

There is also the path the Multi Theft Auto mod[1] took: they host a compiler[2] on a server that signs code; trying to load() bytecode that was not compiled there (i.e. string.dump-ed or emitted by luac) gives you a runtime error.
Not sure if that's a good idea though; I always found it weird that servers are so protective of their mods and want to compile and obfuscate everything.

[1] https://mtasa.com/
[2] https://luac.mtasa.com/

On Mon, Dec 12, 2016 at 12:17 AM, Luiz Henrique de Figueiredo <lhf@tecgraf.puc-rio.br> wrote:
> For the record, it is perfectly safe to run bytecode from trusted sources,
> such as resources built into your program. Running bytecode from untrusted
> sources is of course dangerous. The point is that bytecode emitted by the
> Lua compiler is safe; handcrafted malicious bytecode is not.
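
The policy discussed in this message, a loader that accepts precompiled chunks only when a trusted compile server signed them, sketched as an added example (not part of the original post and not MTA's code). HMAC-SHA256 with a shared key stands in for the signature scheme, which the post does not describe; `sign_chunk`, `admit_chunk`, the tag layout and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

LUA_SIGNATURE = b"\x1bLua"  # first bytes of every precompiled Lua chunk
TAG_LEN = hashlib.sha256().digest_size


def sign_chunk(bytecode: bytes, key: bytes) -> bytes:
    """Compile-server side: append an HMAC-SHA256 tag to emitted bytecode."""
    if not bytecode.startswith(LUA_SIGNATURE):
        raise ValueError("not a precompiled Lua chunk")
    return bytecode + hmac.new(key, bytecode, hashlib.sha256).digest()


def admit_chunk(blob: bytes, key: bytes) -> bytes:
    """Loader side: return the bytes that may be handed to load(), or raise.

    Source text passes through unchanged, since the local Lua compiler
    produces the bytecode for it. Binary chunks must carry a valid tag.
    """
    if not blob.startswith(LUA_SIGNATURE):
        return blob
    if len(blob) < len(LUA_SIGNATURE) + TAG_LEN:
        raise PermissionError("binary chunk without a signature tag")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes.
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("binary chunk not signed by the trusted compiler")
    return body


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-secret"
    # Constructed sample: header bytes plus filler, not a loadable chunk.
    compiled = LUA_SIGNATURE + b"\x53\x00" + b"constructed-body"
    signed = sign_chunk(compiled, key)
    print("signed chunk admitted:", admit_chunk(signed, key) == compiled)
    for label, blob in [("unsigned", compiled + b"\x00" * TAG_LEN),
                        ("tampered", signed[:8] + b"X" + signed[9:])]:
        try:
            admit_chunk(blob, key)
        except PermissionError as err:
            print(label, "rejected:", err)
```

With a shared HMAC key the verifier can also sign, so a loader shipped to untrusted clients would verify an asymmetric signature instead and hold only the public key.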