On 07.05.2013 00:31, Jack Lawson wrote:
> Allowing any arbitrary person to update another person's rockspec sounds
> very dangerous to me; I could imagine a developer of a popular library
> going afk, and someone else uploading a "lua version change" rockspec that

That would be *a year* of AFK by now ... And Lua version changes don't happen that often.

> also points the tar at a malicious source directory, for example.
> Far-fetched, perhaps, but I'd lean more towards requiring more security and
> away from letting anyone update rockspecs.
>
> If a package says >= Lua 5.1, and 5.3 breaks it, and nobody can get ahold
> of the developer - make a new rock, rather than editing the old one. Make
> it clear that it has a new maintainer. This reeks of security issues.

I think a new rock cannot fix the dependency issues of older rocks: if the new rock forbids Lua 5.3, luarocks would simply pick the old one, which still (incorrectly) declares compatibility, wouldn't it?

_______________________________________________
Luarocks-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/luarocks-developers
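The resolver behaviour questioned in the reply above, as an added example that is not part of the original thread and not luarocks' own code: a simplified "highest version whose constraints hold" resolver over two candidate rock versions. The constraint syntax mirrors rockspec dependency strings such as "lua >= 5.1"; the resolver logic, the version-comparison rules and the two sample rocks are assumptions constructed for this illustration. It shows that once an old rockspec has declared an over-broad Lua range, publishing a newer rock with a tighter range does not stop the old one from being selected on the interpreter it wrongly claims to support.

```lua
-- Added example (not luarocks code): a simplified model of a resolver that
-- picks the highest rock version whose Lua constraint is satisfied.
-- The resolution rules below are an assumption, not luarocks' implementation.

-- "5.3" -> {5, 3}; "1.0-1" -> {1, 0, 1}. Numeric components only.
local function parse_version(s)
  local parts = {}
  for n in s:gmatch("%d+") do parts[#parts + 1] = tonumber(n) end
  return parts
end

-- Compare two version tables component-wise; returns -1, 0 or 1.
local function compare(a, b)
  local n = math.max(#a, #b)
  for i = 1, n do
    local x, y = a[i] or 0, b[i] or 0
    if x < y then return -1 elseif x > y then return 1 end
  end
  return 0
end

-- Map a constraint operator onto the result of compare(installed, wanted).
local ops = {
  [">="] = function(c) return c >= 0 end,
  ["<="] = function(c) return c <= 0 end,
  [">"]  = function(c) return c > 0 end,
  ["<"]  = function(c) return c < 0 end,
  ["=="] = function(c) return c == 0 end,
  ["~="] = function(c) return c ~= 0 end,
}

-- Parse "lua >= 5.1, < 5.3" into the dependency name and a list of clauses.
local function parse_dep(dep)
  local name, rest = dep:match("^%s*(%S+)%s*(.*)$")
  local clauses = {}
  for op, ver in rest:gmatch("([<>=~]+)%s*([%d%.]+)") do
    clauses[#clauses + 1] = { op = op, version = parse_version(ver) }
  end
  return name, clauses
end

-- True when every clause of the dependency string holds for installed_version.
local function satisfies(dep, installed_version)
  local _, clauses = parse_dep(dep)
  local v = parse_version(installed_version)
  for _, c in ipairs(clauses) do
    local test = ops[c.op]
    if not test or not test(compare(v, c.version)) then return false end
  end
  return true
end

-- Among the candidate rocks, return the highest version whose constraint
-- is satisfied by the running Lua version, or nil if none qualifies.
local function resolve(candidates, lua_version)
  local best
  for _, rock in ipairs(candidates) do
    if satisfies(rock.dep, lua_version) then
      if not best
         or compare(parse_version(rock.version), parse_version(best.version)) > 0 then
        best = rock
      end
    end
  end
  return best
end

-- Constructed sample: the original rock declares "lua >= 5.1"; a later rock,
-- pushed by a new maintainer, tightens that to "lua >= 5.1, < 5.3".
local candidates = {
  { version = "1.0-1", dep = "lua >= 5.1" },
  { version = "1.1-1", dep = "lua >= 5.1, < 5.3" },
}

-- On Lua 5.2 the newer rock wins; on Lua 5.3 the newer rock is excluded and
-- the resolver falls back to the old rock, whose claim of 5.3 support is the
-- very thing the new rock was meant to correct.
for _, lv in ipairs({ "5.2", "5.3" }) do
  local pick = resolve(candidates, lv)
  print(("Lua %s -> %s"):format(lv, pick and pick.version or "nothing"))
end
```

The fallback in the Lua 5.3 case is the crux of the argument: a resolver that trusts each rockspec's own declaration cannot be corrected by adding a stricter sibling, only by changing or withdrawing the offending rockspec itself, which is exactly the write access the thread is arguing about.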
