> Nobody would seriously claim, I think, that one can algorithmically > determine whether a given fragment of Lua *source* code is malicious.
It is impossible, because the _very same code_ may be fairly called malicious when presented for execution by an attacker but not when presented for execution by a suitably authorized person. Therefore, information beyond the code itself is necessary to determine malice. Note, too, that there is nothing Lua-specific in the above argument. /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML mo...@rodents-montreal.org / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B