lua-l archive



On Wed, Aug 27, 2014 at 7:42 PM, Jonas Thiem <jonasthiem@googlemail.com> wrote:
> But how am I supposed to sandbox on a script level if all Lua versions
> shipped by common distributions don't have basic patches applied? Ship
> my sandboxing application with its own Lua then? I was recently advised
> not to do that, since it isn't me as an application dev who should worry
> about installing Lua hardened. But it appears nobody else worries
> either, so who does in the end? No one?

I would take that advice with a grain of salt.

Lua is designed to be extensible and embeddable. Everyone has their
own favorite power patches. Generally speaking, if you don't like the
way that the "stock" Lua package behaves, you really SHOULD be
embedding your own. It's designed for that.

Yes, it means you need to be on your toes to update your own copy of
the library embedded in your software when there are updates. That's why
the advice was given. But SOMEONE'S got to update it. Might as well be
you, if your use depends on it.

/s/ Adam