[R] registry vulnerabilities in R
Duncan Murdoch
murdoch.duncan at gmail.com
Wed May 9 20:17:38 CEST 2012
On 09/05/2012 2:04 PM, Gabor Grothendieck wrote:
> On Wed, May 9, 2012 at 12:46 PM, Paul Martin<pamartin at alum.mit.edu> wrote:
> > I don't have much new to add, but I want to make some clarifying comments:
> >
> > First, there are clearly workarounds available. I am using one now. R is
> > installed on a personal laptop which I bring to work every day. I take
> > extreme care with the nature of the files I move back and forth, and none of
> > this is classified. This is common practice here. Yes, it would be nice if I
> > could get R onto my desktop machine at work. It would save me burning CDs to
> > move plots back and forth. But it's not the end of the world. My ability to
> > get work done is not the issue here.
> >
> > The issue is the following: Is there anything her which is of concern to the
> > R community? I suspect the answer is no, but cannot say anything for sure at
> > this point.
> >
> > The registry analysis tool looks like it is custom software developed by the
> > Air Force. I can't get any specific information beyond that. That is
> > unfortunate, since it would be nice if the tests could be duplicated and
> > confirmed.
> >
> > We will get separate tests on R without RStudio.
> >
> > The registry analysis reports results in two sections: Registry entries
> > added and registry entries modified. There were no vulnerabilities found in
> > the "entries modified" section. All of the vulnerabilities are listed under
> > "entries added".
> >
>
> During the installation process its only the installer that sets any
> registry values, not R itself.
>
> Using the standard installer that comes with R it asks you whether you
> want to save version numbers in the registry and whether you want to
> create an association for RData files. If you uncheck those then the
> installation does not set any registry values.
That's correct. And with a small change to the installer script, even
that can be suppressed. (For anyone interested: you need
"Uninstallable=no" near the top of the Inno Setup script; if using the
regular build, that's in the file RHOME/src/gnuwin32/installer/header1.iss.)
Duncan Murdoch
More information about the R-help
mailing list