[R] Requesting Assistance with a Backend Question

[Ivan Krylov]

On Tue, 24 Sep 2019 22:35:39 +0000
"Caughman, Vanessa (OATH)" <vcaughman using oath.nyc.gov> wrote:

> Does this application require any access, on the backend, when
> processing or performing analytics; to any parts of the Cloud
> environment.

The answer is: no, but see the fine print.

Core R code (i.e. the one you can get by navigating to
https://cran.r-project.org/ and clicking "Download R for (operating
system)") does *not* use Internet services to perform analytics. A part
of core R is its package system (not used to perform analytics per se),
and its functions like install.packages() function do access CRAN
servers by default (though one could specify the repos = ... argument
to make it access local filesystem or another server of your choice)
to download packages of code provided by other users of R. Packages
installed from CRAN may want to access the Internet or execute
arbitrary code with local user access rights. Though there is a policy
[*] to keep things sane and a review process, mistakes may slip though.

Same goes for any kind of programming environment with a repository of
user-supplied code (Perl and CPAN, Python and PyPI, Rust and
crates.io, JavaScript and NPM...). There are also distributions of R
prepared by third parties, such as Anaconda R, Microsoft R Open, and
third party graphical front-ends for R, such as R-Studio, R commander,
RKWard, JGR, which are also outside of the scope of core R.

But one shouldn't trust the advice of J. Random Hacker from the
Internet to determine whether R is safe (subject to whatever definition
of "safe"). Since R is, indeed, free software, it is possible to
exercise the freedom to study how the program works by looking at the
source code [**] and conducting a security audit.

-- 
Best regards,
Ivan

[*] https://cran.r-project.org/web/packages/policies.html

[**] https://cloud.r-project.org/src/base/R-3/R-3.6.1.tar.gz