Thanks a lot, guys - it's very helpful!

On Thu, Dec 8, 2016 at 1:24 PM, Marc Schwartz <marc_schwa...@me.com> wrote:
> Dimitri,
>
> Even if you narrowly define "safe" as being virus/malware free and even if
> the CRAN maintainers have extensive screening in place, the burden will still
> be on the end users to test/scan the downloaded packages (whether in source
> or binary form), according to some a priori defined standard operating
> procedures, to achieve a level of confidence, that the packages pass those
> tests/scans.
>
> As you know, virus and malware are moving targets and there are so-called
> "zero day" exploits, which means that even actively updated virus and malware
> scanning software can be defeated.
>
> With respect to the security issue you raised, to the best of my knowledge,
> no CRAN packages are tested for such exploits (it would be an impossible task
> to extensively check for overt, much less covert channels of communications)
> and that again, would be a local issue. CRAN packages are, of course, not the
> only potential source of such exploits, as we know.
>
> As Bert noted in his reply, even the official R distribution comes with no
> warranty, and that will be the case with most OSS.
>
> Regards,
>
> Marc
>
>
>> On Dec 8, 2016, at 12:08 PM, Dimitri Liakhovitski
>> <dimitri.liakhovit...@gmail.com> wrote:
>>
>> Thank you, Marc.
>> That's helpful!
>> I think, in this case it's mostly:
>>
>> That they are virus/malware free.
>> And that they don't send out some info that they are not supposed to.
>>
>> Thank you!
>> Dimitri
>>
>>
>> On Thu, Dec 8, 2016 at 1:04 PM, Marc Schwartz <marc_schwa...@me.com> wrote:
>>>
>>> On Dec 8, 2016, at 11:47 AM, Dimitri Liakhovitski
>>> <dimitri.liakhovit...@gmail.com> wrote:
>>>
>>> Guys,
>>>
>>> suddenly, I am being asked for a proof that R packages that are not
>>> "base" are safe. I've never been asked this question before.
>>>
>>> Is there some documentation on CRAN that discusses how it's ensured
>>> that all "official" R packages have been "vetted" and are safe?
>>>
>>> Thanks a lot!
>>>
>>> --
>>> Dimitri Liakhovitski
>>>
>>>
>>>
>>> Dimitri,
>>>
>>> You are going to need to define "safe".
>>>
>>> Also, note that the notion of "official R packages" is not defined, other
>>> than for those that bear the copyright of The R Foundation (Base +
>>> Recommended), as per:
>>>
>>> https://www.r-project.org/certification.html
>>>
>>> That packages are available on CRAN does not infer, implicitly or
>>> explicitly, that the packages are endorsed/certified/validated by any party.
>>>
>>> You can review the CRAN Policy here:
>>>
>>> https://cran.r-project.org/web/packages/policies.html.
>>>
>>> which provides a standardized framework for CRAN submissions.
>>>
>>> Does "safe" mean that they are virus/malware free?
>>>
>>> Does "safe" mean that they are extensively tested/validated, bug free and
>>> yield documented evidence of consistent and correct results, possibly having
>>> also been tested for "edge cases"?
>>>
>>> Regards,
>>>
>>> Marc Schwartz
>>>
>>>
>>
>>
>>
>> --
>> Dimitri Liakhovitski
>

--
Dimitri Liakhovitski

______________________________________________
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
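An added example, not from this thread or from CRAN, of the kind of local pre-install check Marc describes: it verifies a source tarball against the MD5 that the CRAN PACKAGES index publishes and lists the source lines that reference functions able to open network connections, which is where a reviewer would start on Dimitri's "don't send out info" concern. It assumes network access to a CRAN mirror; `check_cran_package` and the grep pattern are this example's own choices.

```r
# Added example (not from the thread): local integrity and review check for a
# CRAN source package. Assumes network access to the mirror in `repo`.
library(tools)

check_cran_package <- function(pkg, repo = "https://cloud.r-project.org") {
  dest <- tempfile("cran_check_")
  dir.create(dest)

  # available.packages() parses the repository's PACKAGES index, which
  # carries an MD5sum for each source tarball.
  index <- available.packages(repos = repo, type = "source")
  if (!pkg %in% rownames(index)) stop("package not in the CRAN index: ", pkg)
  expected_md5 <- unname(index[pkg, "MD5sum"])

  # Download the tarball only; nothing is installed or executed.
  got <- download.packages(pkg, destdir = dest, repos = repo, type = "source")
  tarball <- got[1, 2]
  actual_md5 <- unname(tools::md5sum(tarball))
  md5_ok <- identical(actual_md5, expected_md5)

  # Unpack and grep the R sources for calls that can reach the network or
  # run external commands. A hit is a place to read, not a verdict.
  untar(tarball, exdir = dest)
  r_files <- list.files(file.path(dest, pkg, "R"), pattern = "\\.[Rr]$",
                        full.names = TRUE)
  net_pattern <- "url\\(|download\\.file|socketConnection|curl|httr|RCurl|system\\("
  hits <- lapply(r_files, function(f) {
    lines <- readLines(f, warn = FALSE)
    idx <- grep(net_pattern, lines)
    if (length(idx)) data.frame(file = basename(f), line = idx,
                                code = trimws(lines[idx]))
  })
  hits <- do.call(rbind, hits)   # NULL when no file matched

  list(package = pkg, md5_matches_index = md5_ok,
       expected_md5 = expected_md5, actual_md5 = actual_md5,
       network_call_sites = hits)
}

# Usage (needs network access):
# res <- check_cran_package("jsonlite")
# res$md5_matches_index
# res$network_call_sites
```

The MD5 comparison only shows that the tarball matches the index of the same mirror, so it catches a corrupted or substituted download, not a package whose author shipped unwanted behaviour; that is what the listed call sites and the manual review Marc refers to are for.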