Allowing any arbitrary person to update another person's rockspec sounds
very dangerous to me; I could imagine a developer of a popular library
going afk, and someone else uploading a "lua version change" rockspec that
also points the tar at a malicious source directory, for example.
Far-fetched, perhaps, but I'd lean more towards requiring more security and
away from letting anyone update rockspecs.

If a package says >= Lua 5.1, and 5.3 breaks it, and nobody can get ahold
of the developer - make a new rock, rather than editing the old one. Make
it clear that it has a new maintainer. This reeks of security issues.


On Mon, May 6, 2013 at 3:01 PM, Thijs Schreijer <th...@thijsschreijer.nl> wrote:

> > -----Original Message-----
> > From: Doug Currie [mailto:doug.cur...@gmail.com]
> > Sent: maandag 6 mei 2013 23:34
> > To: luarocks-developers@lists.sourceforge.net
> > Subject: Re: [Luarocks-developers] Hostile rockspec takeover
> >
> >
> > On May 6, 2013, at 5:16 PM, Paul K <paulclin...@yahoo.com> wrote:
> >
> > > For example, my Mobdebug module specified "lua >= 5.1" as its
> > > dependency and it indeed works with 5.1 and 5.2 as advertised (or at
> > > least as much as I tested it with 5.2). I wouldn't want that to be
> > > interpreted as "< 5.2".
> >
> > Yeah, that's why I just changed lsqlite3 to "lua >= 5.1, < 5.3" since it
> > is compatible with Lua 5.2 (but cannot claim to be compatible with Lua
> > 5.3!).
> >
> > e
>
> The problem is Lua releases breaking compatibility (except the patch
> releases). So adding a maximum version compatibility is not bad imo.
> Wrt hostile takeover: it has been mentioned before to split the role of
> developer and packager.
>
> Thijs
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Luarocks-developers mailing list
> Luarocks-developers@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/luarocks-developers
>
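The constraint change Doug describes ("lua >= 5.1" tightened to "lua >= 5.1, < 5.3") can be checked mechanically. The following is an added example, not LuaRocks' own dependency resolver: a simplified parser for the comparison operators in that syntax, with a constructed list of Lua version strings, showing exactly which versions the added upper bound excludes.

```python
import re

# Simplified LuaRocks-style dependency constraint checker (added example,
# not LuaRocks' own resolver). Handles "name", "name >= 5.1" and
# comma-separated lists such as "lua >= 5.1, < 5.3".

_CONSTRAINT = re.compile(r"(>=|<=|==|~=|>|<)\s*(\d+(?:\.\d+)*)")
_OPS = {
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
    "<=": lambda c: c <= 0, "<": lambda c: c < 0,
    "==": lambda c: c == 0, "~=": lambda c: c != 0,
}

def parse_version(text):
    """'5.2.4' -> (5, 2, 4)"""
    return tuple(int(p) for p in text.strip().split("."))

def compare(a, b):
    """Compare version tuples, padding with zeros so 5.1 == 5.1.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def parse_dependency(dep):
    """'lua >= 5.1, < 5.3' -> ('lua', [('>=', (5, 1)), ('<', (5, 3))])"""
    m = re.match(r"\s*([\w.-]+)\s*(.*)", dep)
    if not m:
        raise ValueError("bad dependency: %r" % dep)
    name, rest = m.group(1), m.group(2)
    constraints = []
    for part in rest.split(","):
        part = part.strip()
        if not part:
            continue
        c = _CONSTRAINT.fullmatch(part)
        if not c:
            raise ValueError("bad constraint %r in %r" % (part, dep))
        constraints.append((c.group(1), parse_version(c.group(2))))
    return name, constraints

def satisfies(dep, version):
    """True if the installed `version` meets every constraint in `dep`."""
    _, constraints = parse_dependency(dep)
    v = parse_version(version)
    return all(_OPS[op](compare(v, target)) for op, target in constraints)

def newly_excluded(old_dep, new_dep, versions):
    """Versions that matched the old constraint but not the tightened one."""
    return [v for v in versions
            if satisfies(old_dep, v) and not satisfies(new_dep, v)]

# Constructed Lua version list for the demonstration.
LUA_VERSIONS = ["5.0", "5.1", "5.1.5", "5.2", "5.2.4", "5.3"]

if __name__ == "__main__":
    print(newly_excluded("lua >= 5.1", "lua >= 5.1, < 5.3", LUA_VERSIONS))
```

Run stand-alone it reports only `['5.3']`, which is the point of the thread: an unbounded ">= 5.1" silently admits an incompatible future release, while the upper bound excludes nothing the rock was ever tested against.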