monotone-devel

Re: [Monotone-devel] Linking monotone with the official lua shared libra


From: Nathaniel Smith
Subject: Re: [Monotone-devel] Linking monotone with the official lua shared library as distributed by Debian
Date: Sun, 24 Jul 2005 22:06:43 -0700
User-agent: Mutt/1.5.9i

On Mon, Jul 25, 2005 at 12:28:58AM -0400, Graydon Hoare wrote:
> naturally I would appreciate if you did not link against the
> debian-provided lua library, as we have no way of performing QA on
> this library or customizing it to suit our needs. in this case you
> will be re-introducing a possible security hole; we will still not
> actually *use* popen in any of the scripts we provide, but it will be
> available to script authors and therefore more likely to be misused.
> we prefer to keep the lua environment we offer users very constrained
> by default.
> 
> of course, being free software, I cannot really stop you from doing
> so. but I would appreciate it if you did not.

The other factor is that we do not and can not make any guarantee
that, even if monotone happened to work with some non-bundled library
_now_, it will continue to do so as monotone continues to evolve.
Historically, every bundled library has at some time or another
contained changes that monotone required to work, and so chances are
it will again; we don't just do this to be cute...

(For instance, the 0.20 release ran into problems because the debian
package used unbundled sqlite, and this stopped working.)

Hopefully as monotone and the libraries it uses mature, such
incidents will reduce in frequency, until we can safely use external
libraries...

-- Nathaniel

-- 
"The problem...is that sets have a very limited range of
activities -- they can't carry pianos, for example, nor drink
beer."
