
Comments (10)

obrien-j commented on May 28, 2024 3

Just to mention, centralized assessments of tools / frameworks that have already been approved would allow for deduplication of security assessment teams, ideally leading to more rapid approvals.

from open-source-logiciel-libre.

gcharest commented on May 28, 2024 1

I think we also need to make sure the Open Resources Exchange purpose is properly understood.

It's not a list of TBS sanctioned tools and projects, it's a list of used software by departments.

The objective is to share who's using what so that we can more easily share how and why amongst each other.


smellems commented on May 28, 2024 1

@manolo20 If you want to create a pull request to add them, I'd be glad to accept it. PHP is already on the list.

@dbuijs I think the ORE can contain both programming languages for those using them directly and RStudio, Jupyter, Anaconda, ... as well


gcharest commented on May 28, 2024

This is critical and needs to happen ASAP.


dbuijs commented on May 28, 2024

With respect to R and Python, these are Turing-complete languages, not applications. The actual practical issues with deploying and supporting these languages have to do with how they are implemented.

For R, perhaps what you're actually hoping for is RStudio on the desktop (or perhaps server hosted)?

For Python, perhaps what you're hoping for is something like JupyterHub that allows Python code to be run in a notebook?


gcharest commented on May 28, 2024

@dbuijs Good point regarding programming languages vs applications per se.

I think the idea here will be to ensure that security assessments can be shared. Will be including this part in the directive on Open Source Software.


keithdouglas commented on May 28, 2024

As an application/software security guy it makes little sense to me to do assessments for a lot of development tools, though of course some supply chain stuff makes sense. Better to do supply chain on libraries etc. to use and on your colleagues to see that people writing software "know what they are doing" - Python and R seem to "encourage" shadow IT. (And of course rigorous assessments on all produced code/applications, which is hard if shadow development is ongoing.)


wardi commented on May 28, 2024

@keithdouglas Developers and data scientists want to code in Python and R because it makes them more productive. Whether that's "shadow IT" or not depends on management not the tools.


joshuagay commented on May 28, 2024

Regarding the comment: "With respect to R and Python, these are Turing-complete languages, not applications"

I think it is important to recognize that both the R Project and Python Software Foundation use the respective terms to refer to a suite of things, one of which is a language specification, but also you get libraries, and one or more end-user applications.

When a person installs and then executes either R or Python on any major OS, it runs it in "interactive mode" meaning users are running a non-gui application to write in the language and make use of other facilities of the application and in some cases other non-library software that ships with the "language."

Not all programming languages -- even ones where we generally include standard libraries as part of what we mean when we say "language" -- include non-gui terminal applications that allow "interactive" modes like this.


ShadeWyrm commented on May 28, 2024

Closing; both languages are pending review:
canada-ca/ore-ero#805
+
canada-ca/ore-ero#804

