Thank you all for the discussion. Then, we should promote "code awareness" and count on the CRAN Team to continue their great work:)
What do you think about promoting containers? Nowadays, containers are more accessible, with GitHub codespaces being more affordable (mostly free for students and the educational sector). I feel containers can help a little bit in making the R work more secure, but once more when used properly.

KR
Maciej Nasinski
University of Warsaw

On Sat, 4 May 2024 at 07:17, Vladimir Dergachev <volo...@mindspring.com> wrote:

> On Fri, 3 May 2024, Ivan Krylov via R-package-devel wrote:
>
> > Dear Maciej Nasinski,
> >
> > On Fri, 3 May 2024 11:37:57 +0200
> > Maciej Nasinski <nasinski.mac...@gmail.com> wrote:
> >
> >> I believe we must conduct a comprehensive review of all existing CRAN
> >> packages.
> >
> > Why now? R packages are already code. You don't need poisoned RDS files
> > to wreak havoc using an R package.
> >
> > On the other hand, R data files contain R objects, which contain code.
> > You don't need exploits to smuggle code inside an R object.
> >
>
> I think the confusion arises because users expect "R data files" to only
> contain data, i.e. numbers, but they can contain any R object, including
> functions.
>
> I, personally, never use them out of concern that accidentally saved
> function can override some functionality and be difficult to debug. And,
> of course, I never save R sessions.
>
> If you need to pass data it is a good idea to use some common format like
> tab-separated CSV files with column names. One can also use MVL files
> (RMVL package).
>
> best
>
> Vladimir Dergachev

______________________________________________
R-package-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-package-devel
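
The point quoted in the thread, that an R data file can hold any R object including functions, shown as an added example (not code from the thread or its participants). It saves a constructed sample object to an RDS file, reloads it, and lists where code-carrying types sit; `find_code()` and the sample object are hypothetical names made up for this illustration.

```r
# Constructed sample: looks like a small dataset, but some elements are code.
sample_obj <- list(
  x = c(1.5, 2.5, 3.5),
  label = "measurements",
  summarise = function(v) mean(v),            # a closure stored next to the data
  nested = list(pending = quote(Sys.time()))  # an unevaluated call
)
attr(sample_obj, "hook") <- function() NULL   # attributes can hold objects too

path <- tempfile(fileext = ".rds")
saveRDS(sample_obj, path)

# typeof() values that indicate code or a container for code.
code_types <- c("closure", "builtin", "special",
                "language", "expression", "environment")

# find_code() is a hypothetical helper: it walks a loaded object and returns
# the location and type of every element that is not plain data.
find_code <- function(obj, where = "<root>") {
  type <- typeof(obj)
  if (type %in% code_types) {
    return(sprintf("%s: %s", where, type))    # report it and do not descend
  }
  hits <- character(0)
  attrs <- attributes(obj)
  for (a in names(attrs)) {
    hits <- c(hits, find_code(attrs[[a]], paste0(where, "@", a)))
  }
  if (type %in% c("list", "pairlist")) {
    items <- as.list(unclass(obj))            # unclass() avoids S3 dispatch on `[[`
    nm <- names(items)
    for (i in seq_along(items)) {
      key <- if (!is.null(nm) && nzchar(nm[i])) nm[i] else sprintf("[[%d]]", i)
      hits <- c(hits, find_code(items[[i]], paste0(where, "$", key)))
    }
  }
  hits
}

loaded <- readRDS(path)
print(find_code(loaded))
unlink(path)
```

The walk only reads types with `typeof()` and never calls or evaluates what it finds, so a data frame of plain vectors yields an empty result while the sample above reports the two closures and the stored call.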