R and R Package Security


Posit does not certify or verify that R or R packages are free from vulnerabilities.

One of the most common questions we’ve gotten while talking to admins about R packages is whether or not Posit Products include virus scanners.

The answer is no.

R programs are not pre-compiled; they are executed by the R interpreter at runtime. This is one of the reasons R is such a popular tool for interactive data science. However, because R programs are not compiled into executables, many techniques employed by virus scanners are not very effective against R packages. (R packages can contain external code, such as C++ code, either as source or already compiled; that is the main difference between a “source package” and a “binary package”.)

So how can we trust R packages?

This is a fascinating question that deserves a detailed response. Many in the R community are actively working on this challenging question, just as people in other open-source ecosystems tackle these challenges.

While not exhaustive, we offer these 4 considerations for users or admins wondering about package security:

  1. Posit provides R packages to Posit Package Manager through an upstream Posit service designed specifically for this task. The connection between this service and Posit Package Manager is encrypted. Daily updates to CRAN are reviewed by our team before they are made available through this service. The review process checks for consistent package metadata and also updates the package checksum file, which the R client uses to verify that downloaded package files are intact. We highly recommend that the connection between your R clients and Posit Package Manager be encrypted by hosting your Posit Package Manager instance over HTTPS.

  2. CRAN requires all submitted R packages to pass a series of checks prior to accepting them into the CRAN repository. These checks include installing the package alongside other CRAN packages and running package unit tests. While these tests do not specifically target malicious code, the tests provide a significant hurdle to uploading malicious packages to CRAN.

  3. R code is almost always executed as a non-privileged user. The majority of R code, especially code run in Posit Workbench or Posit Connect, is executed on behalf of a restricted service or user account. Posit Workbench, for example, runs under an AppArmor profile that is inherited by the R processes it invokes on behalf of non-privileged users. Similarly, Posit Connect provides an extensive sandboxing process to run user code in an isolated environment. Additionally, while Posit Package Manager provides a means for users to download packages originating on the internet, most R code is executed in offline environments, often dedicated analytic sandboxes. These measures not only guard against malicious code, but also keep analysts from accidentally interfering with one another. Learn more about Posit’s security policy or common security FAQs.

  4. Posit Package Manager allows you to control exactly what packages are brought into your organization through curated sources.
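The checksum file mentioned in consideration 1 is the repository's PACKAGES index, a Debian-control-file (DCF) style listing in which each record can carry an MD5sum field for the corresponding source tarball. The following Python script is an added example, not Posit Package Manager code and not a reproduction of how the R client performs the check internally: it parses a constructed PACKAGES index (including a continuation line and a record with no MD5sum) and compares the MD5 of constructed "downloaded" bytes against the index, reporting a match, a mismatch, a missing checksum, or an unknown package. The package names, versions and tarball bytes are all constructed for the example.

```python
"""Checking downloaded R package files against a repository's PACKAGES index.

Added example for this article; not Posit Package Manager code. The
PACKAGES text and the "tarball" bytes are constructed so it runs offline.
"""
import hashlib
from typing import Dict

Index = Dict[str, Dict[str, str]]


def md5_hex(data: bytes) -> str:
    """MD5 as used by CRAN-style indexes: an integrity check on the file,
    not an authenticity guarantee (the index itself must arrive over an
    authenticated channel such as HTTPS for the comparison to mean much)."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for downloaded source tarballs.
TARBALL_EXAMPLEPKG = b"examplepkg_1.0.0.tar.gz (constructed contents)"
TARBALL_OTHERPKG = b"otherpkg_0.2.1.tar.gz (constructed contents)"

# Constructed PACKAGES index in DCF format: records separated by a blank
# line, multi-line values continued with leading whitespace. The MD5sum
# values are derived from the constructed bytes above; the third record
# deliberately lacks an MD5sum field.
PACKAGES_INDEX = f"""\
Package: examplepkg
Version: 1.0.0
Depends: R (>= 3.5.0),
    utils
MD5sum: {md5_hex(TARBALL_EXAMPLEPKG)}
NeedsCompilation: no

Package: otherpkg
Version: 0.2.1
Imports: examplepkg
MD5sum: {md5_hex(TARBALL_OTHERPKG)}
NeedsCompilation: yes

Package: legacypkg
Version: 0.0.9
"""


def parse_packages_index(text: str) -> Index:
    """Parse a PACKAGES file into {package name: {field: value}}.

    A blank line ends a record; a line beginning with whitespace continues
    the previous field's value (joined with a single space).
    """
    records, current, last_field = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
            current, last_field = {}, None
            continue
        if raw[0] in " \t" and last_field is not None:
            current[last_field] = current[last_field] + " " + raw.strip()
            continue
        field, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed DCF line: {raw!r}")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        records.append(current)
    return {rec["Package"]: rec for rec in records if "Package" in rec}


def verify_tarball(data: bytes, package: str, index: Index) -> str:
    """Compare a downloaded file against the index entry for `package`.

    Returns one of: "ok", "mismatch", "no-checksum", "unknown-package".
    A missing MD5sum is reported separately rather than treated as success,
    so callers can decide whether unverifiable downloads are acceptable.
    """
    record = index.get(package)
    if record is None:
        return "unknown-package"
    expected = record.get("MD5sum", "").strip().lower()
    if not expected:
        return "no-checksum"
    return "ok" if md5_hex(data) == expected else "mismatch"


if __name__ == "__main__":
    index = parse_packages_index(PACKAGES_INDEX)
    downloads = {
        "examplepkg": TARBALL_EXAMPLEPKG,
        "otherpkg": TARBALL_OTHERPKG + b"\x00",  # simulate a corrupted download
        "legacypkg": b"",
    }
    for name, data in downloads.items():
        print(f"{name}: {verify_tarball(data, name, index)}")
```

R itself ships the same two building blocks, `read.dcf()` for the index and `tools::md5sum()` for the file, if you would rather script the check from an R session. Whichever side does the comparison, the result is only as trustworthy as the channel that delivered the PACKAGES file, which is why the article recommends serving Posit Package Manager over HTTPS.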
