Re: [R] Asking about R "Security" ..

2023-05-17 Thread CALUM POLWART
Chris replied off list to say he hadn't directed the OP to the NHS R Community,
so it seems prudent to post a link here for eternity -- because there will
be another NHS Security Audit with questions that don't fit R properly, and
the guys in the community may be best placed to answer them.

Linky:
https://nhsrcommunity.com/


On Wed, 17 May 2023, 10:49 Chris Evans via R-help wrote:

> Fortune nomination (if trimmed a little) ... thanks to Martin, Ivan and
> so many others who never cease to teach me things here!
>
> (As an ex-NHS person who has used R for countless centuries, slowly less
> awfully courtesy of this list and other angels, I contacted Ms Majid
> off list to see if I can help!)
>
> Chris
>
> On 17/05/2023 11:11, Martin Maechler wrote:
> >> Ivan Krylov
> >>  on Wed, 17 May 2023 11:52:27 +0300 writes:
> >  > On Tue, 16 May 2023 13:47:19 +
> >  > "MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help"<
> r-help@r-project.org>
> >
> > [ . ]
> > [ . ]
> > [ .. helpful & useful answers / pointers to public information .. ]
> > [ . ]
> > [ . ]
> >
> >  > (Did you mean to ask these questions at the public mailing list open
> >  > for J. Random Hackers like me to answer?)
> >
> >  > --
> >  > Best regards,
> >  > Ivan
> >
> > Actually, people typically ask "the R Foundation" or even
> > individual RF / R-core members such as me about this ...
> >
> > ... as if we were a company with staff to answer such questions;
> > but we (volunteering individuals) really do *not* have the time
> > resources for that,
> > and consequently, also in my function---shared with another few
> > individuals---as gatekeeper to the R foundation / R core / R webmaster
> > e-mail addresses, I typically deflect such questions to the
> > public web sites *and* public e-mail lists.
> >
> > The big advantage of this approach is that at least the answers
> > are findable by web searches in the future, and so, hopefully
> > have to be answered less frequently by volunteers as you, Ivan,
> > for whom we are really very grateful.
> >
> > Martin
> >
> --
> Chris Evans (he/him)
> Visiting Professor, UDLA, Quito, Ecuador & Honorary Professor,
> University of Roehampton, London, UK.
> Work web site: https://www.psyctc.org/psyctc/
> CORE site: http://www.coresystemtrust.org.uk/
> Personal site: https://www.psyctc.org/pelerinage2016/
> 
> 


__
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.


Re: [R] Recombining Mon and Year values

2023-05-17 Thread Eric Berger
An alternative that does not use the zoo package but uses the built-in
constant month.abb:

df1 <- data.frame(Year = c(2021, 2021, 2021),
                  Mon = c("Mar", "Jan", "Apr"))

# month.abb is c("Jan", "Feb", ..., "Dec"), so match() turns the
# abbreviation into the month number 1..12; Year*100 + month gives a
# sortable integer such as 202103 for March 2021
df1$mon_year <- df1$Year*100 + sapply(df1$Mon, \(x) match(x, month.abb))

# sorts chronologically rather than alphabetically by month name
sort(df1$mon_year)

On Wed, May 17, 2023 at 2:48 AM Jeff Newmiller wrote:
>
> I don't use lubridate, but that package works with Date and POSIXt types, 
> which I do use. Just remember to include a day when converting (1st of month 
> is typical), and use an output format to hide the day when you plot.
>
> On May 16, 2023 1:29:27 PM PDT, Jeff Reichman wrote:
> >R Help
> >
> >
> >
> >I have a data.frame where I've broken out the year and ordered month
> >values. But I need to recombine them so I can graph mon-year in
> >order, but when I recombine I lose the month order and the results are
> >plotted alphabetically.
> >
> >
> >
> >Year  month  mon_year
> >2021  Mar    Mar-2021
> >2021  Jan    Jan-2021
> >2021  Apr    Apr-2021
> >
> >
> >
> >So do I need to convert the months back to an integer and then recombine to
> >plot?
> >
> >
> >
> >Jeff Reichman
> >
> >
>
> --
> Sent from my phone. Please excuse my brevity.
>



Re: [R] Asking about R "Security" ..

2023-05-17 Thread CALUM POLWART
Chris

Presumably you've also pointed her to the NHS R community and in particular
its Slack group?

There are so many variables in what was even being asked that it's going to take
some time to work through: did they mean R or R Studio or R Studio Cloud...
before any packages..

On Wed, 17 May 2023, 10:49 Chris Evans via R-help wrote:

> Fortune nomination (if trimmed a little) ... thanks to Martin, Ivan and
> so many others who never cease to teach me things here!
>
> (As an ex-NHS person who has used R for countless centuries, slowly less
> awfully courtesy of this list and other angels, I contacted Ms Majid
> off list to see if I can help!)
>
> Chris
>
> On 17/05/2023 11:11, Martin Maechler wrote:
> >> Ivan Krylov
> >>  on Wed, 17 May 2023 11:52:27 +0300 writes:
> >  > On Tue, 16 May 2023 13:47:19 +
> >  > "MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help"<
> r-help@r-project.org>
> >
> > [ . ]
> > [ . ]
> > [ .. helpful & useful answers / pointers to public information .. ]
> > [ . ]
> > [ . ]
> >
> >  > (Did you mean to ask these questions at the public mailing list open
> >  > for J. Random Hackers like me to answer?)
> >
> >  > --
> >  > Best regards,
> >  > Ivan
> >
> > Actually, people typically ask "the R Foundation" or even
> > individual RF / R-core members such as me about this ...
> >
> > ... as if we were a company with staff to answer such questions;
> > but we (volunteering individuals) really do *not* have the time
> > resources for that,
> > and consequently, also in my function---shared with another few
> > individuals---as gatekeeper to the R foundation / R core / R webmaster
> > e-mail addresses, I typically deflect such questions to the
> > public web sites *and* public e-mail lists.
> >
> > The big advantage of this approach is that at least the answers
> > are findable by web searches in the future, and so, hopefully
> > have to be answered less frequently by volunteers as you, Ivan,
> > for whom we are really very grateful.
> >
> > Martin
> >
> --
> Chris Evans (he/him)
> Visiting Professor, UDLA, Quito, Ecuador & Honorary Professor,
> University of Roehampton, London, UK.
> Work web site: https://www.psyctc.org/psyctc/
> CORE site: http://www.coresystemtrust.org.uk/
> Personal site: https://www.psyctc.org/pelerinage2016/
> 
> 




Re: [R] mclapply enters into an infinite loop....

2023-05-17 Thread akshay kulkarni
Dear Jeff,
There was a problem in LYGH and lapply threw an error, but mclapply got stuck in
an infinite loop. The doc for mclapply says that mclapply runs under try() with
silent = TRUE. So that means mclapply should run properly, i.e., output a try
class object and exit. But it didn't. Can you shed some light on why this
happened?

Thanking you,
Yours sincerely,
AKSHAY M KULKARNI

From: R-help on behalf of Jeff Newmiller
Sent: Wednesday, May 17, 2023 5:24 AM
To: r-help@r-project.org 
Subject: Re: [R] mclapply enters into an infinite loop

It does not look to me like you are providing the necessary arguments to arfima.

Try making this work with lapply first... then try mclapply.

On May 16, 2023 3:10:45 PM PDT, akshay kulkarni wrote:
>Dear members,
>I am using arfima in an mclapply construction (from the parallel package):
>
>Browse[2]> LYG <- mclapply(LYGH, FUN = arfima, mc.cores = detectCores())
>^C
>Browse[2]> LYG <- mclapply(LYGH[1:10], FUN = arfima, mc.cores = detectCores())
>^C
>Browse[2]> LYG <- mclapply(LYGH[1:2], FUN = arfima, mc.cores = detectCores())
>^C
>
>You can see that I am aborting the execution of mclapply. It doesn't finish 
>even if I reduce the elements to be iterated over to 2. Why is it entering an 
>infinite loop?
>
>Please advise me if this should be posted to the HPC list.
>
>Thanking you,
>Yours sincerely,
>AKSHAY M KULKARNI
>

--
Sent from my phone. Please excuse my brevity.





Re: [R] R Tools Security Posture

2023-05-17 Thread Marc Schwartz via R-help
Hi,

An additional resource that was not listed below is the R Software Development 
Life Cycle (SDLC) document that is available here:

  https://www.r-project.org/certification.html

which addresses a subset of the issues raised.

Regards,

Marc Schwartz


On May 17, 2023 at 4:52:27 AM, Ivan Krylov (krylov.r...@gmail.com) wrote:

> On Tue, 16 May 2023 13:47:19 +
> "MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help"
> writes:
>
> > * When was the application last updated?
> > * How often is it updated?
>
> This information is publicly available at
> by looking for "Release plans". You
> can reach this page by starting at and
> clicking the "Developer Pages" link. The developer pages are admittedly
> harder to navigate than the main website, but I think that they could
> answer some of your other questions too.
>
> You can also obtain this information by looking for "News" under
> and by checking the dates of all released
> versions of R at .
>
> > * Is the source code anywhere? If so where is
>
> Yes, you can download release source code by following the "download R"
> link at , ending up at
> https://cloud.r-project.org/ (or your preferred CRAN mirror) and
> clicking the link for the currently-latest version, R-4.3.0.tar.gz.
>
> The link to the Subversion repository containing yet unreleased code
> can be located at https://developer.r-project.org/.
>
> > and is it secure?
>
> What's the threat model?
>
> > * Are there any common vulnerabilities?
>
> What would be considered a vulnerability in a piece of software that
> was never supposed to be a security boundary?
>
> (Will R run arbitrary code typed at its prompt? Yes, by design. Is it
> possible to feed maliciously-constructed data into R's unserialize()
> and cause arbitrary code execution this way? Probably, but typing code
> at the prompt is much easier. Can third-party R packages that start TCP
> servers be convinced to run arbitrary code on attacker's behalf?
> Consider that a given.)
>
> > * Do your employees (e.g., developers or system administrators)
> > have access to customer data?
>
> By itself, R processes any data fed into it locally, on the computer
> where it's running, without contacting R developers about it.
>
> The same cannot be guaranteed about third-party packages, although
> there are tests and reviews at both CRAN and Bioconductor in order to
> prevent the packages from doing anything considered "anti-social". (See
> for more
> information on this.) A sufficiently motivated malicious actor could
> circumvent them, of course, but that can be said about anything.
>
> If someone at NHS wants to use R, they will probably want to use CRAN
> and Bioconductor packages too. Potentially, they might need packages
> published elsewhere as well. All these packages will have to be
> reviewed separately from R, because they are maintained by different
> people.
>
> > * Does R require third party authorization/connections?
>
> No, but shouldn't you be more concerned with third-party software
> dependencies?
>
> (Did you mean to ask these questions at the public mailing list open
> for J. Random Hackers like me to answer?)
>
> --
> Best regards,
> Ivan
>



Re: [R] Asking about R "Security" ..

2023-05-17 Thread Chris Evans via R-help
Fortune nomination (if trimmed a little) ... thanks to Martin, Ivan and 
so many others who never cease to teach me things here!

(As an ex-NHS person who has used R for countless centuries, slowly less 
awfully courtesy of this list and other angels, I contacted Ms Majid 
off list to see if I can help!)

Chris

On 17/05/2023 11:11, Martin Maechler wrote:
>> Ivan Krylov
>>  on Wed, 17 May 2023 11:52:27 +0300 writes:
>  > On Tue, 16 May 2023 13:47:19 +
>  > "MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help"
>
> [ . ]
> [ . ]
> [ .. helpful & useful answers / pointers to public information .. ]
> [ . ]
> [ . ]
>
>  > (Did you mean to ask these questions at the public mailing list open
>  > for J. Random Hackers like me to answer?)
>
>  > --
>  > Best regards,
>  > Ivan
>
> Actually, people typically ask "the R Foundation" or even
> individual RF / R-core members such as me about this ...
>
> ... as if we were a company with staff to answer such questions;
> but we (volunteering individuals) really do *not* have the time
> resources for that,
> and consequently, also in my function---shared with another few
> individuals---as gatekeeper to the R foundation / R core / R webmaster
> e-mail addresses, I typically deflect such questions to the
> public web sites *and* public e-mail lists.
>
> The big advantage of this approach is that at least the answers
> are findable by web searches in the future, and so, hopefully
> have to be answered less frequently by volunteers as you, Ivan,
> for whom we are really very grateful.
>
> Martin
>
-- 
Chris Evans (he/him)
Visiting Professor, UDLA, Quito, Ecuador & Honorary Professor, 
University of Roehampton, London, UK.
Work web site: https://www.psyctc.org/psyctc/
CORE site: http://www.coresystemtrust.org.uk/
Personal site: https://www.psyctc.org/pelerinage2016/





[R] Asking about R "Security" ..

2023-05-17 Thread Martin Maechler
> Ivan Krylov 
> on Wed, 17 May 2023 11:52:27 +0300 writes:

> On Tue, 16 May 2023 13:47:19 +
> "MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help" 

[ . ]
[ . ]
[ .. helpful & useful answers / pointers to public information .. ]
[ . ]
[ . ]

> (Did you mean to ask these questions at the public mailing list open
> for J. Random Hackers like me to answer?)

> -- 
> Best regards,
> Ivan

Actually, people typically ask "the R Foundation" or even
individual RF / R-core members such as me about this ...

... as if we were a company with staff to answer such questions;
but we (volunteering individuals) really do *not* have the time
resources for that,
and consequently, also in my function---shared with another few
individuals---as gatekeeper to the R foundation / R core / R webmaster
e-mail addresses, I typically deflect such questions to the
public web sites *and* public e-mail lists.

The big advantage of this approach is that at least the answers
are findable by web searches in the future, and so, hopefully
have to be answered less frequently by volunteers as you, Ivan,
for whom we are really very grateful.

Martin



Re: [R] R Tools Security Posture

2023-05-17 Thread Ivan Krylov
On Tue, 16 May 2023 13:47:19 +
"MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help" 
writes:

>   *   When was the application last updated?
>   *   How often is it updated?

This information is publicly available at
 by looking for "Release plans". You
can reach this page by starting at  and
clicking the "Developer Pages" link. The developer pages are admittedly
harder to navigate than the main website, but I think that they could
answer some of your other questions too.

You can also obtain this information by looking for "News" under
 and by checking the dates of all released
versions of R at .

>   *   Is the source code anywhere? If so where is

Yes, you can download release source code by following the "download R"
link at , ending up at
https://cloud.r-project.org/ (or your preferred CRAN mirror) and
clicking the link for the currently-latest version, R-4.3.0.tar.gz.

The link to the Subversion repository containing yet unreleased code
can be located at https://developer.r-project.org/.

> and is it secure?

What's the threat model?

>   *   Are there any common vulnerabilities?

What would be considered a vulnerability in a piece of software that
was never supposed to be a security boundary?

(Will R run arbitrary code typed at its prompt? Yes, by design. Is it
possible to feed maliciously-constructed data into R's unserialize()
and cause arbitrary code execution this way? Probably, but typing code
at the prompt is much easier. Can third-party R packages that start TCP
servers be convinced to run arbitrary code on attacker's behalf?
Consider that a given.)

>   *   Do your employees (e.g., developers or system administrators)
> have access to customer data?

By itself, R processes any data fed into it locally, on the computer
where it's running, without contacting R developers about it.

The same cannot be guaranteed about third-party packages, although
there are tests and reviews at both CRAN and Bioconductor in order to
prevent the packages from doing anything considered "anti-social". (See
 for more
information on this.) A sufficiently motivated malicious actor could
circumvent them, of course, but that can be said about anything.

If someone at NHS wants to use R, they will probably want to use CRAN
and Bioconductor packages too. Potentially, they might need packages
published elsewhere as well. All these packages will have to be
reviewed separately from R, because they are maintained by different
people.

>   *   Does R require third party authorization/connections?

No, but shouldn't you be more concerned with third-party software
dependencies?

(Did you mean to ask these questions at the public mailing list open
for J. Random Hackers like me to answer?)

-- 
Best regards,
Ivan

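Ivan's point that the third-party packages will have to be reviewed separately from R is where most of the practical work of such a review lands. As an added illustration (this script is not from the thread and is not part of R's own tooling), the base-R code below inventories one package library the way a reviewer might before answering the "third-party dependencies" question: it records the R version, each installed package with its version and the Repository field from its DESCRIPTION file (CRAN stamps "CRAN" there at build time; packages installed from a tarball, GitHub, Bioconductor or a private source usually carry no such field and are reported as unknown), and recomputes the MD5 sums of the installed files against the MD5 file shipped with the package. The function names audit_packages() and report() are this example's own; only base R plus the bundled utils and tools packages are assumed.

```r
## Added example, not from the thread: inventory an R package library for a
## security review. Uses only base R, utils and tools.

audit_packages <- function(lib = .libPaths()[1]) {
  ip   <- installed.packages(lib.loc = lib)   # matrix, one row per package
  pkgs <- rownames(ip)

  # packageDescription() reads the package's DESCRIPTION; "Repository" is
  # "CRAN" for CRAN builds and absent (NA) for anything installed from a
  # tarball, GitHub, Bioconductor or a private repository.
  source <- vapply(pkgs, function(p) {
    r <- packageDescription(p, lib.loc = lib, fields = "Repository")
    if (is.na(r)) "<unknown source>" else r
  }, character(1))

  # tools::checkMD5sums() hashes every installed file and compares it with
  # the package's MD5 file. TRUE = all match, FALSE = at least one file
  # differs (it prints which), NA = the package ships no MD5 file (usual for
  # base/recommended packages built together with R from source).
  md5_ok <- vapply(pkgs, function(p) {
    tools::checkMD5sums(p, dir = file.path(lib, p))
  }, logical(1))

  data.frame(
    package  = pkgs,
    version  = ip[, "Version"],
    priority = ifelse(is.na(ip[, "Priority"]), "", ip[, "Priority"]),
    source   = source,
    md5_ok   = md5_ok,
    row.names = NULL,
    stringsAsFactors = FALSE
  )
}

# Print the points a reviewer would want on one screen: R version, library
# path, packages that did not come from CRAN and are not part of R itself,
# and packages whose installed files no longer match their recorded sums.
report <- function(audit, lib = .libPaths()[1]) {
  cat("R version:", R.version.string, "\n")
  cat("Library:", lib, "\n")
  cat("Installed packages:", nrow(audit), "\n")

  not_cran <- audit[audit$source != "CRAN" & audit$priority == "", ]
  cat("Non-CRAN, non-base packages:", nrow(not_cran), "\n")
  if (nrow(not_cran) > 0) print(not_cran[, c("package", "version", "source")])

  modified <- audit[!is.na(audit$md5_ok) & !audit$md5_ok, ]
  cat("Packages whose files differ from their recorded MD5 sums:",
      nrow(modified), "\n")
  if (nrow(modified) > 0) print(modified[, c("package", "version")])

  invisible(audit)
}

# Usage: run in the R session whose library is being reviewed.
audit <- audit_packages()
report(audit)
```

An MD5 mismatch here means the installed files differ from what the package build wrote, which is a reason to reinstall and investigate, not proof of tampering (locally patched packages show up the same way); a matching sum only says the files are what the package author shipped, so it does not replace the per-package review Ivan describes.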


[R] R Tools Security Posture

2023-05-17 Thread MAJID, Ayesha (NHS ENGLAND - X26) via R-help


Hi

Hope you are well. I work for NHS England and I have been asked to conduct a 
security review of R, but I am unable to locate information around the security 
posture of R. Would someone please be able to direct me to the correct page or 
alternatively answer the questions below:


  *   When was the application last updated?
  *   How often is it updated?
  *   Is there any guidance that is followed such as OWASP Application 
Security Verification Standards?
  *   Do you conform with a recognised security standard? (e.g., SOC1/2/3, 
ISO27001)
  *   Do you have an Information Security Policy with supporting Standards and 
Procedures? Please provide details (or provide a copy of the policy).
  *   Do you have formal change control and release management processes to 
manage code changes? Please provide details (or provide a copy of the 
documented process).
  *   Is the source code anywhere? If so where is and is it secure?
  *   Do you follow secure development processes? How is this achieved?
  *   Are there any common vulnerabilities?
  *   Is there a reporting process for reporting vulnerabilities and 
remediation processes? Please provide details/a copy of the documented process
  *   Do you undertake audits or other reviews to ensure that security controls 
are being implemented and operating effectively? How is this done? Can you 
provide details of this?
  *   Do you undertake regular penetration testing (or similar technical 
security testing, code review or vulnerability assessment); and are you able to 
provide a summary of results/findings?
  *   Do your employees (e.g., developers or system administrators) have access 
to customer data? How is this access controlled and monitored?
  *   Are all personnel required to sign Non-Disclosure Agreement (NDA) or 
Confidentiality Agreements (CA) as a condition of employment to protect 
customer information?
  *   Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, 
please provide details including backup and redundancy mechanisms.
  *   Is there a dedicated security team?
  *   Is there a contact for security issues?
  *   Is there a vulnerability disclosure program?
  *   Is there a bug bounty program?
  *   Does R require third party authorization/connections?



Thank you

Regards

Ayesha Majid
Cyber Security Advisor | Cyber Operations
Transformation Directorate
NHS England

Mobile: 07842323170
Email: ayesha.ma...@nhs.net

Website: www.england.nhs.uk
NHS England and NHS Digital have merged. Learn more 


Address: Head Office, 5th Floor, 7 & 8 Wellington Place, Leeds, West Yorkshire, 
LS1 4AP

Pronouns: she/her

This email is intended only for use by the named addressee. It may contain 
confidential and/or privileged information. If you are not the intended 
recipient, you should contact us immediately and should not disclose, use or 
rely on this email. We do not accept any liability arising from a third party 
taking action, or refraining from taking action, on the basis of information 
contained in this email. Thank you.



