[R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit
Vladimir Dergachev
vo|ody@ @end|ng |rom m|nd@pr|ng@com
Sat May 4 07:17:34 CEST 2024
On Fri, 3 May 2024, Ivan Krylov via R-package-devel wrote:
> Dear Maciej Nasinski,
>
> On Fri, 3 May 2024 11:37:57 +0200
> Maciej Nasinski <nasinski.maciej using gmail.com> wrote:
>
>> I believe we must conduct a comprehensive review of all existing CRAN
>> packages.
>
> Why now? R packages are already code. You don't need poisoned RDS files
> to wreak havoc using an R package.
>
> On the other hand, R data files contain R objects, which contain code.
> You don't need exploits to smuggle code inside an R object.
>
I think the confusion arises because users expect "R data files" to only
contain data, i.e. numbers, but they can contain any R object, including
functions.
I, personally, never use them out of concern that accidentally saved
function can override some functionality and be difficult to debug. And,
of course, I never save R sessions.
If you need to pass data it is a good idea to use some common format like
tab-separated CSV files with column names. One can also use MVL files
(RMVL package).
best
Vladimir Dergachev
More information about the R-package-devel
mailing list