On 6 May 2013 20:02, Philipp Janda <siffie...@gmx.net> wrote:
> On 07.05.2013 00:31, Jack Lawson wrote:
>> Allowing any arbitrary person to update another person's rockspec sounds
>> very dangerous to me; I could imagine a developer of a popular library
>> going afk, and someone else uploading a "lua version change" rockspec that
>
> That would be *a year* of AFK by now ...
> And Lua version changes don't happen that often.
>
>> also points the tar at a malicious source directory, for example.
>> Far-fetched, perhaps, but I'd lean more towards requiring more security and
>> away from letting anyone update rockspecs.
>>
>> If a package says >= Lua 5.1, and 5.3 breaks it, and nobody can get ahold
>> of the developer - make a new rock, rather than editing the old one. Make
>> it clear that it has a new maintainer. This reeks of security issues.
>
> I think a new rock cannot fix the dependency issues of older rocks: If
> the new rock forbids Lua 5.3, luarocks would simply pick the old one
> which still (incorrectly) declares compatibility, wouldn't it?

In the current version of LuaRocks, it wouldn't. It always tries the
latest rock only, even if an older rock would satisfy the
dependencies. This has pros and cons, though. I've been thinking about
generating separate manifests for Lua 5.1 and 5.2 and letting LuaRocks
use the correct one, so that Lua 5.1 users still have easy access to
older versions of rocks as new versions that are Lua 5.2 only replace
them, but I'm not sure if this is worth the effort.

-- Hisham
http://hisham.hm/

_______________________________________________
Luarocks-developers mailing list
Luarocks-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/luarocks-developers
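
A simplified model of the selection behaviours discussed in this thread, added here as an example (it is not LuaRocks code and not from any of the posters): latest-only selection, fallback to any rock whose declared range matches, and a per-Lua-version manifest. The rock names, versions, constraint encoding and function names are assumptions constructed for illustration.

```python
# Simplified model of rock selection; not LuaRocks' real resolver.
# All rock names, versions and constraints are constructed sample data.

def parse(v):
    return tuple(int(p) for p in v.split("."))

# Each rock version declares a Lua range: (min_inclusive, max_exclusive|None).
# "oldlib 1.0" declares ">= 5.1" with no upper bound although, in this
# scenario, it breaks on Lua 5.3 (the stale-rockspec case from the thread).
MANIFEST = {
    "oldlib": {
        "1.0": ("5.1", None),    # stale rockspec, over-broad declaration
        "1.1": ("5.1", "5.3"),   # newer rock that correctly forbids 5.3
    },
    "newlib": {
        "1.0": ("5.1", None),
        "2.0": ("5.2", None),    # Lua 5.2-only release
    },
}

def supports(constraint, lua):
    lo, hi = constraint
    return parse(lo) <= parse(lua) and (hi is None or parse(lua) < parse(hi))

def latest_only(manifest, name, lua):
    """Try only the newest rock; fail if it does not support this Lua."""
    versions = manifest.get(name, {})
    if not versions:
        return None
    newest = max(versions, key=parse)
    return newest if supports(versions[newest], lua) else None

def newest_compatible(manifest, name, lua):
    """Fall back to older rocks whose declared range accepts this Lua."""
    ok = [v for v, c in manifest.get(name, {}).items() if supports(c, lua)]
    return max(ok, key=parse) if ok else None

def manifest_for(manifest, lua):
    """Per-Lua-version manifest: keep only rocks declaring support for it."""
    out = {}
    for name, versions in manifest.items():
        kept = {v: c for v, c in versions.items() if supports(c, lua)}
        if kept:
            out[name] = kept
    return out
```

In this model, a per-version manifest built from declared ranges gives Lua 5.1 users `newlib 1.0` back, but it also hands Lua 5.3 the stale `oldlib 1.0`, exactly as fallback selection would, while latest-only selection on the full manifest refuses to install.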