[R-pkg-devel] Questions about third-party package distribution, especially with respect to security

Mark van der Loo mark.vanderloo at gmail.com
Mon Sep 18 05:57:02 CEST 2017


Dear Robert,

R supports package repositories out of the box. A repository is just a way
of organizing files. The most popular repositories are CRAN and
Bioconductor. There is even a package that allows you to set up your own
repository on Github (the drat package).

It depends on the repository maintainer whether and how things are checked. My
experience is limited to CRAN, so I'll comment on that.

The main point of reference is the CRAN repository policy:
https://cran.r-project.org/web/packages/policies.html

Before a package is accepted, CRAN performs an extensive number of
automated checks, ranging from whether code is valid R, to running coded
examples and unit tests (if any). Also, some consistency between exported
functionality and documentation is enforced. When packages are submitted
the first time, there is also some manual checking regarding intellectual
property. Importantly, packages that are updated are not allowed to break
any package depending on them. This is checked as well.

For an introduction to CRAN it is also worth checking out Uwe Ligges'
keynote at this year's useR! conference.
https://channel9.msdn.com/Events/useR-international-R-User-conferences/useR-International-R-User-2017-Conference/KEYNOTE-20-years-of-CRAN


Best,
-M
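The "a repository is just a way of organizing files" point above, as an added example that is not part of the thread: building a minimal CRAN-style source repository on local disk with the tools that ship with R, then having the consumer side compare a tarball's checksum against the repository index before installing. It assumes a hypothetical package tarball `mypkg_0.1.0.tar.gz` already built with `R CMD build` in the working directory.

```r
## Added example (not from the thread): a minimal CRAN-style source
## repository on local disk, plus a checksum verification step a
## consumer can run before installing from it.
## Assumption: mypkg_0.1.0.tar.gz is a hypothetical tarball produced
## by `R CMD build mypkg` and sits in the current working directory.

repo    <- file.path(tempdir(), "myrepo")
contrib <- file.path(repo, "src", "contrib")   # layout install.packages() expects
dir.create(contrib, recursive = TRUE, showWarnings = FALSE)

tarball <- "mypkg_0.1.0.tar.gz"
stopifnot(file.copy(tarball, contrib, overwrite = TRUE))

## Write the PACKAGES / PACKAGES.gz index; by default it records an
## MD5sum for every tarball alongside Package and Version.
tools::write_PACKAGES(contrib, type = "source")

repo_url <- paste0("file://", repo)

## Consumer side: read the index and compare the checksum of the file
## actually on disk with the one the index advertises.
db       <- available.packages(repos = repo_url, type = "source")
expected <- db["mypkg", "MD5sum"]
actual   <- unname(tools::md5sum(file.path(contrib, tarball)))
if (!identical(expected, actual)) {
  stop("checksum mismatch for ", tarball, ": index says ", expected,
       " but file has ", actual)
}

install.packages("mypkg", repos = repo_url, type = "source")
```

The checksum only shows that the tarball matches the index served from the same place; it says nothing about who published either, which is the trust question a repository policy like CRAN's has to answer.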
On Sun 17 Sep 2017 at 21:56, Robert Dodier <robert.dodier at gmail.com> wrote:

> Hi, people other than the R developers can create packages which use R
> to do interesting things. I gather such packages are mostly
> distributed via CRAN, is that right? I am curious to know about the
> process for approving such packages.
>
> How much effort goes into reviewing and vetting packages? Is there any
> process for approving packages before publication? Have any security
> problems ever been encountered in third-party packages? Does the
> package distributor make any statements as to guarantees about
> security or the lack of them?
>
> The reason I ask these questions is that we are debating package
> distribution over in the Maxima project, and I would just like to
> check in and see what you have encountered and how it has been
> resolved. Thanks for any light you can shed on this topic.
>
> best,
>
> Robert Dodier
> Maxima project administrator and developer
>
