Re: [R] Current version of R, 4.4.0 and patch to correct the bug fix related to the RStudio viewer pane on Windows systems

2024-05-17 Thread Vega, Ann (she/her/hers) via R-help
We are a government agency so it's an issue.

But I appreciate your input and Duncan's as well.  We have the answer we needed 
based on Duncan's response.

Thank you for your time!

av

Ann Vega, PSPO
She/Her/Hers (Learn More)
Office of Science Information Management, Data Architect
EPA Office of Research and Development
Cincinnati, OH

Mobile: 513-418-1922 - or reach out to me on Teams!
Hours:  Monday-Thursday, 7:30am - 6:00 pm, CDO:  Fridays
Email: vega@epa.gov


From: CALUM POLWART 
Sent: Thursday, May 16, 2024 1:38 PM
To: Vega, Ann (she/her/hers) 
Cc: R-help@r-project.org
Subject: Re: [R] Current version of R, 4.4.0 and patch to correct the bug fix 
related to the RStudio viewer pane on Windows systems


Do you receive RDS objects from unknown (untrusted) sources?

If not - the security issue is a non-issue as I understand it.

On Thu, 16 May 2024, 16:21 Vega, Ann (she/her/hers) via R-help 
<r-help@r-project.org> wrote:
I help to coordinate the USEPA's R user group.  We have over 500 members and 
our security officer has required us to update to R version 4.4.0 because of 
the security vulnerability to versions prior.  However, we cannot download the 
patched version because it does not have a signed certificate and Microsoft 
Defender won't allow us to install it.

Most of our users rely on the RStudio viewer pane so we are in a bit of a 
quandary.  We suspect other government agencies are impacted by this as well.

Can you give me an estimated time for when another official version will be 
released with the patch included?  I may be able to ask our security officer to 
allow us to delay our install until that official version is released.  
Alternatively, if the patched version could have a signed certificate, that 
would allow us to install it.

Thank you.

Ann Vega, PSPO
She/Her/Hers (Learn More)
Office of Science Information Management, Data Architect
EPA Office of Research and Development
Cincinnati, OH

Mobile: 513-418-1922 - or reach out to me on Teams!
Hours:  Monday-Thursday, 7:30am - 6:00 pm, CDO:  Fridays
Email: vega@epa.gov



[[alternative HTML version deleted]]

__
R-help@r-project.org mailing list -- To 
UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide 
http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.



Re: [R] Current version of R, 4.4.0 and patch to correct the bug fix related to the RStudio viewer pane on Windows systems

2024-05-16 Thread Ben Bolker
  Yes, but this sounds more like a bureaucratic requirement ("all 
available patches must be installed") and less like something someone 
has thought through.


  It's conceivable that one might be able to talk to a security officer 
and convince them that this is not in fact an important issue, but I'm 
not optimistic about that ...


  Ben Bolker

On 2024-05-16 1:38 p.m., CALUM POLWART wrote:

Do you receive RDS objects from unknown (untrusted) sources?

If not - the security issue is a non-issue as I understand it.


On Thu, 16 May 2024, 16:21 Vega, Ann (she/her/hers) via R-help, <
r-help@r-project.org> wrote:


I help to coordinate the USEPA's R user group.  We have over 500 members
and our security officer has required us to update to R version 4.4.0
because of the security vulnerability to versions prior.  However, we
cannot download the patched version because it does not have a signed
certificate and Microsoft Defender won't allow us to install it.

Most of our users rely on the RStudio viewer pane so we are in a bit of a
quandary.  We suspect other government agencies are impacted by this as
well.

Can you give me an estimated time for when another official version will
be released with the patch included?  I may be able to ask our security
officer to allow us to delay our install until that official version is
released.  Alternatively, if the patched version could have a signed
certificate, that would allow us to install it.

Thank you.

Ann Vega, PSPO
She/Her/Hers (Learn More





Re: [R] Current version of R, 4.4.0 and patch to correct the bug fix related to the RStudio viewer pane on Windows systems

2024-05-16 Thread CALUM POLWART
Do you receive RDS objects from unknown (untrusted) sources?

If not - the security issue is a non-issue as I understand it.


