[R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

Vladimir Dergachev vo|ody@ @end|ng |rom m|nd@pr|ng@com
Sat May 4 07:17:34 CEST 2024



On Fri, 3 May 2024, Ivan Krylov via R-package-devel wrote:

> Dear Maciej Nasinski,
>
> On Fri, 3 May 2024 11:37:57 +0200
> Maciej Nasinski <nasinski.maciej using gmail.com> wrote:
>
>> I believe we must conduct a comprehensive review of all existing CRAN
>> packages.
>
> Why now? R packages are already code. You don't need poisoned RDS files
> to wreak havoc using an R package.
>
> On the other hand, R data files contain R objects, which contain code.
> You don't need exploits to smuggle code inside an R object.
>

I think the confusion arises because users expect "R data files" to only 
contain data, i.e. numbers, but they can contain any R object, including 
functions.

I, personally, never use them out of concern that an accidentally saved 
function can override some functionality and be difficult to debug. And, 
of course, I never save R sessions.

If you need to pass data, it is a good idea to use some common format like 
tab-separated CSV files with column names. One can also use MVL files 
(RMVL package).

best

Vladimir Dergachev
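As an added example (not part of the thread and not the author's code), an R helper that walks an object restored with readRDS() and lists any functions, calls, symbols or environments stored as list elements or attributes, so a "data" file can be inspected before anything in it is used. The file name and objects below are constructed for the demo; the walker only sees what is reachable as plain elements and attributes.

```r
# Added example: report executable components hidden in an R object.
find_code <- function(x, path = "<root>") {
  hits <- character()
  if (is.function(x) || is.call(x) || is.name(x) || is.environment(x)) {
    hits <- c(hits, paste0(path, " : ", class(x)[1]))
  }
  # Attributes can carry closures too; skip structural ones and do not
  # descend into a function's own srcref/srcfile attributes.
  if (!is.function(x)) {
    attrs <- attributes(x)
    skip <- c("names", "dim", "dimnames", "row.names", "class", "levels")
    for (nm in setdiff(names(attrs), skip)) {
      hits <- c(hits, find_code(attrs[[nm]], paste0(path, "@", nm)))
    }
  }
  # Recurse into lists and data frames (columns are list elements).
  if (is.list(x) && !is.environment(x)) {
    nms <- names(x)
    for (i in seq_along(x)) {
      lbl <- if (!is.null(nms) && nzchar(nms[i])) nms[i] else paste0("[[", i, "]]")
      hits <- c(hits, find_code(x[[i]], paste0(path, "$", lbl)))
    }
  }
  hits
}

# Constructed demo: a harmless-looking data frame with a function smuggled in
# as an attribute, plus a list element that is itself a closure.
tmp <- tempfile(fileext = ".rds")
df <- data.frame(id = 1:3, value = c(2.5, 3.1, 4.7))
attr(df, "loader") <- function() message("hidden function was called")
payload <- list(data = df, helper = function(x) x + 1)
saveRDS(payload, tmp)

obj <- readRDS(tmp)
hits <- find_code(obj)   # both smuggled functions are reported with their paths
if (length(hits) > 0) {
  warning("RDS object carries executable components:\n  ",
          paste(hits, collapse = "\n  "))
}
unlink(tmp)
```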


