On 08/26/2014 08:57 PM, Roberto Ierusalimschy wrote:
> Probably I am missing something...
> 
> IIUC, more popular languages similar to Lua have dozens of "crash" bugs
> in their current distributions with no patches applied, because there
> are no patches for them. Is this ok (no patches applied because there
> are no patches)? Would our sin be smaller if our single crash bug had no
> known patch?
> 
> -- Roberto
> 

I see two obvious choices:

1. You could simply announce Lua is unsuitable for sandboxing. However,
that would be sad since in practice many use it for that, and they
probably won't stop doing that.

2. You could make more visible security announcements on the homepage
when crash bugs (or other critical things) appear. (compare libpng
website with very prominent security notices)

I think the only problem here is communication, mainly that the website
offers an example demo sandbox and doesn't necessarily communicate 1.,
and that 2. wasn't really followed either.

It is very commendable that you released a timely patch in April 2013
and as you correctly noted: not all scripting languages watch their
crash exploits so closely. This makes Lua a lot more suitable and safer
for sandboxing than other languages, which is awesome!

It is more a case of "we can do even better with slight alterations",
rather than "Lua screwed up": it is just sad the patch WAS available,
and still wasn't adopted. That isn't a sin, but rather just awesomeness
that could have been but wasn't - and which would be worth pursuing.

Regards,
Jonas Thiem