[R] (no subject)

Bert Gunter
Wed Oct 6 15:56:14 CEST 2021


Perhaps it's R packages and the security policies -- checks for malicious
software, etc. -- of the repositories on which they reside that Thomas
should be concerned with. R, itself, is fine (checksums are provided), but,
as you say, can be programmed to do anything. So R packages can certainly
do damage. For CRAN, at least, I believe it's download at your own risk.
Presumably, virus checking capabilities at the local level could check all
such downloads, as per usual.

Correction and clarification of any of the above welcome of course.

Bert Gunter

"The trouble with having an open mind is that people keep coming along and
sticking things into it."
-- Opus (aka Berkeley Breathed in his "Bloom County" comic strip)


On Wed, Oct 6, 2021 at 2:53 AM Ivan Krylov <krylov.r00t using gmail.com> wrote:

> On Tue, 5 Oct 2021 22:20:33 +0000
> Thomas Subia <thomas.subia using fmindustries.com> wrote:
>
> > Some co-workers are wondering about how secure R software is.
>
> I'm afraid that this question is too hard to answer without their
> threat model. Secure against what, specifically?
>
> > Is there any documentation on this which I can forward to them?
>
> Well, R is a programming language. It's Turing-complete (see halting
> problem), will happily run machine code from shared objects (see
> dyn.load, .C, .Call), and install.packages() is there to download
> third-party code from the Internet. But that's the case with all
> programming languages I know that are used for statistics, which aren't
> supposed to run untrusted code.
>
> Maybe you're concerned about data input/output instead. Functions are
> first-class objects, so it's possible to save and load them from data
> files. Not sure if there's a way to run code on data load, but you can
> do it on print() (e.g. print.nls(x) calling x$m$getAllPars()), so don't
> load()/readRDS() untrusted data files. There are known bugs in the
> deserialiser, too: https://bugs.r-project.org/show_bug.cgi?id=16034
>
> Don't know if it's documented anywhere, though. What are your
> co-workers concerned about?
>
> --
> Best regards,
> Ivan
>
> ______________________________________________
> R-help using r-project.org mailing list -- To UNSUBSCRIBE and more, see
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide
> http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
>
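The print()-time dispatch and the first-class functions Ivan describes suggest a simple defensive check before displaying or using a deserialised object. The following is an added example, not code from the thread or from R itself; the function name audit_object and the two constructed sample objects are assumptions.

```r
# Added example; not code from the thread or from R itself.
# After readRDS()/load(), walk the object and report the parts that can
# carry code or steer dispatch: closures and other function types,
# environments, language objects, and class attributes (which pick the
# print/format method that runs when the object is displayed).
audit_object <- function(x, path = "obj", depth = 0L) {
  code_types <- c("closure", "builtin", "special", "environment",
                  "language", "promise", "expression", "externalptr")
  hits <- character(0)
  tp <- typeof(x)
  if (tp %in% code_types)
    hits <- c(hits, sprintf("%s: %s", path, tp))
  cls <- attr(x, "class", exact = TRUE)
  if (!is.null(cls))
    hits <- c(hits, sprintf("%s: class attribute %s", path,
                            paste(cls, collapse = "/")))
  if (depth > 50L)
    return(c(hits, sprintf("%s: recursion limit reached", path)))
  # Recurse into plain lists using dispatch-free accessors; environments
  # are reported but not entered because they can be cyclic.
  if (tp == "list") {
    xs <- unclass(x)
    nm <- attr(xs, "names", exact = TRUE)
    for (i in seq_along(xs)) {
      sub <- if (!is.null(nm) && nzchar(nm[i])) sprintf("%s$%s", path, nm[i])
             else sprintf("%s[[%d]]", path, i)
      hits <- c(hits, audit_object(.subset2(xs, i), sub, depth + 1L))
    }
  }
  # Remaining attributes can hold arbitrary objects too.
  skip <- c("class", "names", "dim", "dimnames", "row.names", "srcref")
  at <- attributes(x)
  for (a in setdiff(names(at), skip))
    hits <- c(hits, audit_object(at[[a]], sprintf("attr(%s, '%s')", path, a),
                                 depth + 1L))
  hits
}

# Constructed samples (assumed, not from the thread): a plain data frame, and
# a list that hides a closure behind an S3 class, the print()-time pattern
# described above. Audit them instead of printing them.
clean <- data.frame(a = 1:3)
suspicious <- structure(list(m = list(getAllPars = function() "ran at print")),
                        class = "nls")
audit_object(clean)
audit_object(suspicious)
```

Anything the audit flags in a file from an untrusted source is reason to stop before print(), str() or any method dispatch touches the object.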
