On Fri, 3 May 2024, Ivan Krylov via R-package-devel wrote:

> Dear Maciej Nasinski,
>
> On Fri, 3 May 2024 11:37:57 +0200
> Maciej Nasinski <nasinski.mac...@gmail.com> wrote:
>
>> I believe we must conduct a comprehensive review of all existing CRAN
>> packages.
>
> Why now? R packages are already code. You don't need poisoned RDS files
> to wreak havoc using an R package.
>
> On the other hand, R data files contain R objects, which contain code.
> You don't need exploits to smuggle code inside an R object.

I think the confusion arises because users expect "R data files" to only
contain data, i.e. numbers, but they can contain any R object, including
functions.

I, personally, never use them out of concern that an accidentally saved
function can override some functionality and be difficult to debug. And,
of course, I never save R sessions.

If you need to pass data, it is a good idea to use some common format like
tab-separated CSV files with column names. One can also use MVL files
(RMVL package).

best

Vladimir Dergachev
______________________________________________
R-package-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-package-devel
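
An added illustration of the point made in this message, not code from the thread: a base-R check that lists any functions or other code-bearing components inside an object loaded from an RDS file, followed by the tab-separated round trip the message recommends. `find_code()` and `CODE_TYPES` are hypothetical names, and the sample data is constructed.

```r
# typeof() values that carry code, or references to it, instead of values.
CODE_TYPES <- c("closure", "builtin", "special", "language", "expression",
                "symbol", "promise", "bytecode", "environment",
                "externalptr", "S4")

# Return the path of every non-data component of x, looking inside list
# elements and attributes. unclass() keeps S3 methods out of the traversal.
find_code <- function(x, path = "obj") {
  if (typeof(x) %in% CODE_TYPES) {
    return(sprintf("%s <%s>", path, typeof(x)))
  }
  hits <- character(0)
  a <- attributes(x)
  for (nm in names(a)) {
    hits <- c(hits, find_code(a[[nm]], sprintf("attr(%s, \"%s\")", path, nm)))
  }
  if (is.list(x)) {
    ux <- unclass(x)
    for (i in seq_along(ux)) {
      hits <- c(hits, find_code(ux[[i]], sprintf("%s[[%d]]", path, i)))
    }
  }
  hits
}

# Constructed sample: a data frame saved together with a function.
measurements <- data.frame(id = 1:3, value = c(0.5, 1.25, 2))
bundle <- list(data = measurements, mean = function(x, ...) 0)

rds <- tempfile(fileext = ".rds")
saveRDS(bundle, rds)
# The check runs after readRDS() has deserialized the file, so it finds
# stray functions in files you produced; it is not a sandbox.
loaded <- readRDS(rds)
print(find_code(loaded))       # code-bearing components of the whole bundle
print(find_code(loaded$data))  # the same check on the data frame alone

# The exchange format suggested in the message: tab-separated text with
# column names, read back with explicit column types.
tsv <- tempfile(fileext = ".tsv")
write.table(measurements, tsv, sep = "\t", row.names = FALSE, quote = FALSE)
back <- read.delim(tsv, colClasses = c("integer", "numeric"))
stopifnot(isTRUE(all.equal(back, measurements)),
          length(find_code(back)) == 0)
```

Model objects such as fitted `lm` results will also be reported, because they store a formula and call, which are language objects.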