[R] are R packages safe?
Bert Gunter
bgunter.4567 at gmail.com
Thu Dec 8 19:17:07 CET 2016
On Thu, Dec 8, 2016 at 10:16 AM, Dimitri Liakhovitski
<dimitri.liakhovitski at gmail.com> wrote:
> Great to know thanks, Bert!
>
> Do you happen to have a reference that shows that:
> -U. Wien checks R packages on submission for malicious code
> -R repository servers have filters in place.
No. Ask them
-- Bert
>
> Thanks again!
>
> On Thu, Dec 8, 2016 at 1:13 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
>> Dimitri:
>>
>>
>>
>>
>> On Thu, Dec 8, 2016 at 10:05 AM, Dimitri Liakhovitski
>> <dimitri.liakhovitski at gmail.com> wrote:
>>> I just thought maybe there is something - about the process of
>>> submitting packages or anything like that - that shows that at least
>>> some diligence is being done to ensure that a given package is not
>>> just a piece of malware from ISIS or Russia.
>>> But if you, Bert, say it's not the case, then I'll believe you.
>>
>> ** I DID NOT SAY THAT ***
>>
>> You asked for **guarantees." R has none. But of course U. Wien checks
>> R packages on submission for malicious code (it is one reason binary
>> submissions are generally not permitted) and R repository servers of
>> course have filters in place. BUT THERE ARE NO GUARANTEES, explicit or
>> implied.
>>
>> Cheers,
>> Bert
>>
>>
>>
>>>
>>> I've asked my question after I received the following email from a
>>> partner company (that is a SaS company):
>>> They are starting to work with R and we are delivering some R code to
>>> them that will run in the background. I mentioned that certain R
>>> packages have to be installed in order for the code to run and got
>>> this:
>>>
>>> "I’m also going to assume that our team will want to vet any package
>>> you request. We’re big fans of open source and leveraging 3rd party
>>> libraries but are keenly aware of the risks in “inviting strangers
>>> into your house”."
>>>
>>> This is why I asked.
>>> So, I guess, my response should be - yes, please, go ahead and "vet"
>>> them any way you want.
>>> Thank you!
>>>
>>> On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
>>>> 1. What does "Safe" mean???
>>>>
>>>> 2. From the R banner on startup:
>>>>
>>>> "R is free software and comes with ABSOLUTELY NO WARRANTY."
>>>>
>>>> Don't think it could be clearer than that!
>>>>
>>>> Cheers,
>>>> Bert
>>>>
>>>>
>>>> Bert Gunter
>>>>
>>>> "The trouble with having an open mind is that people keep coming along
>>>> and sticking things into it."
>>>> -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )
>>>>
>>>>
>>>> On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski
>>>> <dimitri.liakhovitski at gmail.com> wrote:
>>>>> Guys,
>>>>>
>>>>> suddenly, I am being asked for a proof that R packages that are not
>>>>> '"base" are safe. I've never been asked this question before.
>>>>>
>>>>> Is there some documentation on CRAN that discusses how it's ensured
>>>>> that all "official" R packages have been "vetted" and are safe?
>>>>>
>>>>> Thanks a lot!
>>>>>
>>>>> --
>>>>> Dimitri Liakhovitski
>>>>>
>>>>> ______________________________________________
>>>>> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
>>>>> https://stat.ethz.ch/mailman/listinfo/r-help
>>>>> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
>>>>> and provide commented, minimal, self-contained, reproducible code.
>>>
>>>
>>>
>>> --
>>> Dimitri Liakhovitski
>
>
>
> --
> Dimitri Liakhovitski
More information about the R-help
mailing list