[R-pkg-team] Bug in r-base and r-cran-rcppparallel
Dirk Eddelbuettel
edd at debian.org
Thu Feb 11 15:14:34 GMT 2021
On 11 February 2021 at 16:06, Johannes Ranke wrote:
| > | > The documentation does not list a search behaviour for bare library
| > | > names on non-Windows systems. So completely ignoring the system library
| > | > paths is kind of weird.
| > |
| > | I can see that it looks weird - but is it a bug?
| >
| > Exactly. It has been like that since the 1990s
|
| Mhm, I am not sure I am seeing an argument here :)
|
| > when R's packaging system was
| > set up. We have hundreds of per package shared libraries. Even the first
| > one I packaged for Debian (r-cran-rodbc, in 2003 if memory serves) used
| > that.
| >
| > "A feature not a bug" :)
|
| Or a missing feature, given that it was proposed to solve a problem...
Or a "merely perceived by some" problem that is a actually non-problem?
I have discussed prior CVEs with R Core. Poeple have over their code, the
CVEs (even for Linux) mostly only covered Windows-only code in the
more-or-less-eclipsed-by-RStudio IDE code (that we do not build, obviously,
as it very Windows only code).
Bastian knows more about security than I ever will but I still don't think
there is an issue here. I'd be happy to de-escalate all this, close it, let
Andreas figure what is up with RcppParallel (maybe not patching it is the
best path, I don't know) and we can take up what R does internally in another
venue more calmly.
Dirk
--
https://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
More information about the R-pkg-team
mailing list