lua-users home
lua-l archive


On Thu, May 22, 2014 at 9:15 AM, hasufell <hasufell@gentoo.org> wrote:
> hasufell:
>> Luiz Henrique de Figueiredo:
>>>
>>> Bottom line: Lua is not a fundamental software component in an OS.
>>
>> Yes, it is. Every library that is used by multiple programs is a
>> fundamental software component.
>>
>> Lua is currently used by 127 packages. If that is not fundamental, then
>> what is?
>>
>>
>
> And btw... if that wasn't clear enough.
>
> In case of a severe lua vulnerability, we would have to track 127 bug
> trackers instead of one (in case they all bundle it).
>
> That completely destroys the idea of distribution-level security.
>

I think you missed the point LHF was trying to make.

He's not saying that Lua shouldn't be distributed as a shared library
on platforms where it makes sense. He's saying that Lua (at least in
the major OSes right now, not counting niche or toy implementations)
isn't used at the lowest level of software -- not for kernels, not for
drivers, not for common fundamental libraries. It's used at the
application level, not at any level more fundamental than that.

The actual point here is that PUC-Rio doesn't want to be concerned
with making sure that the default makefile works unmodified on your
platform of choice with your behavior of choice. The default makefile
exists to show you how to build Lua, and if its behavior is
insufficient, you aren't just permitted but ENCOURAGED to modify it or
make your own. From Lua's perspective, the makefile is essentially a
config file, not a part of the source code.

For a contrasting point, Mike Pall explicitly says you SHOULDN'T try
to build LuaJIT with anything but the provided makefile. This should
be illustrative of the differences in the projects.

/s/ Adam