[R] are R packages safe?

Dimitri Liakhovitski dimitri.liakhovitski at gmail.com
Thu Dec 8 19:16:08 CET 2016


Great to know, thanks, Bert!

Do you happen to have a reference that shows that:
- U. Wien checks R packages on submission for malicious code
- R repository servers have filters in place.

Thanks again!

On Thu, Dec 8, 2016 at 1:13 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
> Dimitri:
>
>
>
>
> On Thu, Dec 8, 2016 at 10:05 AM, Dimitri Liakhovitski
> <dimitri.liakhovitski at gmail.com> wrote:
>> I just thought maybe there is something - about the process of
>> submitting packages or anything like that - that shows that at least
>> some diligence is being done to ensure that a given package is not
>> just a piece of malware from ISIS or Russia.
>> But if you, Bert, say it's not the case, then I'll believe you.
>
> *** I DID NOT SAY THAT ***
>
> You asked for **guarantees.** R has none. But of course U. Wien checks
> R packages on submission for malicious code (it is one reason binary
> submissions are generally not permitted) and R repository servers of
> course have filters in place. BUT THERE ARE NO GUARANTEES, explicit or
> implied.
>
> Cheers,
> Bert
>
>
>
>>
>> I've asked my question after I received the following email from a
>> partner company (that is a SaS company):
>> They are starting to work with R and we are delivering some R code to
>> them that will run in the background. I mentioned that certain R
>> packages have to be installed in order for the code to run and got
>> this:
>>
>> "I’m also going to assume that our team will want to vet any package
>> you request. We’re big fans of open source and leveraging 3rd party
>> libraries but are keenly aware of the risks in “inviting strangers
>> into your house”."
>>
>> This is why I asked.
>> So, I guess, my response should be - yes, please, go ahead and "vet"
>> them any way you want.
>> Thank you!
>>
>> On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
>>> 1. What does "Safe" mean???
>>>
>>> 2. From the R banner on startup:
>>>
>>> "R is free software and comes with ABSOLUTELY NO WARRANTY."
>>>
>>> Don't think it could be clearer than that!
>>>
>>> Cheers,
>>> Bert
>>>
>>>
>>> Bert Gunter
>>>
>>> "The trouble with having an open mind is that people keep coming along
>>> and sticking things into it."
>>> -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip)
>>>
>>>
>>> On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski
>>> <dimitri.liakhovitski at gmail.com> wrote:
>>>> Guys,
>>>>
>>>> suddenly, I am being asked for a proof that R packages that are not
>>>> "base" are safe. I've never been asked this question before.
>>>>
>>>> Is there some documentation on CRAN that discusses how it's ensured
>>>> that all "official" R packages have been "vetted" and are safe?
>>>>
>>>> Thanks a lot!
>>>>
>>>> --
>>>> Dimitri Liakhovitski
>>>>
>>
>>
>>
>> --
>> Dimitri Liakhovitski



-- 
Dimitri Liakhovitski


