On 12/8/2016 12:08 PM, Dimitri Liakhovitski wrote:
Thank you, Marc.
That's helpful!
I think, in this case it's mostly:

That they are virus/malware free.
And that they don't send out some info that they are not supposed to.


Doing those things is absolutely against CRAN policies, but you should get one of the CRAN maintainers to tell you the extent to which they check these things.


CRAN will reject a violation of these rules if they catch them, and they do scan for many possible problems. For example, I don't know if they'd catch a call to "q()" in a package if that line of code was not exercised in any of the standard tests. Even if they could catch that, I don't know if they'd catch "do.call(q, list())".


      Best Wishes,
      Spencer Graves

Thank you!
Dimitri


On Thu, Dec 8, 2016 at 1:04 PM, Marc Schwartz <marc_schwa...@me.com> wrote:
On Dec 8, 2016, at 11:47 AM, Dimitri Liakhovitski
<dimitri.liakhovit...@gmail.com> wrote:

Guys,

suddenly, I am being asked for a proof that R packages that are not
"base" are safe. I've never been asked this question before.

Is there some documentation on CRAN that discusses how it's ensured
that all "official" R packages have been "vetted" and are safe?

Thanks a lot!

--
Dimitri Liakhovitski



Dimitri,

You are going to need to define "safe".

Also, note that the notion of "official R packages" is not defined, other
than for those that bear the copyright of The R Foundation (Base +
Recommended), as per:

   https://www.r-project.org/certification.html

That packages are available on CRAN does not infer, implicitly or
explicitly, that the packages are endorsed/certified/validated by any party.

You can review the CRAN Policy here:

   https://cran.r-project.org/web/packages/policies.html.

which provides a standardized framework for CRAN submissions.

Does "safe" mean that they are virus/malware free?

Does "safe" mean that they are extensively tested/validated, bug free and
yield documented evidence of consistent and correct results, possibly having
also been tested for "edge cases"?

Regards,

Marc Schwartz





______________________________________________
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
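
Added example, not part of the thread and not a description of what CRAN runs: a static check in R that parses source without executing it, so it also sees lines that no test exercises, and that recognizes both the direct "q()" form and the "do.call(q, list())" form raised in Spencer Graves's reply. The names `find_quit_calls` and `target_name` and the sample source are constructed for illustration.

```r
# Added example: not from the thread and not CRAN's own checks.
QUIT_FUNS <- c("q", "quit")

# Name a call target refers to: symbol, string, or pkg::name; NA otherwise.
target_name <- function(e) {
  if (is.symbol(e)) return(as.character(e))
  if (is.character(e) && length(e) == 1L) return(e)
  if (is.call(e) && length(e) == 3L && is.symbol(e[[1L]]) &&
      as.character(e[[1L]]) %in% c("::", ":::")) {
    return(as.character(e[[3L]]))
  }
  NA_character_
}

# Walk the parse tree and collect session-ending calls, direct or via do.call().
find_quit_calls <- function(expr, found = character()) {
  if (is.call(expr)) {
    fn <- target_name(expr[[1L]])
    direct <- fn %in% QUIT_FUNS
    # match.call() resolves `what` even when arguments are named or reordered.
    what <- if (identical(fn, "do.call")) {
      tryCatch(match.call(do.call, expr)$what, error = function(e) NULL)
    }
    indirect <- target_name(what) %in% QUIT_FUNS
    if (direct || indirect) found <- c(found, deparse(expr)[1L])
  }
  if (is.call(expr) || is.expression(expr) || is.pairlist(expr)) {
    for (i in seq_along(expr)) {
      if (identical(expr[[i]], quote(expr = ))) next  # empty arg, e.g. x[1, ]
      found <- find_quit_calls(expr[[i]], found)
    }
  }
  found
}

# Constructed sample source; it is only parsed here, never evaluated.
src <- '
f <- function(x, strict = FALSE) {
  if (strict) q("no")
  y <- x[1, ]
  if (is.null(y)) do.call(q, list())
  if (anyNA(y)) do.call(args = list(save = "no"), what = "quit")
  base::quit(status = 1)
}
'
hits <- find_quit_calls(parse(text = src, keep.source = FALSE))
print(hits)
```

A walk like this only sees names that are written out in the source; a function name assembled at run time is outside what static parsing can resolve.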