[R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

Maciej Nasinski nasinski.maciej sending from gmail.com
Fri May 3 18:17:52 CEST 2024


Hey All,

Once more, Ivan, thank you for your great blog post.
I found the https://github.com/hrbrmstr/rdaradar solution and ran it on the
100 most downloaded R packages.
Happily, all data/inst rda files are safe/non-exposed to the RDS exploit (using
the linked solution).
Please access my fork for the results
https://github.com/Polkas/rdaradar/blob/main/cran_top_results.txt and the
run https://github.com/Polkas/rdaradar/blob/main/iter_all.R

It would be great to run it on all CRAN packages, but I imagine we should be
sure that the check is decent enough so as not to overload the servers without
need.

KR
Maciej Nasinski
University of Warsaw

On Fri, 3 May 2024 at 12:23, Maciej Nasinski <nasinski.maciej using gmail.com>
wrote:

> Dear Ivan,
>
> Your blog post is fantastic and I have already started to promote it on
> LinkedIn with full credit to you.
>
> KR
> Maciej Nasinski
> University of Warsaw
>
> > On 3 May 2024, at 12:04, Maciej Nasinski <nasinski.maciej using gmail.com>
> > wrote:
> >
> > Dear Ivan,
> >
> > Thank you for such a quick response.
> > “It may be worth teaching people that, in general, R data files should be
> > as trusted as R code.” I totally agree, and that's why I wrote that any
> > code can be dangerous if run without proper scrutiny.
> > A few LinkedIn posts, most probably generated by ChatGPT (a lot of icons
> > in them), have done a lot of harm lately. For sure I will try to make a post
> > in my community and will remind people that any code can be dangerous.
> >
> > BTW, we can limit the possible scan with crandb download stats to only
> > those packages which have more than x downloads a day :) I imagine it will
> > be a demanding project.
> >
> > KR
> > Maciej Nasinski
> > University of Warsaw
> >
> > > On 3 May 2024, at 11:52, Ivan Krylov <ikrylov using disroot.org> wrote:
> > >
> > > It may be worth teaching people that in general, R data files should be
> > > as trusted as R code.
>
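
The scan of the top-100 packages above and Ivan's point that R data files deserve the same trust as R code share one practical consequence: a checker must not load the files it inspects (readRDS()/load() is exactly the step the exploit abuses), so it has to read the serialization stream structurally. The following is an added example written for this thread, not rdaradar's code nor anything from the original post. It walks an .rds/.rda/.RData file's XDR stream and reports "promise" as soon as it meets a promise node (PROMSXP), the node type the exploit discussed here embeds in data files. The stream layout follows R's serialize.c as I understand it (an assumption); any node type the walker does not model (environments, bytecode, external pointers, ...) yields "unparsed" rather than a false "clean". The sample streams at the bottom are constructed by hand; the "promise" sample is deliberately truncated after the type flag, which is enough to test detection and is not a loadable payload.

```python
import bz2, gzip, lzma, struct

# SEXP type codes used by R's serializer (Rinternals.h / serialize.c).
PROMSXP, SYMSXP, LISTSXP, CLOSXP, LANGSXP, CHARSXP, SPECIALSXP = 5, 1, 2, 3, 6, 9, 7
BUILTINSXP, INTSXP, STRSXP, DOTSXP, VECSXP, EXPRSXP, S4SXP = 8, 13, 16, 17, 19, 20, 25
ALTREP_SXP, REFSXP, NILVALUE_SXP = 238, 255, 254
NO_DATA = {254, 253, 252, 251, 247, 242, 241}      # NULL, envs, unbound, missing arg
PAIRLIKE = {LISTSXP, LANGSXP, CLOSXP, DOTSXP}
ELEMENT_BYTES = {10: 4, INTSXP: 4, 14: 8, 15: 16, 24: 1}   # lgl, int, real, cplx, raw
DECOMPRESSORS = ((b"\x1f\x8b", gzip.decompress), (b"BZh", bz2.decompress), (b"\xfd7zXZ\x00", lzma.decompress))

class Verdict(Exception):
    pass                                   # message is the final verdict string

class Walker:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise Verdict("unparsed: truncated stream")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def int32(self):                       # XDR ints are big-endian, signed
        return struct.unpack(">i", self.take(4))[0]

    def length(self):                      # -1 announces a 64-bit length in two ints
        n = self.int32()
        return ((self.int32() << 32) + self.int32()) if n == -1 else n

    def header(self):
        if self.take(2) != b"X\n":
            raise Verdict("unparsed: not an XDR stream")
        version = self.int32()
        self.int32(); self.int32()         # writer R version, minimum reader version
        if version == 3:
            self.take(self.int32())        # native encoding name
        elif version != 2:
            raise Verdict(f"unparsed: version {version}")

    def item(self):
        flags = self.int32()
        t, has_attr, has_tag = flags & 0xFF, flags & (1 << 9), flags & (1 << 10)
        if t == PROMSXP: raise Verdict("promise")   # first promise anywhere in the tree wins
        if t in NO_DATA: return
        if t == REFSXP:                    # back-reference: index inline or in next int
            if flags >> 8 == 0: self.int32()
        elif t == SYMSXP:                  # a symbol is just its CHARSXP name
            self.item()
        elif t in PAIRLIKE:                # attributes and tag precede CAR and CDR
            if has_attr: self.item()
            if has_tag: self.item()
            self.item(); self.item()
        elif t == ALTREP_SXP:              # info, state, attributes
            for _ in range(3): self.item()
        else:                              # vectors: payload first, attributes after
            if t in (CHARSXP, SPECIALSXP, BUILTINSXP):   # plain int length; -1 = NA string
                n = self.int32()
                if n != -1: self.take(n)
            elif t in ELEMENT_BYTES:
                self.take(ELEMENT_BYTES[t] * self.length())
            elif t in (STRSXP, VECSXP, EXPRSXP):
                for _ in range(self.length()): self.item()
            elif t != S4SXP:               # environments, bytecode, external pointers, ...
                raise Verdict(f"unparsed: node type {t}")
            if has_attr:
                self.item()

def scan_bytes(raw):
    """Return 'promise', 'clean' or 'unparsed: <why>' for one .rds/.rda/.RData file."""
    raw = next((fn for m, fn in DECOMPRESSORS if raw.startswith(m)), lambda b: b)(raw)
    if raw[:5] in (b"RDX2\n", b"RDX3\n"): raw = raw[5:]   # save()/load() wrapper
    w = Walker(raw)
    try:
        w.header(); w.item()
    except Verdict as v:
        return str(v)
    return "clean"

def _i(n): return struct.pack(">i", n)

# Constructed samples: version-2 header (R version ints nominal), c(a = 1L) laid out
# by hand, and a stream whose first node is a promise (truncated on purpose).
HEADER = b"X\n" + _i(2) + _i(0x40300) + _i(0x20300)
CLEAN = HEADER + (_i(INTSXP | 1 << 9) + _i(1) + _i(1)               # int vector + attrs
                  + _i(LISTSXP | 1 << 10) + _i(SYMSXP) + _i(CHARSXP) + _i(5) + b"names"
                  + _i(STRSXP) + _i(1) + _i(CHARSXP) + _i(1) + b"a" + _i(NILVALUE_SXP))
PROMISE = HEADER + _i(PROMSXP)

def demo():                                # verdicts for every container the scanner accepts
    return {"clean_raw": scan_bytes(CLEAN),
            "clean_rds_gz": scan_bytes(gzip.compress(CLEAN)),
            "clean_rda_xz": scan_bytes(lzma.compress(b"RDX2\n" + CLEAN)),
            "promise": scan_bytes(PROMISE),
            "truncated": scan_bytes(CLEAN[:-3]),
            "bytecode": scan_bytes(PROMISE[:-4] + _i(21))}
```

To run it over a package, feed scan_bytes() the bytes of every file under data/, inst/ and R/sysdata.rda in the source tarball (without installing or loading the package) and treat "unparsed" as "inspect by hand", never as clean; being conservative here is what keeps the check cheap enough to run across CRAN without the server load the thread worries about, because nothing is ever evaluated.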
