> Oh, my ... it's worse than I thought. Not only does it run things so you have
> to wait forever - it actually installs packages behind your back! Wow, now
> there is the nightmare abuse of \Sexpr - the malicious package retrieves
> private data from your machine and deletes your files... and I was worrying
> about leaving a tiny crack open for Rhttpd injection attacks - yet there is a
> big gaping door open to all packages ... Does it mean we need more stringent
> checks on Rd files now as well since they contain code?

As long as you realise Rd files can run arbitrary R code, you're no worse off than you were before Rd files could run code. No one is checking that there's not a function in ggplot2 that secretly sends me all your code and data ;)

Hadley

--
Assistant Professor / Dobelman Family Junior Chair
Department of Statistics / Rice University
http://had.co.nz/

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
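
An added illustration, not part of the original thread and not code from R or any package: a small Python scanner that lists every \Sexpr macro in an Rd file together with the stage at which its code runs, so the embedded R code can be read before a package is built or installed. The names `find_sexpr` and `SAMPLE_RD` are hypothetical and the sample Rd text is constructed.

```python
import re

# \Sexpr, an optional [options] block, then the opening brace of the code.
# The lookbehind skips an escaped backslash (\\Sexpr), which is literal text.
SEXPR = re.compile(r"(?<!\\)\\Sexpr(?:\[([^\]]*)\])?\{")

# Constructed sample input, not taken from any real package.
SAMPLE_RD = r"""\name{demo}
\title{Constructed sample}
\description{
  Built on \Sexpr[stage=build]{format(Sys.Date())}.
  Count: \Sexpr{local({ x <- 1:3; length(x) })}
}
"""

def find_sexpr(rd_text):
    """Return [(line_number, stage, r_code), ...] for each \\Sexpr macro."""
    findings = []
    for m in SEXPR.finditer(rd_text):
        # Walk forward from the opening brace until the braces balance,
        # stepping over backslash-escaped characters such as \{ and \}.
        depth, i = 1, m.end()
        while i < len(rd_text) and depth:
            ch = rd_text[i]
            if ch == "\\":
                i += 2
                continue
            depth += (ch == "{") - (ch == "}")
            i += 1
        # An unterminated macro is reported with everything that follows it.
        code = rd_text[m.end():i - 1] if depth == 0 else rd_text[m.end():]
        # Options are comma-separated key=value pairs, e.g. stage=build.
        opts = dict(
            (k.strip(), v.strip())
            for k, _, v in (o.partition("=") for o in (m.group(1) or "").split(","))
            if k.strip()
        )
        line = rd_text.count("\n", 0, m.start()) + 1
        # "install" is the documented default stage when none is given.
        findings.append((line, opts.get("stage", "install"), code.strip()))
    return findings

if __name__ == "__main__":
    for line, stage, code in find_sexpr(SAMPLE_RD):
        print(f"line {line}: runs at stage={stage}: {code}")
```

The scanner only surfaces the embedded code for a human to read; it does not judge whether that code is safe.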