ropensci / unconf17

Website for 2017 rOpenSci Unconf
http://unconf17.ropensci.org

Package security #72

Closed stephlocke closed 7 years ago

stephlocke commented 7 years ago

For installing gganimate I had to install ImageMagick, which Windows identified as containing a Trojan (see #482). It passes some virus scans but not others.

magick bundles its own copies of some of the important libraries from ImageMagick. That's great because I don't have to install ImageMagick directly, but if there was indeed something malicious in the ImageMagick libs (which there isn't AFAIK), then magick would be inadvertently spreading it.

It got me to thinking about what we can do to improve security-conscious development practices.

What can we do to help ensure our R code and the things it depends on are not a risk to people's environments?

What sort of guidance can be produced to inform people, who are often not full-time developers, to make it easier for them to be security conscious?

noamross commented 7 years ago

A related project is @hrbrmstr and @dirkschumacher's https://github.com/hrbrmstr/rpwnd, which demonstrates security issues related to R packages by showing just how much an R package can do to your computer (benignly).

stephlocke commented 7 years ago

Of course, @hrbrmstr has a package for that! Brilliant :)

stephlocke commented 7 years ago

Is anyone else interested in developing support or guidance for package devs to help do sensible things around security?

stephlocke commented 7 years ago

We're working on security docs & packages supporting signed activities in R.

Look out for Oliver Keyes or me to join us

benmarwick commented 7 years ago

Is the notary pkg and this blog post the outcome of this thread: https://ropensci.org/blog/blog/2017/07/25/notary ?

sckott commented 7 years ago

I think so? @stephlocke ?

stephlocke commented 7 years ago

Plus this Security book WIP ropenscilabs.github.io/r-security-practices/