R onto my desktop machine at work. It would save 
me burning CDs to move plots back and forth. But it's not the end of the 
world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to 
the R community? I suspect the answer is no, but cannot say anything for 
sure at this point.

The registry analysis tool looks like it is custom software developed by 
the Air Force. I can't get any specific information beyond that. That is 
unfortunate, since it would be nice if the tests could be duplicated and 
confirmed.

We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: Registry entries 
added and registry entries modified. There were no vulnerabilities found 
in the "entries modified" section. All of the vulnerabilities are listed 
under "entries added".

I will let you know if I find out anything else. Certainly the isolated 
test of the R software without RStudio will be of interest.

Thank you all for your comments,

Paul Martin

On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
>>> Someone said:
>>> Once R is accepted, you could ask for an RStudio test if you want.
>   I had another thought shortly after my initial email. Suppose yes, R
> is accepted. Great. You run R.
>
>   Then you think, "Oh, I need ggplot2" (yes you do). Do you then have
> to get security clearance for every package you want to download from
> CRAN?
>
> Barry
>


