[R] registry vulnerabilities in R

Marc Schwartz marc_schwartz at me.com
Wed May 9 18:41:43 CEST 2012


On May 9, 2012, at 11:00 AM, Barry Rowlingson wrote:

>>> Someone said:
> 
>>> Once R is accepted, you could ask for an RStudio test if you want.
> 
> I had another thought shortly after my initial email. Suppose yes, R
> is accepted. Great. You run R.
> 
> Then you think, "Oh, I need ggplot2" (yes you do). Do you then have
> to get security clearance for every package you want to download from
> CRAN?
> 
> Barry

That will depend upon their internal procedures/policies.

Presuming that the initial hurdle for R itself is overcome, for third-party packages, whether from CRAN or elsewhere, Paul might see if the folks involved in the review process would allow him to install these to a local private folder tree, where it may be possible that security-related concerns may be more mitigated and provide more flexibility than if for a system-wide install. In other words, see if there is some way to, in effect, sandbox the additional components, that would be acceptable.

A quick review of the lengthy output that Paul provided in the original post seems to suggest that the majority, if not all, of the registry-related issues are specific to RStudio itself and not to R.

Third-party packages, of course, may have additional code that can perform a variety of activities (access/modify local system resources, access external IPs, etc.), so it would not be a surprise to me that there may need to be a package-by-package review and approval process.

Of course, the mere process of downloading and installing CRAN or other packages means that access to external IPs would be required, which appears to be part of the restrictions. It would be interesting to find out how updates "over the net" are handled for the approved applications. Are these allowed or are they controlled by a central authority?

So an internal discussion would be required to understand how R would fit within the policy and procedure constraints in place. It is clear that despite the subject heading for this thread, registry related issues are only a part of the underlying "problem".

It would also be of value to know how other folks, operating in similar 'restricted' environments, either inside or outside the U.S., have overcome these issues, so that Paul may learn from their experience. We do, for example, get posts here now and then from folks with U.S. ".mil" domain e-mail addresses. So there appear to be folks using R in such environments, unless they are using R, but not on DOD owned systems.

Regards,

Marc
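As an added illustration of the "local private folder tree" idea in the message above (this is example code written for this page, not code from the thread or from the R project), the following R session configures a per-user package library and installs only from locally reviewed sources, so that nothing is written to the system-wide R tree and no outbound connection is made at install time. The library path, the internal mirror URL, the tarball location and the digest value are all assumptions. One caveat a reviewer would want stated: a private library keeps package files out of the system tree and avoids needing administrative rights, but it does not restrict what package code can do once it is loaded, which is why the package-by-package review described above still matters.

```r
## Example configuration (not from the thread): a private per-user package
## library fed from a reviewed internal source instead of external CRAN hosts.
## All paths, URLs and digests below are assumptions to be replaced locally.

private_lib <- file.path(Sys.getenv("HOME"), "R", "library")   # assumed per-user library
local_repo  <- "file:///srv/cran-mirror"                        # assumed internal CRAN mirror
                                                                # (must contain src/contrib/PACKAGES)

## Create the private library and put it first on the search path for this
## session. To make this persistent, set R_LIBS_USER in ~/.Renviron instead
## (for example R_LIBS_USER=~/R/library); R reads that file at startup.
dir.create(private_lib, recursive = TRUE, showWarnings = FALSE)
.libPaths(c(private_lib, .libPaths()))

## Replace the default CRAN repository with the internal mirror only, so every
## install.packages() call goes through whatever central vetting the mirror
## represents rather than fetching directly from external hosts.
options(repos = c(CRAN = local_repo))

## Install a package (and its dependencies) from the internal mirror into the
## private library. Nothing is written under R.home().
install_from_mirror <- function(pkg) {
  install.packages(pkg, lib = private_lib, dependencies = TRUE)
}

## Install a single tarball that the approval process has reviewed and hashed.
## The digest is compared against the value the reviewer recorded before
## anything is unpacked; base R only ships md5sum, which detects a mismatch
## against the reviewer's record but is not a signature.
install_reviewed_tarball <- function(tarball, expected_md5) {
  actual_md5 <- unname(tools::md5sum(tarball))
  if (!identical(actual_md5, expected_md5)) {
    stop("tarball digest does not match the approved value; refusing to install")
  }
  install.packages(tarball, repos = NULL, type = "source", lib = private_lib)
}

## Usage (assumed names and placeholder digest):
install_from_mirror("ggplot2")
install_reviewed_tarball("/srv/approved/somepkg_<version>.tar.gz",
                         "<md5 recorded by the reviewer>")

## Confirm where packages actually landed and load from the private library.
installed.packages(lib.loc = private_lib)[, c("Package", "Version", "LibPath")]
library(ggplot2, lib.loc = private_lib)
```

The `LibPath` column of the final `installed.packages()` call is the quick check that nothing was installed system-wide; if a package shows up under `R.home("library")` instead, the session's `.libPaths()` order or `R_LIBS_USER` was not applied.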



More information about the R-help mailing list