[R-pkg-devel] Urgent Review of R Packages in Light of Recent RDS Exploit

Vladimir Dergachev volodya using mindspring.com
Sat May 4 18:53:07 CEST 2024



On Sat, 4 May 2024, Maciej Nasinski wrote:

> Thank you all for the discussion. Then, we should promote "code awareness" and count on the CRAN Team to continue their great work :)
> 
> What do you think about promoting containers?
> Nowadays, containers are more accessible, with GitHub codespaces being more affordable (mostly free for students and the educational sector).
> I feel containers can help a little bit in making the R work more secure, but once more when used properly.

I think it is not a good idea to focus on one use case. Some people will 
find containers more convenient, some won't.

If you want security, I am sure containers are not the right approach - 
get a separate physical computer instead.

From a convenience point of view, containers are only OK as long as you 
don't need to interface with outside software; then it gets tricky, as the 
security keeping things containerized starts interfering with getting work 
done. (Prime example: firefox snap on ubuntu)

One situation where containers can be helpful is distribution of 
commercial applications. Containers allow you to freeze library versions, 
so your app can still run with old C library or a specific version of 
Python. You can then _hope_ that containers will have fewer compatibility 
issues, or at least you can sell containers to your management on this 
idea.

But this is not really a good thing for an open source project like R.

best

Vladimir Dergachev

> 
> KR
> Maciej Nasinski
> University of Warsaw
> 
> On Sat, 4 May 2024 at 07:17, Vladimir Dergachev <volodya using mindspring.com> wrote:
> 
>
>       On Fri, 3 May 2024, Ivan Krylov via R-package-devel wrote:
>
>       > Dear Maciej Nasinski,
>       >
>       > On Fri, 3 May 2024 11:37:57 +0200
>       > Maciej Nasinski <nasinski.maciej using gmail.com> wrote:
>       >
>       >> I believe we must conduct a comprehensive review of all existing CRAN
>       >> packages.
>       >
>       > Why now? R packages are already code. You don't need poisoned RDS files
>       > to wreak havoc using an R package.
>       >
>       > On the other hand, R data files contain R objects, which contain code.
>       > You don't need exploits to smuggle code inside an R object.
>       >
>
>       I think the confusion arises because users expect "R data files" to only
>       contain data, i.e. numbers, but they can contain any R object, including
>       functions.
>
>       I, personally, never use them out of concern that accidentally saved
>       function can override some functionality and be difficult to debug. And,
>       of course, I never save R sessions.
>
>       If you need to pass data it is a good idea to use some common format like
>       tab-separated CSV files with column names. One can also use MVL files
>       (RMVL package).
>
>       best
>
>       Vladimir Dergachev
> 
> 
>

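The point made in the quoted reply, that an "R data file" is a serialised R object and may therefore carry a function rather than just numbers, and that load() can silently rebind an existing name, is illustrated by the following added example. It is not code from the thread, from the RMVL package or from the R project; the file names, the payload and the helper find_code() are my own, the sample data is constructed inline, and everything is written to a temporary directory so it runs offline. Note that find_code() inspects an object after readRDS() has already deserialised it, so it addresses "the object contains code" and not a flaw in the deserialiser itself.

```r
# Added example (not from the thread): .rds/.RData files are serialised R
# objects, and such an object may be, or contain, a function. This script
# builds such files in a temp directory (constructed sample data), shows how
# load() silently rebinds a name, and scans a deserialised object for
# embedded code before anything is evaluated. All file and helper names are
# assumptions for the example.

options(keep.source = FALSE)   # keeps the scan output below deterministic
tmp <- tempdir()

# --- 1. a "data" file that actually carries a function ----------------------
payload <- list(
  measurements = data.frame(id = 1:3, value = c(0.1, 0.2, 0.3)),
  # a closure hiding in a list element; nothing runs until it is called
  summarise = function(x) { message("closure from the data file ran"); sum(x) }
)
rds_path <- file.path(tmp, "measurements.rds")
saveRDS(payload, rds_path)

obj <- readRDS(rds_path)
str(obj, max.level = 1)            # shows $summarise as a function

# --- 2. .RData can rebind an existing name on load() -----------------------
mean <- function(x, ...) "not the real mean"   # file-chosen binding
rdata_path <- file.path(tmp, "session.RData")
save(mean, file = rdata_path)
rm(mean)

mean(c(1, 2, 3))                   # 2: base::mean
load(rdata_path)                   # rebinds `mean` in the global environment
mean(c(1, 2, 3))                   # "not the real mean"
rm(mean)

# Safer: load into a fresh environment and pick what you need explicitly
e <- new.env()
loaded <- load(rdata_path, envir = e)
print(loaded)                      # names that would otherwise have been (re)bound
mean(c(1, 2, 3))                   # still base::mean

# --- 3. scan a deserialised object for code before using it ----------------
# Recursively walk lists and attributes and report anything that is not
# plain data: closures, unevaluated calls/symbols, environments, pointers.
find_code <- function(x, path = "obj") {
  hits <- character()
  if (is.function(x) || is.language(x) || is.environment(x) ||
      typeof(x) %in% c("promise", "externalptr", "bytecode")) {
    hits <- c(hits, paste0(path, " <", typeof(x), ">"))
  }
  if (is.list(x)) {
    nms <- names(x)
    if (is.null(nms)) nms <- rep("", length(x))
    for (i in seq_along(x)) {
      nm <- if (nzchar(nms[i])) paste0("$", nms[i]) else paste0("[[", i, "]]")
      hits <- c(hits, find_code(x[[i]], paste0(path, nm)))
    }
  }
  at <- attributes(x)
  if (!is.null(at)) {
    for (nm in setdiff(names(at), c("names", "dim", "dimnames", "row.names"))) {
      hits <- c(hits, find_code(at[[nm]], paste0(path, "@", nm)))
    }
  }
  hits
}
find_code(obj)                     # "obj$summarise <closure>"

# --- 4. pass the data itself in a plain-text format -------------------------
csv_path <- file.path(tmp, "measurements.tsv")
write.table(payload$measurements, csv_path, sep = "\t",
            row.names = FALSE, quote = FALSE)
read.delim(csv_path)               # a data.frame; a TSV cannot carry a closure
```

The scan in step 3 stops at environments rather than descending into them, since an environment can reference itself; a non-empty result from find_code() is the cue to discard the file or inspect it by hand rather than call anything it contains.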
