Hi, An additional resource that was not listed below is the R Software Development Life Cycle (SDLC) document that is available here:
https://www.r-project.org/certification.html which addresses a subset of the issues raised. Regards, Marc Schwartz On May 17, 2023 at 4:52:27 AM, Ivan Krylov (krylov.r...@gmail.com (mailto:krylov.r...@gmail.com)) wrote: > В Tue, 16 May 2023 13:47:19 +0000 > "MAJID, Ayesha \(NHS ENGLAND - X26\) via R-help" > пишет: > > > * When was the application last updated? > > * How often is it updated? > > This information is publicly available at > by looking for "Release plans". You > can reach this page by starting at and > clicking the "Developer Pages" link. The developer pages are admittedly > harder to navigate than the main website, but I think that they could > answer some of your other questions too. > > You can also obtain this information by looking for "News" under > and by checking the dates of all released > versions of R at . > > > * Is the source code anywhere? If so where is > > Yes, you can download release source code by following the "download R" > link at , ending up at > https://cloud.r-project.org/ (or your preferred CRAN mirror) and > clicking the link for the currently-latest version, R-4.3.0.tar.gz. > > The link to the Subversion repository containing yet unreleased code > can be located at https://developer.r-project.org/. > > > and is it secure? > > What's the threat model? > > > * Are there any common vulnerabilities? > > What would be considered a vulnerability in a piece of software that > was never supposed to be a security boundary? > > (Will R run arbitrary code typed at its prompt? Yes, by design. Is it > possible to feed maliciously-constructed data into R's unserialize() > and cause arbitrary code execution this way? Probably, but typing code > at the prompt is much easier. Can third-party R packages that start TCP > servers be convinced to run arbitrary code on attacker's behalf? > Consider that a given.) > > > * Do your employees (e.g., developers or system administrators) > > have access to customer data? > > By itself, R processes any data fed into it locally, on the computer > where it's running, without contacting R developers about it. > > The same cannot be guaranteed about third-party packages, although > there are tests and reviews at both CRAN and Bioconductor in order to > prevent the packages from doing anything considered "anti-social". (See > for more > information on this.) A sufficiently motivated malicious actor could > circumvent them, of course, but that can be said about anything. > > If someone at NHS wants to use R, they will probably want to use CRAN > and Bioconductor packages too. Potentially, they might need packages > published elsewhere as well. All these packages will have to be > reviewed separately from R, because they are maintained by different > people. > > > * Does R require third party authorization/connections? > > No, but shouldn't you be more concerned with third-party software > dependencies? > > (Did you mean to ask these questions at the public mailing list open > for J. Random Hackers like me to answer?) > > -- > Best regards, > Ivan > > ______________________________________________ > R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see > https://stat.ethz.ch/mailman/listinfo/r-help > PLEASE do read the posting guide http://www.R-project.org/posting-guide.html > and provide commented, minimal, self-contained, reproducible code. ______________________________________________ R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see https://stat.ethz.ch/mailman/listinfo/r-help PLEASE do read the posting guide http://www.R-project.org/posting-guide.html and provide commented, minimal, self-contained, reproducible code.
