Re: Lua Ecosystem

[Dirk Laurie <dirk.laurie@...>]

2013/11/26 Sean Conner <sean@conman.org>:

> A problem with LuaRocks is that the name used to install a module isn't
> the actual name of the module you use in Lua---that still doesn't solve the
> issue of overlapping modules.  For instance:
>
> [spc]lucy:~>luarocks install luuid
>         ...
> [spc]lucy:~>lua
> Lua 5.1.5  Copyright (C) 1994-2012 Lua.org, PUC-Rio
>> uuid = require "uuid"
>> show = require "org.conman.table".show
>> show(uuid)
> version  "uuid library for Lua 5.1 / Nov 2010"
> new      function: 0x905cab0
> time     function: 0x90541d8
> isvalid  function: 0x905ca78
>
> [spc]lucy:~>luarocks install uuid
>         ...
> [spc]lucy:~>lua
> Lua 5.1.5  Copyright (C) 1994-2012 Lua.org, PUC-Rio
>> uuid = require "uuid"
>> show = require "org.conman.table".show
>> show(uuid)
> randomseed  function: 0xa0136f8
> seed        function: 0xa0136d8
> new         function: 0xa013788
>
>   No warning that module "uuid" was being overwritten.  Now, what if I
> installed (via LuaRocks) LuaFoo that uses luuid (which is installed, because
> of dependency tracking), and LuaBar that uses uuid (which is also installed,
> because of dependency tracking)?

Not knowing all those modules, I'm tempted to think that
the con man at that org is performing a three-card trick :-)

More seriously, four questions about LuaRocks:

1. Is there any moderation whatsoever, or can any idiot,
con man or whoever upload something and suddenly
it's got rock status?
2. Once I have uploaded a rock, is there any way that
someone who is not me can upload something claiming
to be a newer version of it?
3. Is there any mechanism in place where users can give
just +1 and -1 feedback?
4. Would it be utterly and completely impractical to impose
certain minimal standardizations, e.g.

- require "module" always returns something callable
- require "module" "_SIGNATURE" returns a unique
string that is automatically allocated when that version
of the rock is uploaded.