Guys,

suddenly, I am being asked for a proof that R packages that are not "base" are safe. I've never been asked this question before.

Is there some documentation on CRAN that discusses how it's ensured that all "official" R packages have been "vetted" and are safe?

Thanks a lot!

-- 
Dimitri Liakhovitski
1. What does "Safe" mean???

2. From the R banner on startup:

"R is free software and comes with ABSOLUTELY NO WARRANTY."

Don't think it could be clearer than that!

Cheers,
Bert

Bert Gunter

"The trouble with having an open mind is that people keep coming along and sticking things into it."
-- Opus (aka Berkeley Breathed in his "Bloom County" comic strip)

On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski <dimitri.liakhovitski at gmail.com> wrote:
> Guys,
>
> suddenly, I am being asked for a proof that R packages that are not
> "base" are safe. I've never been asked this question before.
>
> Is there some documentation on CRAN that discusses how it's ensured
> that all "official" R packages have been "vetted" and are safe?
>
> Thanks a lot!
>
> --
> Dimitri Liakhovitski
>
> ______________________________________________
> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
> On Dec 8, 2016, at 11:47 AM, Dimitri Liakhovitski <dimitri.liakhovitski at gmail.com> wrote:

Dimitri,

You are going to need to define "safe".

Also, note that the notion of "official R packages" is not defined, other than for those that bear the copyright of The R Foundation (Base + Recommended), as per:

https://www.r-project.org/certification.html

That packages are available on CRAN does not infer, implicitly or explicitly, that the packages are endorsed/certified/validated by any party.

You can review the CRAN Policy here:

https://cran.r-project.org/web/packages/policies.html

which provides a standardized framework for CRAN submissions.

Does "safe" mean that they are virus/malware free?

Does "safe" mean that they are extensively tested/validated, bug free and yield documented evidence of consistent and correct results, possibly having also been tested for "edge cases"?

Regards,

Marc Schwartz
I just thought maybe there is something - about the process of submitting packages or anything like that - that shows that at least some diligence is being done to ensure that a given package is not just a piece of malware from ISIS or Russia. But if you, Bert, say it's not the case, then I'll believe you.

I've asked my question after I received the following email from a partner company (that is a SaS company): They are starting to work with R and we are delivering some R code to them that will run in the background. I mentioned that certain R packages have to be installed in order for the code to run and got this:

"I'm also going to assume that our team will want to vet any package you request. We're big fans of open source and leveraging 3rd party libraries but are keenly aware of the risks in 'inviting strangers into your house'."

This is why I asked. So, I guess, my response should be - yes, please, go ahead and "vet" them any way you want.

Thank you!

-- 
Dimitri Liakhovitski

On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
Thank you, Marc. That's helpful!

I think, in this case it's mostly: That they are virus/malware free. And that they don't send out some info that they are not supposed to.

Thank you!
Dimitri

-- 
Dimitri Liakhovitski

On Thu, Dec 8, 2016 at 1:04 PM, Marc Schwartz <marc_schwartz at me.com> wrote:
On the plus side, all binary packages on CRAN are built from source code automatically by the CRAN team, so it would be a bit audacious to include "unsafe" code when the source code had to be reviewable at any time. There is nothing in R that would prevent a user from downloading a binary package from a non-CRAN source, though.

The only legally defensible answer is No, you use this at your own risk.

-- 
Sent from my phone. Please excuse my brevity.

On December 8, 2016 9:55:17 AM PST, Bert Gunter <bgunter.4567 at gmail.com> wrote:
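Since the thread settles on "safe" meaning malware-free and not phoning home, and on the CRAN source being what a reviewer can actually inspect, here is a small static triage pass over a package's R/ sources, added as an example and not code from the thread, from CRAN, or from any vetting tool. It flags calls that reach the network or the OS and marks those inside .onLoad/.onAttach hooks, which run as soon as the package is loaded; the package, its files and the indicator list are all constructed here, and the list is a starting point, not a guarantee.

```python
import re
from typing import Dict, List, Tuple

# Call patterns worth a reviewer's eye when the question is "does this package
# reach the network or the OS?" (assumed, non-exhaustive starting list).
SUSPECT_CALLS = {
    "network": r"\b(download\.file|url|socketConnection|curl::[A-Za-z_]+|httr::[A-Za-z_]+)\s*\(",
    "os_exec": r"\b(system|system2|shell)\s*\(",
    "dynamic_code": r"\b(eval\s*\(\s*parse|source)\s*\(",
}
# .onLoad/.onAttach run as soon as the package is loaded, before any user call.
LOAD_HOOK = r"^\s*\.(onLoad|onAttach)\s*(<-|=)\s*function"

def scan_r_source(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, category, code) for every flagged line.
    Category gets an '/in_hook' suffix when the line sits inside a load hook."""
    findings = []
    for name, text in files.items():
        in_hook = False
        for line_no, line in enumerate(text.splitlines(), 1):
            code = line.split("#", 1)[0]  # drop trailing comments (good enough for triage)
            if re.match(LOAD_HOOK, code):
                in_hook = True
            elif in_hook and re.match(r"\S", code):
                in_hook = False  # a column-0 line (closing brace or next definition) ends the hook body
            for category, pattern in SUSPECT_CALLS.items():
                if re.search(pattern, code):
                    tag = category + ("/in_hook" if in_hook else "")
                    findings.append((name, line_no, tag, code.strip()))
    return findings

def phones_home_on_load(findings) -> bool:
    """True when a network call was found inside .onLoad/.onAttach."""
    return any(tag == "network/in_hook" for _, _, tag, _ in findings)

# Constructed sample: the R/ directory of a hypothetical package "examplepkg".
SAMPLE_PKG = {
    "R/zzz.R": ".onLoad <- function(libname, pkgname) {\n"
               "  download.file('http://telemetry.example/hit', tempfile())  # phones home on load\n"
               "}\n",
    "R/fit.R": "fit_model <- function(x, y) {\n  coef(lm(y ~ x))\n}\n",
    "R/utils.R": "host_name <- function() {\n  system2('hostname', stdout = TRUE)\n}\n",
}

if __name__ == "__main__":
    for hit in scan_r_source(SAMPLE_PKG):
        print(hit)
    print("phones home on load:", phones_home_on_load(scan_r_source(SAMPLE_PKG)))
```

A hit is a prompt to read that code, not a verdict: legitimate packages call system2() and download.file() too, so the value is in seeing which calls run at load time versus only when the user asks.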