r-multiverse / help

Discussions, issues, and feedback for R-multiverse
https://r-multiverse.org
MIT License

Security of package code #80

Open wlandau opened 2 weeks ago

wlandau commented 2 weeks ago

Discussed in https://github.com/r-multiverse/help/discussions/76

Originally posted by **wlandau** July 19, 2024

This might be an R-universe issue, but what can/should we do to prevent hosting malicious code from both community and production?

I really hope we can delegate to GitHub to handle this. Maybe we require the standard security scanning features to be enabled? @jeroen, @shikokuchuo, @maelle, would that be enough?

What about packages hosted on GitLab? If GitLab doesn't have enough built-in security, maybe we require manual review for those packages, and the bot reminds reviewers to run some sort of ad hoc security scan (not sure what is possible on that front).

maelle commented 2 weeks ago

This is a great question. :sweat_smile: (I'm no security expert at all)

wlandau commented 1 week ago

@tylfin mentioned OSV-Scanner as a possible resource (cf. https://github.com/rconsortium/r-advisory-database). Apparently we can run it at the level of a whole universe to detect R packages with vulnerabilities or malware.

The group's opinion from today's meeting was that GitHub security scanning and Dependabot are heavy-handed and might not be very effective.
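As an added illustration (not code from this thread, from R-multiverse or from OSV-Scanner) of what a universe-level check against OSV data could look like: one batched query to the public OSV API for every package in a universe, with the results mapped back to packages. The package names, versions and the advisory id are constructed placeholders; the `CRAN` ecosystem name and the `querybatch` endpoint are OSV's own.

```python
import json
import urllib.request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"  # public OSV batch endpoint

# Constructed sample: packages and versions hosted in a hypothetical universe
# (names and versions are illustrative, not real packages or findings).
UNIVERSE_PACKAGES = [
    {"name": "examplepkgA", "version": "1.0.0"},
    {"name": "examplepkgB", "version": "2.3.1"},
    {"name": "examplepkgC", "version": "0.9.0"},
]

def build_querybatch(packages, ecosystem="CRAN"):
    """Build one OSV querybatch request covering every package in the universe."""
    return {"queries": [{"package": {"name": p["name"], "ecosystem": ecosystem},
                         "version": p["version"]} for p in packages]}

def findings_from_response(packages, response):
    """Map querybatch results (returned in query order) back to packages.
    Returns {package_name: [advisory ids]} for packages with at least one advisory."""
    results = response.get("results", [])
    if len(results) != len(packages):
        raise ValueError("OSV returned %d results for %d queries"
                         % (len(results), len(packages)))
    findings = {}
    for pkg, result in zip(packages, results):
        ids = sorted(v["id"] for v in result.get("vulns", []))
        if ids:
            findings[pkg["name"]] = ids
    return findings

def scan_universe(packages, ecosystem="CRAN", timeout=30):
    """Live scan: POST the batch to OSV and return findings (requires network access)."""
    data = json.dumps(build_querybatch(packages, ecosystem)).encode()
    req = urllib.request.Request(OSV_QUERYBATCH, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return findings_from_response(packages, json.load(resp))

# Constructed sample response in the querybatch shape; the advisory id is a placeholder.
# A package with no known advisories comes back as an empty object.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-ADVISORY-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {},
    {"vulns": []},
]}

if __name__ == "__main__":
    print(findings_from_response(UNIVERSE_PACKAGES, SAMPLE_RESPONSE))
```

A reviewer bot could run `scan_universe` on the package list of a universe and block or flag any package that appears in the returned findings.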