On Thu, 16 May 2024, 16:21 Vega, Ann (she/her/hers) via R-help, <
r-help@r-project.org> wrote:

> I help to coordinate the USEPA's R user group.  We have over 500 members
> and our security officer has required us to update to R version 4.4.0
> because of the security vulnerability to versions prior.  However, we
> cannot download the patched version because it does not have a signed
> certificate and Microsoft Defender won't allow us to install it.
>
> Most of our users rely on the RStudio viewer pane so we are in a bit of a
> quandary.  We suspect other government agencies are impacted by this as
> well.
>
> Can you give me an estimated time for when another official version will
> be released with the patch included?  I may be able to ask our security
> officer to allow us to delay our install until that official version is
> released.  Alternatively, if the patched version could have a signed
> certificate, that would allow us to install it.
>
> Thank you.
>
> Ann Vega, PSPO
> She/Her/Hers (Learn More)
> Office of Science Information Management, Data Architect
> EPA Office of Research and Development
> Cincinnati, OH
>
> Mobile: 513-418-1922 - or reach out to me on Teams!
> Hours:  Monday-Thursday, 7:30am - 6:00 pm, CDO:  Fridays
> Email: vega@epa.gov


Re: [R] Current version of R, 4.4.0 and patch to correct the bug fix related to the RStudio viewer pane on Windows systems

2024-05-16 Thread Duncan Murdoch
The developer.r-project.org site lists plans for releases, and no plan 
is in place yet for a 4.4.1 release.


You can look at the history of previous versions if you want to make a 
guess:


4.3.1: June, 2023
4.2.1: June, 2022
4.1.1: August, 2021
4.0.1: June, 2020
3.6.1: July, 2019
3.5.1: July, 2018
3.4.1: June, 2017
3.3.1: June, 2016

So it's a good guess that it will happen before September, and better 
than even odds it will be before July.


Duncan Murdoch

On 2024-05-16 7:39 a.m., Vega, Ann (she/her/hers) via R-help wrote:

I help to coordinate the USEPA's R user group.  We have over 500 members and 
our security officer has required us to update to R version 4.4.0 because of 
the security vulnerability to versions prior.  However, we cannot download the 
patched version because it does not have a signed certificate and Microsoft 
Defender won't allow us to install it.

Most of our users rely on the RStudio viewer pane so we are in a bit of a 
quandary.  We suspect other government agencies are impacted by this as well.

Can you give me an estimated time for when another official version will be 
released with the patch included?  I may be able to ask our security officer to 
allow us to delay our install until that official version is released.  
Alternatively, if the patched version could have a signed certificate, that 
would allow us to install it.

Thank you.

Ann Vega, PSPO
She/Her/Hers (Learn More)
Office of Science Information Management, Data Architect
EPA Office of Research and Development
Cincinnati, OH

Mobile: 513-418-1922 - or reach out to me on Teams!
Hours:  Monday-Thursday, 7:30am - 6:00 pm, CDO:  Fridays
Email: vega@epa.gov





[R] Current version of R, 4.4.0 and patch to correct the bug fix related to the RStudio viewer pane on Windows systems

2024-05-16 Thread Vega, Ann (she/her/hers) via R-help
I help to coordinate the USEPA's R user group.  We have over 500 members and 
our security officer has required us to update to R version 4.4.0 because of 
the security vulnerability to versions prior.  However, we cannot download the 
patched version because it does not have a signed certificate and Microsoft 
Defender won't allow us to install it.

Most of our users rely on the RStudio viewer pane so we are in a bit of a 
quandary.  We suspect other government agencies are impacted by this as well.

Can you give me an estimated time for when another official version will be 
released with the patch included?  I may be able to ask our security officer to 
allow us to delay our install until that official version is released.  
Alternatively, if the patched version could have a signed certificate, that 
would allow us to install it.

Thank you.

Ann Vega, PSPO
She/Her/Hers (Learn More)
Office of Science Information Management, Data Architect
EPA Office of Research and Development
Cincinnati, OH

Mobile: 513-418-1922 - or reach out to me on Teams!
Hours:  Monday-Thursday, 7:30am - 6:00 pm, CDO:  Fridays
Email: vega@epa.gov


