Inline below...

> On Dec 8, 2016, at 12:27 PM, Spencer Graves 
> <spencer.gra...@effectivedefense.org> wrote:
> 
> 
> 
> On 12/8/2016 12:24 PM, Marc Schwartz wrote:
>> Dimitri,
>> 
>> Even if you narrowly define "safe" as being virus/malware free and even if 
>> the CRAN maintainers have extensive screening in place, the burden will 
>> still be on the end users to test/scan the downloaded packages (whether in 
>> source or binary form), according to some a priori defined standard 
>> operating procedures, to achieve a level of confidence, that the packages 
>> pass those tests/scans.
>> 
>> As you know, virus and malware are moving targets and there are so-called 
>> "zero day" exploits, which means that even actively updated virus and 
>> malware scanning software can be defeated.
>> 
>> With respect to the security issue you raised, to the best of my knowledge, 
>> no CRAN packages are tested for such exploits (it would be an impossible 
>> task to extensively check for overt, much less covert channels of 
>> communications) and that again, would be a local issue. CRAN packages are, 
>> of course, not the only potential source of such exploits, as we know.
>> 
>> As Bert noted in his reply, even the official R distribution comes with no 
>> warranty, and that will be the case with most OSS.
> 
> 
>      Will an organization like RStudio provide some sort of testing service 
> -- for a fee of course?
> 
> 
>      Spencer


Spencer,

That would be a question for them, Microsoft, Mango, ...

From a business perspective, that might be a "value added" service that some 
class of useRs might be interested in paying for, much like the difference 
between CentOS and RHEL as server distributions of Linux.

As with such things, what is the standard that you want them to abide by and be 
able to support/defend and for what kinds of issues (virus, malware, security, 
statistical performance, regulatory qualification/validation, ...).

Regards,

Marc


>> 
>> Regards,
>> 
>> Marc
>> 
>> 
>>> On Dec 8, 2016, at 12:08 PM, Dimitri Liakhovitski 
>>> <dimitri.liakhovit...@gmail.com> wrote:
>>> 
>>> Thank you, Marc.
>>> That's helpful!
>>> I think, in this case it's mostly:
>>> 
>>> That they are virus/malware free.
>>> And that they don't send out some info that they are not supposed to.
>>> 
>>> Thank you!
>>> Dimitri
>>> 
>>> 
>>> On Thu, Dec 8, 2016 at 1:04 PM, Marc Schwartz <marc_schwa...@me.com> wrote:
>>>> On Dec 8, 2016, at 11:47 AM, Dimitri Liakhovitski
>>>> <dimitri.liakhovit...@gmail.com> wrote:
>>>> 
>>>> Guys,
>>>> 
>>>> suddenly, I am being asked for a proof that R packages that are not
>>>> "base" are safe. I've never been asked this question before.
>>>> 
>>>> Is there some documentation on CRAN that discusses how it's ensured
>>>> that all "official" R packages have been "vetted" and are safe?
>>>> 
>>>> Thanks a lot!
>>>> 
>>>> --
>>>> Dimitri Liakhovitski
>>>> 
>>>> 
>>>> 
>>>> Dimitri,
>>>> 
>>>> You are going to need to define "safe".
>>>> 
>>>> Also, note that the notion of "official R packages" is not defined, other
>>>> than for those that bear the copyright of The R Foundation (Base +
>>>> Recommended), as per:
>>>> 
>>>>  https://www.r-project.org/certification.html
>>>> 
>>>> That packages are available on CRAN does not infer, implicitly or
>>>> explicitly, that the packages are endorsed/certified/validated by any 
>>>> party.
>>>> 
>>>> You can review the CRAN Policy here:
>>>> 
>>>>  https://cran.r-project.org/web/packages/policies.html
>>>> 
>>>> which provides a standardized framework for CRAN submissions.
>>>> 
>>>> Does "safe" mean that they are virus/malware free?
>>>> 
>>>> Does "safe" mean that they are extensively tested/validated, bug free and
>>>> yield documented evidence of consistent and correct results, possibly
>>>> having also been tested for "edge cases"?
>>>> 
>>>> Regards,
>>>> 
>>>> Marc Schwartz
>>>> 
>>>> 
>>> 
>>> 
>>> -- 
>>> Dimitri Liakhovitski
> 

______________________________________________
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.