Thank you, Marc. That's helpful!
I think, in this case it's mostly:

That they are virus/malware free.
And that they don't send out some info that they are not supposed to.

Thank you!
Dimitri

On Thu, Dec 8, 2016 at 1:04 PM, Marc Schwartz <marc_schwartz at me.com> wrote:
>
> On Dec 8, 2016, at 11:47 AM, Dimitri Liakhovitski
> <dimitri.liakhovitski at gmail.com> wrote:
>
> Guys,
>
> suddenly, I am being asked for a proof that R packages that are not
> "base" are safe. I've never been asked this question before.
>
> Is there some documentation on CRAN that discusses how it's ensured
> that all "official" R packages have been "vetted" and are safe?
>
> Thanks a lot!
>
> --
> Dimitri Liakhovitski
>
>
> Dimitri,
>
> You are going to need to define "safe".
>
> Also, note that the notion of "official R packages" is not defined, other
> than for those that bear the copyright of The R Foundation (Base +
> Recommended), as per:
>
> https://www.r-project.org/certification.html
>
> That packages are available on CRAN does not infer, implicitly or
> explicitly, that the packages are endorsed/certified/validated by any party.
>
> You can review the CRAN Policy here:
>
> https://cran.r-project.org/web/packages/policies.html
>
> which provides a standardized framework for CRAN submissions.
>
> Does "safe" mean that they are virus/malware free?
>
> Does "safe" mean that they are extensively tested/validated, bug free and
> yield documented evidence of consistent and correct results, possibly having
> also been tested for "edge cases"?
>
> Regards,
>
> Marc Schwartz

--
Dimitri Liakhovitski
Dimitri,

Even if you narrowly define "safe" as being virus/malware free, and even if the CRAN maintainers have extensive screening in place, the burden will still be on the end users to test/scan the downloaded packages (whether in source or binary form), according to some a priori defined standard operating procedures, to achieve a level of confidence that the packages pass those tests/scans.

As you know, viruses and malware are moving targets and there are so-called "zero day" exploits, which means that even actively updated virus and malware scanning software can be defeated.

With respect to the security issue you raised, to the best of my knowledge, no CRAN packages are tested for such exploits (it would be an impossible task to extensively check for overt, much less covert, channels of communication), and that again would be a local issue. CRAN packages are, of course, not the only potential source of such exploits, as we know.

As Bert noted in his reply, even the official R distribution comes with no warranty, and that will be the case with most OSS.

Regards,

Marc

> On Dec 8, 2016, at 12:08 PM, Dimitri Liakhovitski <dimitri.liakhovitski at gmail.com> wrote:
>
> Thank you, Marc.
> That's helpful!
> I think, in this case it's mostly:
>
> That they are virus/malware free.
> And that they don't send out some info that they are not supposed to.
>
> Thank you!
> Dimitri
On 12/8/2016 12:08 PM, Dimitri Liakhovitski wrote:
> Thank you, Marc.
> That's helpful!
> I think, in this case it's mostly:
>
> That they are virus/malware free.
> And that they don't send out some info that they are not supposed to.

Doing those things is absolutely against CRAN policies, but you should get one of the CRAN maintainers to tell you the extent to which they check these things. CRAN will reject a violation of these rules if they catch it, and they do scan for many possible problems. For example, I don't know if they'd catch a call to "q()" in a package if that line of code was not exercised in any of the standard tests. Even if they could catch that, I don't know if they'd catch "do.call(q, list())".

Best Wishes,
Spencer Graves
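An added example, not code from the thread or from CRAN's own checks: a small R script that parses package source with getParseData() and lists both direct calls to functions a reviewer would want to look at (q(), quit(), system(), network helpers) and indirect references such as do.call(q, list()) or do.call("q", list()), which a purely test-driven check never reaches if the branch is not exercised. The watch list, the function names audit_r_source and audit_package_dir, and the sample source are all constructed here for illustration.

```r
# Static triage of R source before trusting a package. The watch list is a
# constructed illustration, not CRAN's check list; tune it to local policy.
watch <- c("q", "quit", "system", "system2", "download.file", "url",
           "socketConnection", "curlGetHeaders")

# Parse one source text (keep.source = TRUE is required for getParseData)
# and return a data frame of hits: where, which kind of reference, which name.
audit_r_source <- function(src, file = "<text>") {
  pd <- getParseData(parse(text = src, keep.source = TRUE))
  pd <- pd[pd$terminal, ]                     # tokens only, no grammar nodes
  # Direct calls such as q() or system("...") are SYMBOL_FUNCTION_CALL tokens.
  direct <- pd$token == "SYMBOL_FUNCTION_CALL" & pd$text %in% watch
  # Indirect use passes the function as a bare symbol or a string literal:
  # do.call(q, list()), do.call("q", list()), match.fun("system"), get("q").
  # Strip surrounding quotes so both spellings compare against the watch list.
  bare <- gsub('^["\']|["\']$', "", pd$text)
  indirect <- pd$token %in% c("SYMBOL", "STR_CONST") & bare %in% watch
  hits <- function(sel, kind, name)
    data.frame(file = rep(file, sum(sel)), line = pd$line1[sel],
               kind = rep(kind, sum(sel)), name = name[sel],
               stringsAsFactors = FALSE)
  # A bare symbol hit may be an unrelated variable named q; this is a triage
  # list for a human reviewer, not a verdict.
  rbind(hits(direct, "direct call", pd$text),
        hits(indirect, "indirect reference", bare))
}

# Run the same check over every .R file in an unpacked package directory.
audit_package_dir <- function(dir) {
  files <- list.files(dir, pattern = "\\.[Rr]$", recursive = TRUE,
                      full.names = TRUE)
  do.call(rbind, lapply(files, function(f)
    audit_r_source(paste(readLines(f, warn = FALSE), collapse = "\n"), f)))
}

# Constructed sample mimicking the cases Spencer raised: a q() on a branch
# that ordinary tests never reach, and the same effect routed through do.call().
sample_src <- '
summarise_data <- function(x, verbose = FALSE) {
  if (identical(Sys.getenv("NEVER_SET_IN_TESTS"), "1")) q("no")
  if (verbose) do.call(q, list("no"))
  do.call("q", list(status = 1))
  mean(x)
}
tidy <- function(x) x[order(x)]
'
print(audit_r_source(sample_src, "sample.R"))
```

The report lists one direct call and two indirect references to q, with their line numbers, while tidy() produces nothing; point audit_package_dir() at an unpacked source tarball to run it over a whole package.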
Thanks a lot, guys - it's very helpful!

On Thu, Dec 8, 2016 at 1:24 PM, Marc Schwartz <marc_schwartz at me.com> wrote:
> Dimitri,
>
> Even if you narrowly define "safe" as being virus/malware free and even if the CRAN maintainers have extensive screening in place, the burden will still be on the end users to test/scan the downloaded packages (whether in source or binary form), according to some a priori defined standard operating procedures, to achieve a level of confidence, that the packages pass those tests/scans.

--
Dimitri Liakhovitski
On 12/8/2016 12:24 PM, Marc Schwartz wrote:
> Dimitri,
>
> As Bert noted in his reply, even the official R distribution comes with no warranty, and that will be the case with most OSS.

Will an organization like RStudio provide some sort of testing service -- for a fee of course?

Spencer