[R] are R packages safe?

Bert Gunter bgunter.4567 at gmail.com
Thu Dec 8 19:13:55 CET 2016


Dimitri:

On Thu, Dec 8, 2016 at 10:05 AM, Dimitri Liakhovitski
<dimitri.liakhovitski at gmail.com> wrote:
> I just thought maybe there is something - about the process of
> submitting packages or anything like that - that shows that at least
> some diligence is being done to ensure that a given package is not
> just a piece of malware from ISIS or Russia.
> But if you, Bert, say it's not the case, then I'll believe you.

*** I DID NOT SAY THAT ***

You asked for "guarantees." R has none. But of course U. Wien checks
R packages on submission for malicious code (it is one reason binary
submissions are generally not permitted) and R repository servers of
course have filters in place. BUT THERE ARE NO GUARANTEES, explicit or
implied.

Cheers,
Bert



>
> I've asked my question after I received the following email from a
> partner company (that is a SaS company):
> They are starting to work with R and we are delivering some R code to
> them that will run in the background. I mentioned that certain R
> packages have to be installed in order for the code to run and got
> this:
>
> "I’m also going to assume that our team will want to vet any package
> you request. We’re big fans of open source and leveraging 3rd party
> libraries but are keenly aware of the risks in “inviting strangers
> into your house”."
>
> This is why I asked.
> So, I guess, my response should be - yes, please, go ahead and "vet"
> them any way you want.
> Thank you!
>
> On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
>> 1. What does "Safe" mean???
>>
>> 2. From the R banner on startup:
>>
>> "R is free software and comes with ABSOLUTELY NO WARRANTY."
>>
>> Don't think it could be clearer than that!
>>
>> Cheers,
>> Bert
>>
>>
>> Bert Gunter
>>
>> "The trouble with having an open mind is that people keep coming along
>> and sticking things into it."
>> -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )
>>
>>
>> On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski
>> <dimitri.liakhovitski at gmail.com> wrote:
>>> Guys,
>>>
>>> suddenly, I am being asked for a proof that R packages that are not
>>> "base" are safe. I've never been asked this question before.
>>>
>>> Is there some documentation on CRAN that discusses how it's ensured
>>> that all "official" R packages have been "vetted" and are safe?
>>>
>>> Thanks a lot!
>>>
>>> --
>>> Dimitri Liakhovitski
>>>
>>> ______________________________________________
>>> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
>>> https://stat.ethz.ch/mailman/listinfo/r-help
>>> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
>>> and provide commented, minimal, self-contained, reproducible code.
>
>
>
> --
> Dimitri Liakhovitski
