
2014-08-26 19:27 GMT+02:00 Jonas Thiem <jonasthiem@googlemail.com>:

> There wasn't even a quick release of an update to 5.2.2 where this bug
> was found originally, just 5.2.3 a few months later after this bug was
> made public (though a patch was available to everyone willing to patch
> themselves until 5.2.3 was finally released).

The official description of Lua's mission is:

> Lua is intended to be used as a powerful, lightweight, embeddable
> scripting language for any program that needs one.

It goes on to say:

> Being an extension language, Lua has no notion of a "main" program:
> it only works embedded in a host client, called the embedding program
> or simply the host.

and:

> The Lua distribution includes a sample host program called lua

I.e. the Lua interpreter we all love is no more than a sample; you
should be rolling your own.

Its license inter alia says this:

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY
> OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
> LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

I think using Lua in a security-sensitive environment goes beyond
what the designers claim it is good for. It's not that they are insensitive
to security issues, it's that they're not paranoid about them. But: the
only good security people are those considered to be paranoid by
everybody else.

In particular, Lua has a policy that there is one final release of the
outgoing release when a new release comes out. No further fixes,
even if there is a bug reported to be present already in Lua 3.1,
even if it offers a security exploit. That policy says there will never
be an official Lua 5.1.6.

I see only one solution. Someone who _is_ paranoid about security
should maintain a Secure Lua website, where for example
lua-5.1.5-secure.tar.gz would be available. When that site has built up
a reputation for excellence, ask lua.org to feature a link to it.