Hi Alex,

Another good question is the amount of bandwidth currently used for
rock downloads. I'd guess fairly low, meaning it wouldn't be too
expensive to host on something like Amazon Cloudfront. That said,
lots of people have VPSes with spare space and bandwidth and it could
be relatively easy to set up mirrors. Furthermore, the main luarocks
site seems plenty fast so I suppose a mirror would be most important
for failover rather than speed.

Security is a concern though (and of course already is, even with the
single luarocks mirror). I don't believe there's currently any sort of
signing of the luarocks archive, is there?

I'm guessing the repository itself isn't signed, but rockspecs include an MD5 hash of the source archive. I haven't studied packed rocks (since I only learned about them today :-)) but I suppose they could also include a hash of some sort? (I wonder about the chicken/egg problem this might imply)

Of course if someone were to gain unauthorized write access to a mirrored repository they could just change the hash after sneaking unwanted code into a rock.

One complex solution might be to have a trusted person (e.g. Hisham) encrypt the packed rocks with a private key and have LR decrypt the packed rocks using the public key. So long as the private key stays a secret no one should be able to change existing rocks. Of course this requires LR to depend on a crypto library which could complicate things.

 - Peter Odding

_______________________________________________
Luarocks-developers mailing list
[email protected]
http://lists.luaforge.net/cgi-bin/mailman/listinfo/luarocks-developers
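
Added example, not part of the original message and not LuaRocks code: it contrasts a hash stored next to the archive on a mirror with a detached signature checked against a public key shipped with the client, treating the private-key operation described above as a signature. The key is a constructed, insecure toy (unpadded RSA over two known primes, chosen so the block runs with the standard library only), and all function names are hypothetical.

```python
import hashlib

# Constructed toy key from two known Mersenne primes: NOT secret, NOT secure.
# A real client would use a vetted library (e.g. Ed25519 or RSA-PSS).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, shipped with the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held only by the signer

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Signer side: requires the private exponent D."""
    return pow(digest_int(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    """Client side: requires only the public values (N, E)."""
    return pow(sig, E, N) == digest_int(data)

def publish(archive: bytes) -> dict:
    """What the trusted maintainer uploads to a mirror."""
    return {"archive": archive, "md5": md5_hex(archive), "sig": sign(archive)}

def overwrite_on_mirror(entry: dict, new_archive: bytes) -> dict:
    """Models write access to the mirror without the private key: the archive
    and its hash can both be replaced, the signature cannot be recomputed."""
    return {"archive": new_archive, "md5": md5_hex(new_archive),
            "sig": entry["sig"]}

def client_checks(entry: dict) -> dict:
    """Run both checks a downloading client could perform."""
    return {"md5_ok": md5_hex(entry["archive"]) == entry["md5"],
            "sig_ok": verify(entry["archive"], entry["sig"])}

if __name__ == "__main__":
    good = publish(b"constructed rock contents v1.0")
    bad = overwrite_on_mirror(good, b"constructed rock contents + unwanted code")
    print("as published:", client_checks(good))
    print("overwritten: ", client_checks(bad))
```

The hash check still passes on the overwritten entry because the hash lives in the same writable place as the archive; only the signature check, anchored to a key outside the mirror, fails.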
