My organization is relatively new to R and RStudio. We have an RStudio Server Pro environment where 20+ statisticians and analysts do their work. Currently, we use the default `.libPaths()` setup where each user has a package library for each x.y version of R. We have a folder in the network that hosts our 2 internal packages and it is added to the

Our IT Security department recently added firewalls that blocked `devtools::install_github()`. Now we need to develop a package management solution that addresses their concerns of installing unverified code.
A few questions:
- Do your organizations have a tool to scan/verify/vet R packages and R code for vulnerabilities?
- Do you manually review the code for CRAN or Github packages that users want to use?
- Do you have a specified level of trust that extends to CRAN/MRAN/Bioconductor or beyond?
- If necessary, how do you come up with the list of "blessed" packages?
- How do you deal with bugs that are fixed on Github but not yet on CRAN? Or visualization/statistical packages that haven't made it to CRAN yet?
- Do you enforce your protocol with one of the miniCRAN / internal mirroring solutions?
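One concrete way to enforce a "blessed package" list on top of an internal miniCRAN mirror, as an added example that is not from the original post or from any particular organization: a wrapper that only installs packages present in a review-team manifest, at the reviewed version, and only after the downloaded tarball's SHA-256 matches the reviewed build. The manifest path, mirror path and CSV columns (`package`, `version`, `sha256`) are assumptions for the example.

```r
# Allowlist-enforcing installer (added example; paths and manifest layout are assumed).
# Assumes an internal CRAN-like mirror built with miniCRAN::makeRepo() and a CSV
# manifest maintained by the review team with columns: package, version, sha256.
vetted_install <- function(pkg,
                           manifest = "/srv/r-vetted/manifest.csv",    # assumed path
                           repo     = "file:///srv/r-vetted/miniCRAN",  # assumed path
                           lib      = .libPaths()[1]) {
  vetted <- read.csv(manifest, stringsAsFactors = FALSE)
  row <- vetted[vetted$package == pkg, , drop = FALSE]
  if (nrow(row) != 1L) {
    stop(sprintf("'%s' is not on the vetted list; request a review before installing", pkg))
  }

  # Refuse anything but the exact version the reviewers looked at, even if the
  # mirror has since been refreshed with a newer release.
  avail  <- available.packages(repos = repo, type = "source")
  served <- if (pkg %in% rownames(avail)) avail[pkg, "Version"] else NA_character_
  if (is.na(served) || !identical(served, row$version)) {
    stop(sprintf("mirror serves %s version %s, but only version %s was reviewed",
                 pkg, served, row$version))
  }

  # Download the source tarball and compare its SHA-256 with the reviewed build.
  dl      <- download.packages(pkg, destdir = tempdir(), repos = repo, type = "source")
  tarball <- dl[1, 2]
  got     <- digest::digest(file = tarball, algo = "sha256")
  if (!identical(tolower(got), tolower(row$sha256))) {
    unlink(tarball)
    stop(sprintf("checksum mismatch for %s: tarball does not match the reviewed build",
                 basename(tarball)))
  }

  # repos = NULL installs from the verified local file only; no network access here.
  install.packages(tarball, repos = NULL, type = "source", lib = lib)
  invisible(tarball)
}
```

Pointing `options(repos = c(CRAN = repo))` at the same mirror in `Rprofile.site` keeps plain `install.packages()` on the vetted set as well, while the wrapper adds the version pin and checksum check for packages that were reviewed individually.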