[R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

Maciej Nasinski
Sat May 4 08:09:28 CEST 2024


Thank you all for the discussion.
Then, we should promote "code awareness" and count on the CRAN Team to
continue their great work :)

What do you think about promoting containers?
Nowadays, containers are more accessible, with GitHub codespaces being more
affordable (mostly free for students and the educational sector).
I feel containers can help a little bit in making the R work more
secure, but, once more, when used properly.

KR
Maciej Nasinski
University of Warsaw

On Sat, 4 May 2024 at 07:17, Vladimir Dergachev <volodya using mindspring.com>
wrote:

>
>
> On Fri, 3 May 2024, Ivan Krylov via R-package-devel wrote:
>
> > Dear Maciej Nasinski,
> >
> > On Fri, 3 May 2024 11:37:57 +0200
> > Maciej Nasinski <nasinski.maciej using gmail.com> wrote:
> >
> >> I believe we must conduct a comprehensive review of all existing CRAN
> >> packages.
> >
> > Why now? R packages are already code. You don't need poisoned RDS files
> > to wreak havoc using an R package.
> >
> > On the other hand, R data files contain R objects, which contain code.
> > You don't need exploits to smuggle code inside an R object.
> >
>
> I think the confusion arises because users expect "R data files" to only
> contain data, i.e. numbers, but they can contain any R object, including
> functions.
>
> I, personally, never use them out of concern that an accidentally saved
> function can override some functionality and be difficult to debug. And,
> of course, I never save R sessions.
>
> If you need to pass data it is a good idea to use some common format like
> tab-separated CSV files with column names. One can also use MVL files
> (RMVL package).
>
> best
>
> Vladimir Dergachev
>
>
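The point raised above, that an .rds file is not "just numbers" but can carry any R object including functions, shown as an added example (not code from anyone in this thread). The helper names `classify` and `inspect_rds` are hypothetical; the sample file is constructed in a temporary directory.

```r
# Added example: walk a deserialized .rds object and report every component
# that is code rather than data (functions, language objects, environments,
# external pointers). Note the caveat: readRDS() has already deserialized the
# object by the time we look at it, so this is an audit aid, not a sandbox.

classify <- function(x) {
  switch(typeof(x),
    closure = , builtin = , special = "function",
    language = , symbol = , expression = "code",
    environment = "environment",
    externalptr = "external pointer",
    "data")
}

inspect_rds <- function(path) {
  obj <- readRDS(path)
  found <- character()
  walk <- function(x, where) {
    kind <- classify(x)
    if (kind != "data") {
      found <<- c(found, paste0(where, ": ", kind))
      return(invisible(NULL))
    }
    if (is.list(x)) {                       # lists, data.frames, pairlists
      nms <- names(x)
      for (i in seq_along(x)) {
        label <- if (!is.null(nms) && nzchar(nms[i])) nms[i]
                 else sprintf("[[%d]]", i)
        walk(x[[i]], paste0(where, "$", label))
      }
    }
    # attributes are R objects too and can hide non-data payloads
    for (a in setdiff(names(attributes(x)), "names")) {
      walk(attr(x, a, exact = TRUE), paste0(where, "@", a))
    }
  }
  walk(obj, "<root>")
  found
}

# Constructed sample: a list that looks like "data" but smuggles a function.
tmp <- tempfile(fileext = ".rds")
saveRDS(list(measurements = 1:3, helper = function() 0), tmp)
print(inspect_rds(tmp))

# Plain tabular data should report nothing.
saveRDS(data.frame(a = 1:2, b = c("x", "y")), tmp)
print(inspect_rds(tmp))
```

A clean result is an empty character vector; anything else names the component and the kind of code it holds, which is the check a reviewer would want before treating a shared .rds file as passive data.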
