Caughman, Vanessa (OATH)
2019-Sep-24 22:35 UTC
[R] Requesting Assistance with a Backend Question
Good Evening All,

A unit in my agency - The Office of Administrative Trials and Hearings - is requesting R programming software be made accessible within our network. Because it is an Open Source application, our Cyber Security group has asked for the following information, about the application, be sought - Does this application require any access, on the backend, when processing or performing analytics; to any parts of the Cloud environment.

I have read through a lot of the information on the R website and FAQs, but I am not finding any clear answers regarding whether there is any need or ability for the application to access the Cloud. The unit is working in a Windows, networked environment.

Any assistance in answering these questions will assist in the decision to introduce the application into our networked environment.

Thank you and Kind Regards,
Vanessa

Vanessa J. Caughman-NeSmith
Certified Network Administrator (LAN/WAN)
Office of Administrative Trials and Hearings
100 Church Street, 12th Floor
New York, NY 10007
212.933.3028
On Tue, 24 Sep 2019 22:35:39 +0000 "Caughman, Vanessa (OATH)" <vcaughman at oath.nyc.gov> wrote:

> Does this application require any access, on the backend, when
> processing or performing analytics; to any parts of the Cloud
> environment.

The answer is: no, but see the fine print.

Core R code (i.e. the one you can get by navigating to https://cran.r-project.org/ and clicking "Download R for (operating system)") does *not* use Internet services to perform analytics.

A part of core R is its package system (not used to perform analytics per se), and its functions like install.packages() do access CRAN servers by default (though one could specify the repos = ... argument to make it access local filesystem or another server of your choice) to download packages of code provided by other users of R.

Packages installed from CRAN may want to access the Internet or execute arbitrary code with local user access rights. Though there is a policy [*] to keep things sane and a review process, mistakes may slip through. Same goes for any kind of programming environment with a repository of user-supplied code (Perl and CPAN, Python and PyPI, Rust and crates.io, JavaScript and NPM...).

There are also distributions of R prepared by third parties, such as Anaconda R, Microsoft R Open, and third party graphical front-ends for R, such as R-Studio, R commander, RKWard, JGR, which are also outside of the scope of core R.

But one shouldn't trust the advice of J. Random Hacker from the Internet to determine whether R is safe (subject to whatever definition of "safe"). Since R is, indeed, free software, it is possible to exercise the freedom to study how the program works by looking at the source code [**] and conducting a security audit.

--
Best regards,
Ivan

[*] https://cran.r-project.org/web/packages/policies.html
[**] https://cloud.r-project.org/src/base/R-3/R-3.6.1.tar.gz
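
The repos = ... option mentioned in the reply above can be set site-wide so that install.packages() only reads from an internal copy of CRAN, and the installed packages can then be audited for their origin. This is an added example, not part of either message or of the R project's own code; the mirror path D:/cran-mirror and the function names repos_are_local and audit_packages are assumptions made for illustration.

```r
# Added example for a site-wide startup file (R_HOME/etc/Rprofile.site).
# Assumption: D:/cran-mirror is an internal snapshot with the standard CRAN
# directory layout (src/contrib, bin/windows/contrib/<R version>).
local_repo <- "file:///D:/cran-mirror"   # hypothetical path

# Pin the default repository so install.packages() reads from the local
# filesystem instead of contacting CRAN servers.
options(repos = c(CRAN = local_repo))

# TRUE only if every configured repository is a file:// URL.
# The unset default ("@CRAN@") and any http(s) URL yield FALSE.
repos_are_local <- function(repos = getOption("repos")) {
  length(repos) > 0 && all(grepl("^file:", repos))
}

# List installed packages that did not ship with the R installer
# (Priority is "base" or "recommended" for those), together with the
# Repository field recorded in each package's DESCRIPTION file.
# An NA Repository means the package was not built by a CRAN-style repository
# (for example, installed from a local source directory).
audit_packages <- function(lib = .libPaths()) {
  ip <- installed.packages(lib.loc = lib, fields = "Repository")
  cols <- c("Package", "Version", "Priority", "Repository")
  df <- as.data.frame(ip[, cols, drop = FALSE], stringsAsFactors = FALSE)
  shipped <- !is.na(df$Priority) & df$Priority %in% c("base", "recommended")
  out <- df[!shipped, c("Package", "Version", "Repository"), drop = FALSE]
  rownames(out) <- NULL
  out
}

if (!repos_are_local()) {
  warning("A non-local package repository is configured: ",
          paste(getOption("repos"), collapse = ", "))
}

# Review this list when deciding which add-on packages need a closer look.
print(audit_packages())
```

Pinning the repository only changes where packages are fetched from; code inside an installed package still runs with the local user's access rights, as the reply notes.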