

Yes, but in practice all Linux users would hate me for shipping Lua when
their system already has it, so they might as well ignore it (not
realizing the consequences). And it doesn't make too much sense either.

Why can't we work together to make people more aware of security issues
popping up so the Lua copies out there are safe to start with?

Instead of denying there is a problem with the website and making joking
remarks about the sins of having a patch, maybe some productive thoughts
on how to improve the situation would be a better idea.

On 08/28/2014 05:06 AM, Coda Highland wrote:
> On Wed, Aug 27, 2014 at 7:42 PM, Jonas Thiem <jonasthiem@googlemail.com> wrote:
>> But how am I supposed to sandbox on a script level if all Lua versions
>> shipped by common distributions don't have basic patches applied? Ship
>> my sandboxing application with its own Lua then? I was recently advised
>> not to do that, since it isn't me as an application dev who should worry
>> about installing Lua hardened. But it appears nobody else worries
>> either, so who does in the end? No one?
> 
> I would take that advice with a grain of salt.
> 
> Lua is designed to be extensible and embeddable. Everyone has their
> own favorite power patches. Generally speaking, if you don't like the
> way that the "stock" Lua package behaves, you really SHOULD be
> embedding your own. It's designed for that.
> 
> Yes, it means you need to be on your toes to update your own copy of
> the library embedded in your software when there are updates. That's why
> the advice was given. But SOMEONE'S got to update it. Might as well be
> you, if your use depends on it.
> 
> /s/ Adam
>