- Subject: Re: Lua [in]security and the distributors
- From: Coda Highland <chighland@...>
- Date: Wed, 27 Aug 2014 20:06:56 -0700
On Wed, Aug 27, 2014 at 7:42 PM, Jonas Thiem <jonasthiem@googlemail.com> wrote:
> But how am I supposed to sandbox on a script level if all Lua versions
> shipped by common distributions don't have basic patches applied? Ship
> my sandboxing application with its own Lua then? I was recently advised
> not to do that, since it isn't me as an application dev who should worry
> about installing Lua hardened. But it appears nobody else worries
> either, so who does in the end? No one?

I would take that advice with a grain of salt.

Lua is designed to be extensible and embeddable. Everyone has their
own favorite power patches. Generally speaking, if you don't like the
way that the "stock" Lua package behaves, you really SHOULD be
embedding your own. It's designed for that.

Yes, it means you need to be on your toes to update your own copy of
the library embedded in your software when there are updates. That's why
the advice was given. But SOMEONE'S got to update it. Might as well be
you, if your use depends on it.

/s/ Adam