[R] registry vulnerabilities in R

Paul Martin pamartin at alum.mit.edu
Tue Jun 5 20:58:51 CEST 2012


Update:

The IT people agreed to test R separately. R is now approved and RStudio
is not. The folks at RStudio are baffled as to why all those registry
entries are being recorded. They directed me to the source code which
details the known accesses to the registry during installation. I have
not yet followed the link. I suspect the registry vulnerability software
is flawed, or perhaps their procedures. (Are they installing into a clean
image? No idea.)

So, limited progress. I may just move my R work to Linux, where the
rules are different.

Thank you, everyone.

Paul Martin

On 5/9/2012 12:57 PM, Richard M. Heiberger wrote:
> One more item.  Have you given a copy of the document
>     R: Regulatory Compliance and Validation Issues A Guidance Document
> for the Use of R in Regulated Clinical Trial Environments
>     http://www.r-project.org/doc/R-FDA.pdf
> to your security office?
>
> It addresses overlapping, not identical, security issues.
>
> Rich
>
> On 5/9/12, Paul Martin<pamartin at alum.mit.edu>  wrote:
>> I don't have much new to add, but I want to make some clarifying comments:
>>
>> First, there are clearly workarounds available. I am using one now. R is
>> installed on a personal laptop which I bring to work every day. I take
>> extreme care with the nature of the files I move back and forth, and
>> none of this is classified. This is common practice here. Yes, it would
>> be nice if I could get R onto my desktop machine at work. It would save
>> me burning CDs to move plots back and forth. But it's not the end of the
>> world. My ability to get work done is not the issue here.
>>
>> The issue is the following: Is there anything here which is of concern to
>> the R community? I suspect the answer is no, but cannot say anything for
>> sure at this point.
>>
>> The registry analysis tool looks like it is custom software developed by
>> the Air Force. I can't get any specific information beyond that. That is
>> unfortunate, since it would be nice if the tests could be duplicated and
>> confirmed.
>>
>> We will get separate tests on R without RStudio.
>>
>> The registry analysis reports results in two sections: Registry entries
>> added and registry entries modified. There were no vulnerabilities found
>> in the "entries modified" section. All of the vulnerabilities are listed
>> under "entries added".
>>
>> I will let you know if I find out anything else. Certainly the isolated
>> test of the R software without RStudio will be of interest.
>>
>> Thank you all for your comments,
>>
>> Paul Martin
>>
>> On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
>>>>> Someone said:
>>>>> Once R is accepted, you could ask for an RStudio test if you want.
>>>    I had another thought shortly after my initial email. Suppose yes, R
>>> is accepted. Great. You run R.
>>>
>>>    Then you think, "Oh, I need ggplot2" (yes you do). Do you then have
>>> to get security clearance for every package you want to download from
>>> CRAN?
>>>
>>> Barry
>>>
>> ______________________________________________
>> R-help at r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-help
>> PLEASE do read the posting guide
>> http://www.R-project.org/posting-guide.html
>> and provide commented, minimal, self-contained, reproducible code.
>>


