[R] registry vulnerabilities in R

Richard M. Heiberger rmh at temple.edu
Wed May 9 20:57:14 CEST 2012


One more item.  Have you given a copy of the document
   R: Regulatory Compliance and Validation Issues A Guidance Document
for the Use of R in Regulated Clinical Trial Environments
   http://www.r-project.org/doc/R-FDA.pdf
to your security office?

It addresses overlapping, not identical, security issues.

Rich

On 5/9/12, Paul Martin <pamartin at alum.mit.edu> wrote:
> I don't have much new to add, but I want to make some clarifying comments:
>
> First, there are clearly workarounds available. I am using one now. R is
> installed on a personal laptop which I bring to work every day. I take
> extreme care with the nature of the files I move back and forth, and
> none of this is classified. This is common practice here. Yes, it would
> be nice if I could get R onto my desktop machine at work. It would save
> me burning CDs to move plots back and forth. But it's not the end of the
> world. My ability to get work done is not the issue here.
>
> The issue is the following: Is there anything here which is of concern to
> the R community? I suspect the answer is no, but cannot say anything for
> sure at this point.
>
> The registry analysis tool looks like it is custom software developed by
> the Air Force. I can't get any specific information beyond that. That is
> unfortunate, since it would be nice if the tests could be duplicated and
> confirmed.
>
> We will get separate tests on R without RStudio.
>
> The registry analysis reports results in two sections: Registry entries
> added and registry entries modified. There were no vulnerabilities found
> in the "entries modified" section. All of the vulnerabilities are listed
> under "entries added".
>
> I will let you know if I find out anything else. Certainly the isolated
> test of the R software without RStudio will be of interest.
>
> Thank you all for your comments,
>
> Paul Martin
>
> On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
>>>> Someone said:
>>>> Once R is accepted, you could ask for an RStudio test if you want.
>>   I had another thought shortly after my initial email. Suppose yes, R
>> is accepted. Great. You run R.
>>
>>   Then you think, "Oh, I need ggplot2" (yes you do). Do you then have
>> to get security clearance for every package you want to download from
>> CRAN?
>>
>> Barry
>>
>


