On Tue, 29 Aug 2023 15:43:24 +0000 "Jones, Jonathan D [US] (SP)" <jonathan.jo...@ngc.com> writes:
> Has any consideration or work been done to document or perform
> vulnerability testing for the R packages?

Is it specifically about third-party R packages or about the R ecosystem as a whole, including R itself?

This depends on your threat model, but generally, it's best not to process untrusted data in R. As an example, see the stack overflow in unserialize(), reported on R Bugzilla a few years ago.

I am not aware of any current vulnerabilities in R's built-in help server or the network server packages hosted on CRAN, but I am not aware of them having passed security audits, either, so it's best not to let R listen on network ports on public networks.

> It would be a huge help to have a way to package whatever
> tools/libraries/etc into an ad hoc package

CRAN packages are supposed to declare their third-party dependencies in the SystemRequirements: field of their DESCRIPTION, but that's not the only way a package could be bringing third-party code into the address space of the R process. For example, some packages bundle their dependencies inside the package archive without declaring anything, which may mean falling behind in terms of security updates. The CRAN team does their best to enforce the policy regarding third-party dependencies [*], but CRAN packages come with no warranty.

> or a breakdown of an R release contents

Would R Installation and Administration [**] help? R has a few third-party dependencies, slightly different depending on the platform (Windows/macOS/Unix-alikes), so make sure to check the sections for all operating systems.

> Developers ask for specific library files and if I could map them to
> a package it would greatly reduce the amount of research.

By library files, do you mean external dependencies of a package, the packages themselves, or something completely different?
-- 
Best regards,
Ivan

[*] https://cran.r-project.org/web/packages/policies.html
[**] https://cran.r-project.org/doc/manuals/r-release/R-admin.html

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
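The reply above makes two points a package auditor can act on: a CRAN package is supposed to list its native dependencies in the SystemRequirements: field of DESCRIPTION, and a package can also carry third-party code it never declares by vendoring it under src/. The script below is an added example (not code from the thread, from R, or from CRAN) that parses DESCRIPTION records, extracts the declared system requirements, flags src/ subdirectories that hold native sources as probable bundled libraries, and answers the original poster's question of mapping a library name back to the packages that use it. It is written in Python rather than R so that it runs without an R installation; the three DESCRIPTION files and file lists in SAMPLE_PACKAGES are constructed for the example and do not describe real packages, and the "subdirectory under src/ means a vendored library" rule is a heuristic assumption, not a CRAN rule. Because SystemRequirements is free text, the library matching is a case-insensitive substring match and should be treated as a starting point for review, not a verdict.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath


def parse_dcf(text: str) -> dict:
    """Parse one DESCRIPTION record (Debian Control File format).

    A field is 'Name: value'; a line starting with whitespace continues
    the previous field's value.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            fields[current] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed DCF line: {line!r}")
        current = name.strip()
        fields[current] = value.strip()
    return fields


# Version constraints such as "(>= 1.2.11)" are dropped to get a bare name.
_VERSION_RE = re.compile(r"\s*\(.*?\)")

# File extensions treated as native source; anything else under src/ is ignored.
_SOURCE_EXT = {".c", ".cc", ".cpp", ".h", ".hpp", ".f", ".f90"}


def declared_system_requirements(desc: dict) -> list:
    """Names listed in SystemRequirements:, split on commas/semicolons."""
    raw = desc.get("SystemRequirements", "")
    names = []
    for part in re.split(r"[,;]", raw):
        part = _VERSION_RE.sub("", part).strip()
        if part:
            names.append(part)
    return names


def bundled_source_dirs(files: list) -> set:
    """Subdirectories of src/ containing native sources.

    Assumption (heuristic): a vendored library usually lands as
    src/<libname>/..., which SystemRequirements never records.
    """
    dirs = set()
    for f in files:
        parts = f.split("/")
        if len(parts) >= 3 and parts[0] == "src":
            if PurePosixPath(f).suffix.lower() in _SOURCE_EXT:
                dirs.add(parts[1])
    return dirs


@dataclass
class PackageAudit:
    name: str
    version: str
    declared: list
    bundled: set


def audit_package(description_text: str, files: list) -> PackageAudit:
    desc = parse_dcf(description_text)
    return PackageAudit(
        name=desc["Package"],
        version=desc.get("Version", ""),
        declared=declared_system_requirements(desc),
        bundled=bundled_source_dirs(files),
    )


def packages_using(library: str, audits: list) -> dict:
    """Map a library name to the packages using it and how ('declared' and/or 'bundled')."""
    needle = library.lower()
    hits = {}
    for a in audits:
        how = []
        if any(needle in d.lower() for d in a.declared):
            how.append("declared")
        if any(needle in b.lower() for b in a.bundled):
            how.append("bundled")
        if how:
            hits[a.name] = how
    return hits


# Constructed sample inputs: minimal DESCRIPTION texts and file lists,
# not taken from any real CRAN package.
SAMPLE_PACKAGES = {
    "netclient": (
        "Package: netclient\nVersion: 1.0.2\nTitle: Example HTTP client\n"
        "SystemRequirements: libcurl (>= 7.58), OpenSSL (>= 1.1.1),\n    zlib\n",
        ["src/client.c", "R/client.R", "DESCRIPTION"],
    ),
    "fastzip": (
        "Package: fastzip\nVersion: 0.3.0\nTitle: Compression helpers\n",
        ["src/wrap.c", "src/zlib/inflate.c", "src/zlib/zlib.h", "R/zip.R"],
    ),
    "pureR": (
        "Package: pureR\nVersion: 2.1\nTitle: No native code\n",
        ["R/utils.R", "DESCRIPTION", "NAMESPACE"],
    ),
}


def audit_all(samples=SAMPLE_PACKAGES) -> list:
    return [audit_package(desc, files) for desc, files in samples.values()]


if __name__ == "__main__":
    audits = audit_all()
    for a in audits:
        print(f"{a.name} {a.version}: declared={a.declared} bundled={sorted(a.bundled)}")
    print("zlib is used by:", packages_using("zlib", audits))
```

To run this against a real library, replace SAMPLE_PACKAGES with the DESCRIPTION contents and recursive file listings of each directory under your R library path; the fastzip case shows the situation the reply warns about, a package that ships zlib under src/ while declaring nothing, which no SystemRequirements scan alone would reveal.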