There are more than 12,000 packages for R available on CRAN, and many others available on Github and elsewhere. But how can you be sure that a given R package follows best development practices for high-quality, secure software?
Based on a recent survey of R users related to challenges in selecting R packages, the R Consortium now recommends a way for package authors to self-validate that their package follows best practices for development. The CII Best Practices Badge Program, developed by the Linux Foundation's Core Infrastructure Initiative, defines a set of criteria that open-source software projects should follow for quality and security. The criteria relate to open-source license standards, documentation, secure development and delivery practices, version control and bug reporting practices, build and test processes, and much more. R packages that meet these standards are a signal to R users that can be relied upon, and as the standards document notes:
There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different organizations.
Developers can self-validate their packages (free of charge) using an online tool to check their adherence to the standards and get a "passing", "silver" or "gold" rating. Passing projects are eligible to display the badge (shown above) as a sign of quality and security, and almost 200 projects qualify as of this writing. A number of R packages have already gone through or started the certification process, including ggplot2, R Consortium projects covr and DBI, and the built-in R package Matrix Matrix. For more details on how R packages can get to a passing certification, and the R Consortium survey they led to the recommendation, see the R Consortium blog post at the link below.
R Consortium: Should R Consortium Recommend CII Best Practices Badge for R Packages: Latest Survey Results
How do you intend to fulfill the secure software programming component?
Posted by: Avraham Adler | July 30, 2018 at 11:00