> -----Original Message-----
> From: Jack Lawson [mailto:ajacksif...@gmail.com]
> Sent: Tuesday, 7 May 2013 0:32
> To: luarocks-developers@lists.sourceforge.net
> Subject: Re: [Luarocks-developers] Hostile rockspec takeover
>
> Allowing any arbitrary person to update another person's rockspec sounds
> very dangerous to me; I could imagine a developer of a popular library

True, but a few rules of notifications, transition and adoption on the list could easily be established to mitigate this.

> going afk, and someone else uploading a "lua version change" rockspec that
> also points the tar at a malicious source directory, for example. Far-fetched,
> perhaps, but I'd lean more towards requiring more security and
> away from letting anyone update rockspecs.
>
> If a package says >= Lua 5.1, and 5.3 breaks it, and nobody can get ahold
> of the developer - make a new rock, rather than editing the old one. Make
> it clear that it has a new maintainer. This reeks of security issues.

A new rock with a new name will not satisfy existing dependencies, as already mentioned by others.

I do agree that some tighter security controls would be nice on LuaRocks and its community, but the reality is that it is still a one-man operation.

Don't get me wrong; I prefer a better security model, but the trick is to get a realistic one.

Thijs

_______________________________________________
Luarocks-developers mailing list
Luarocks-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/luarocks-developers
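The risk discussed in this thread, a third party re-uploading a rockspec that quietly points the source tarball somewhere else, is the kind of change a repository can detect mechanically before a revision goes live. The following is an added example, not LuaRocks code and not something the project or the list members proposed; it assumes a simplified rockspec subset (top-level `package`/`version` strings, a `source` table with `url` and the optional `md5` field, and a flat `dependencies` list), constructs two sample rockspecs for a fictitious package, and applies a hypothetical severity policy in which a changed source host or a removed checksum requires sign-off from the existing maintainer, while a dependency-range tweak (the "Lua version change" case) does not.

```python
import re
from urllib.parse import urlparse

# Constructed sample rockspecs for a fictitious package (not a real rock).
# OLD is the revision the original maintainer published.
OLD_ROCKSPEC = '''
package = "examplelib"
version = "1.0-1"
source = {
   url = "https://github.com/example/examplelib/archive/v1.0.tar.gz",
   md5 = "0123456789abcdef0123456789abcdef",
}
dependencies = {
   "lua >= 5.1",
}
'''

# NEW is a hypothetical "Lua version change" upload by someone else that also
# swaps the source host and drops the checksum.
NEW_ROCKSPEC = '''
package = "examplelib"
version = "1.0-2"
source = {
   url = "https://evil.example.net/examplelib-v1.0.tar.gz",
}
dependencies = {
   "lua >= 5.1, < 5.4",
}
'''


def parse_rockspec(text):
    """Extract the subset of fields this check needs.

    This is a regex-based reader for the simple form above, not a Lua
    interpreter; real rockspecs can contain constructs it does not handle.
    """
    spec = {"source": {}, "dependencies": []}
    for key in ("package", "version"):
        m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % key, text, re.M)
        if m:
            spec[key] = m.group(1)
    src = re.search(r'source\s*=\s*\{(.*?)\}', text, re.S)
    if src:
        for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', src.group(1)):
            spec["source"][k] = v
    deps = re.search(r'dependencies\s*=\s*\{(.*?)\}', text, re.S)
    if deps:
        spec["dependencies"] = re.findall(r'"([^"]*)"', deps.group(1))
    return spec


def review_rockspec_update(old_text, new_text):
    """Compare two revisions of one rock and return (severity, message) findings."""
    old, new = parse_rockspec(old_text), parse_rockspec(new_text)
    findings = []
    if old.get("package") != new.get("package"):
        findings.append(("high", "package name changed"))

    old_url = old["source"].get("url", "")
    new_url = new["source"].get("url", "")
    if old_url != new_url:
        old_host, new_host = urlparse(old_url).netloc, urlparse(new_url).netloc
        if old_host != new_host:
            # The tarball now comes from a different origin entirely.
            findings.append(("high", f"source host changed: {old_host} -> {new_host}"))
        else:
            findings.append(("medium", "source url changed within the same host"))

    old_md5, new_md5 = old["source"].get("md5"), new["source"].get("md5")
    if old_md5 and not new_md5:
        # Losing the pin means the fetched archive is no longer tied to a known blob.
        findings.append(("high", "source checksum removed"))
    elif old_md5 != new_md5:
        findings.append(("medium", "source checksum changed"))
    elif not old_md5 and not new_md5:
        findings.append(("medium", "no source checksum in either revision"))

    if old["dependencies"] != new["dependencies"]:
        findings.append(("low", "dependency constraints changed"))
    if old.get("version") != new.get("version"):
        findings.append(("info", f"version {old.get('version')} -> {new.get('version')}"))
    return findings


def requires_maintainer_approval(findings):
    """Hypothetical policy: any 'high' finding blocks publication until the
    current maintainer (or a list-agreed adoption process) approves it."""
    return any(severity == "high" for severity, _ in findings)


if __name__ == "__main__":
    for severity, message in review_rockspec_update(OLD_ROCKSPEC, NEW_ROCKSPEC):
        print(f"[{severity}] {message}")
    print("needs maintainer approval:",
          requires_maintainer_approval(review_rockspec_update(OLD_ROCKSPEC, NEW_ROCKSPEC)))
```

Run against the two constructed revisions, the review flags the source host change and the removed checksum as high, the dependency tweak as low, and the version bump as informational, so the update is held for approval; a revision that only bumps the version and tightens the Lua dependency range, leaving url and md5 intact, passes without blocking, which is the distinction the thread is asking for between routine fixes and takeovers.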