From 58dc86b8fc27207f38106d4df9d7b83622f2ac82 Mon Sep 17 00:00:00 2001 From: Scott Chamberlain Date: Wed, 1 Nov 2023 11:53:16 -0700 Subject: [PATCH] first bits of security content added #6 --- security.qmd | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/security.qmd b/security.qmd index f1b0ef8..aece517 100644 --- a/security.qmd +++ b/security.qmd 
@@ -1,3 +1,34 @@ # Security {{< iconify fa6-solid lock >}} {#sec-security} -xxx \ No newline at end of file +## Package security + +Keeping secrets a secret is an important task and should not be an afterthought - but instead considered from the beginning of a package. + +In general, the rOpenSci Development Guide has good advice on [package security](https://devguide.ropensci.org/package-development-security-best-practices.html). + +As time goes on we'll document here if we have any strong opinions about security related aspects of packages. + +## Data + +Software created in the WILDS may touch PII/PHI data. + +### Package Data + +Do not include any PII/PHI data within a package. If data needs to be included in a package for tests, examples, etc., use fake data that is similar enough to be able to run tests/examples, etc. + +There's many packages in both R (e.g. [charlatan][], [wakefield][]. [fakir][]) and Python (e.g. [faker][]) for creating fake data. + +### Examples + +We strongly encourage all exported, user-facing functions, to have examples. However, when PII/PHI data is a crucial part of an example for a function/class/etc. we need to take extra precautions. + +In package documentation created with pkgdown (see @sec-docs) examples should use fake data included with the package. + +If it makes sense to have examples that run with real data that might be PII/PHI data, those examples should xxxx + + + +[faker]: https://github.com/joke2k/faker +[charlatan]: https://github.com/ropensci/charlatan +[wakefield]: https://github.com/trinker/wakefield +[fakir]: https://github.com/Thinkr-open/fakir/
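Review bot: The line "those examples should xxxx" leaves a placeholder in the rendered page; either finish the sentence before merging (e.g. state that examples touching real PII/PHI data must not be executed during `R CMD check` or the pkgdown build, and that the rendered site must never embed the output of such examples) or drop the sentence until the guidance exists, since this is the one place the section actually needed a concrete rule. Two smaller points in the same hunk: "[charlatan][], [wakefield][]. [fakir][]" has a period where a comma belongs, which breaks the list, and "There's many packages" should read "There are many packages". The reference-style links are resolved by the definitions added at the bottom of the file, so that part is fine as written.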