On 11 February 2021 at 16:06, Johannes Ranke wrote:
| > | > The documentation does not list a search behaviour for bare library
| > | > names on non-Windows systems. So completely ignoring the system library
| > | > paths is kind of weird.
| > |
| > | I can see that it looks weird - but is it a bug?
| >
| > Exactly. It has been like that since the 1990s
|
| Mhm, I am not sure I am seeing an argument here :)
|
| > when R's packaging system was
| > set up. We have hundreds of per package shared libraries. Even the first
| > one I packaged for Debian (r-cran-rodbc, in 2003 if memory serves) used
| > that.
| >
| > "A feature not a bug" :)
|
| Or a missing feature, given that it was proposed to solve a problem...

Or a "merely perceived by some" problem that is actually a non-problem?

I have discussed prior CVEs with R Core. People have over their code, the CVEs
(even for Linux) mostly only covered Windows-only code in the
more-or-less-eclipsed-by-RStudio IDE code (that we do not build, obviously, as
it is very Windows only code). Bastian knows more about security than I ever
will but I still don't think there is an issue here.

I'd be happy to de-escalate all this, close it, let Andreas figure what is up
with RcppParallel (maybe not patching it is the best path, I don't know) and we
can take up what R does internally in another venue more calmly.

Dirk

--
https://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org