My organization is relatively new to R and RStudio. We have an RStudio Server Pro environment where 20+ statisticians and analysts do their work. Currently, we use the default `.libPaths()` setup where each user has a package library for each x.y version of R. We have a folder on the network that hosts our 2 internal packages and it is added to the `options(repos)`.
Our IT Security department recently added firewalls that blocked `install.packages()` and `devtools::install_github()`. Now we need to develop a package management solution that addresses their concerns of installing unverified code.
A few questions:
- Do your organizations have a tool to scan/verify/vet R packages and R code for vulnerabilities?
- Do you manually review the code for CRAN or GitHub packages that users want to use?
- Do you have a specified level of trust that extends to CRAN/MRAN/Bioconductor or beyond?
- If necessary, how do you come up with the list of "blessed" packages?
- How do you deal with bugs that are fixed on GitHub but not yet on CRAN? Or visualization/statistical packages that haven't made it to CRAN yet?
- Do you enforce your protocol with one of the miniCRAN / internal mirroring solutions?
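One concrete shape for the "blessed list plus internal mirror" approach the last question sketches, as an added example that is not part of the original post: miniCRAN vendors an explicit allowlist (with its dependency closure) into a file-based repository on the share, a manifest records the checksum of every reviewed tarball, and a verify step flags anything altered, missing, or dropped in without review. The package names, the `/srv/R/internal-cran` path and the `approved-md5.csv` manifest name are assumptions.

```r
# Added example, not from the original post: build a curated internal repository
# from an explicit allowlist with miniCRAN, record a checksum for every vetted
# tarball, and re-verify the share later. Paths and package names are assumed.
library(miniCRAN)

repo_path <- "/srv/R/internal-cran"               # assumed location on the share
upstream  <- c(CRAN = "https://cloud.r-project.org")
blessed   <- c("data.table", "ggplot2")           # the reviewed ("blessed") list
manifest  <- file.path(repo_path, "approved-md5.csv")
contrib   <- file.path(repo_path, "src", "contrib")

# Run on the one machine that may still reach CRAN; everything else reads the share.
build_repo <- function() {
  dir.create(repo_path, recursive = TRUE, showWarnings = FALSE)
  # Resolve the full dependency closure so nothing has to be fetched ad hoc later.
  pkgs <- miniCRAN::pkgDep(blessed, repos = upstream, type = "source", suggests = FALSE)
  miniCRAN::makeRepo(pkgs, path = repo_path, repos = upstream, type = "source")
  tarballs <- list.files(contrib, pattern = "\\.tar\\.gz$", full.names = TRUE)
  sums <- tools::md5sum(tarballs)
  write.csv(data.frame(file = basename(tarballs), md5 = unname(sums)),
            manifest, row.names = FALSE)
  invisible(pkgs)
}

# Compare the share against the manifest: altered or missing tarballs and any
# file added without review are reported instead of silently installed.
verify_repo <- function() {
  approved <- read.csv(manifest, stringsAsFactors = FALSE)
  current  <- unname(tools::md5sum(file.path(contrib, approved$file)))  # NA if missing
  changed  <- approved$file[is.na(current) | current != approved$md5]
  present  <- list.files(contrib, pattern = "\\.tar\\.gz$")
  unreviewed <- setdiff(present, approved$file)
  list(ok = length(changed) == 0 && length(unreviewed) == 0,
       changed = changed, unreviewed = unreviewed)
}

# Rprofile.site on the RStudio Server host: every session sees only the vetted
# repository, so install.packages() has nowhere else to resolve packages from.
# options(repos = c(internal = paste0("file://", repo_path)))
```

Re-running `verify_repo()` on a schedule (or before each `makeRepo` refresh) turns the share into an auditable allowlist rather than a plain folder anyone with write access can extend.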