Add support for a newer Lua version than Lua 5.1 to luasandbox
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	alex-mashin
	Oct 13 2017, 9:14 AM

Description

At present, luasandbox is tied to Lua 5.1, which is so out of date that certain features of Lua 5.2 are backported to luasandbox's implementation of Lua.

Perhaps it is time to move on.

To begin with, references to Lua version hardcoded into luasandbox source code could be removed and made configurable in the options for cmake or ./configure (defaulting to Lua 5.1).

The hardcoded Lua version is found in config.cmake and config.m4. The file FindLua51cpp.cmake ought to be, I guess, cloned into FindLua52cpp.cmake and FindLua53cpp.cmake or parametrised somehow.

Related Objects

Mentioned In: T165935: "Lua error: not enough memory" on certain en.wiktionary pages
T189767: RFC: Future of Scribunto
Mentioned Here: T174431: Upgrade mw* servers to Debian Stretch (using HHVM)

Event Timeline

alex-mashin created this task.Oct 13 2017, 9:14 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 13 2017, 9:14 AM

alex-mashin added a project: Scribunto.Oct 13 2017, 9:15 AM

alex-mashin updated the task description. (Show Details)Oct 13 2017, 9:21 AM

alex-mashin updated the task description. (Show Details)Oct 13 2017, 9:28 AM

Note, that probably part of this is the version of Lua WMF servers have available on the installed Debian version. There are plans to upgrade to Stretch (version 9), see T174431: Upgrade mw* servers to Debian Stretch (using HHVM) which may potentially block this

I do note liblua5.2 seems to be available on a few hosts checked, and it's in debian stable (as is liblua5.1)

So, I suspect, there might be scope to be able to build luasandbox against newer lua (or, at least, not preventing it), support for 5.1 possibly isn't going to be dropped anytime soon. However, I'm not sure (I'm sure someone will correct me) why we're still using 5.1 if 5.2 is available on WMF servers

The main blocker, as far as I know, is that 5.2 completely changed how function environments work and function environments are heavily used for our sandboxing. To be able to use 5.2, someone would have to redo the sandboxing and it would have to be reviewed for security.

Paladox subscribed.Oct 17 2017, 3:12 PM

Legoktm added a project: LuaSandbox.Feb 3 2018, 10:53 PM

Tim left comments on https://gerrit.wikimedia.org/r/#/c/139479/ that are pretty relevant here.

Anomie mentioned this in T189767: RFC: Future of Scribunto.Mar 15 2018, 11:49 AM

PerfektesChaos subscribed.Jul 3 2018, 12:49 PM

Krinkle renamed this task from Enable luasandbox to use Lua 5.2/5.3 to Add support for Lua 5.2 or 5.3 to luasandbox.Jan 15 2019, 4:42 AM

To quote @tstarling:

For some background material about why I don't like the idea of moving to Lua 5.2, you could read:

http://lua-users.org/lists/lua-l/2012-02/msg00127.html

It was mentioned there that LuaJIT is based on Lua 5.1 -- that is still the case.

http://lua-users.org/lists/lua-l/2012-02/msg00150.html

"And the second important point is, that it's worthy to sometimes look at each Lua version as a totally unrelated language, "only accidentally bearing a somewhat similar name". It is not considered as something "bad" if you stick with your chosen version of Lua forever in your product (although this surely also has some drawbacks) [1][2]. You can even consider taking it sideways, by adding some patches etc."

So I would mark this as declined, but he also said (in 2014):

Like I said at the start of this project, maybe in a decade or so. Unless there is some actual reason to want to do it?

So marking as stalled for re-evaluation in 2024.

jberkel subscribed.Mar 14 2020, 10:21 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:01 PM

Aklapper mentioned this in T165935: "Lua error: not enough memory" on certain en.wiktionary pages.Apr 3 2021, 7:34 AM

Erutuon subscribed.Jun 28 2021, 11:21 PM

ExE-Boss subscribed.Aug 26 2021, 4:59 AM

Lua 5.4 is now available as well. It would be nice to see it use the latest version.

Aklapper renamed this task from Add support for Lua 5.2 or 5.3 to luasandbox to Add support for a newer Lua version than Lua 5.1 to luasandbox.Nov 1 2021, 10:47 AM

Izno subscribed.Nov 18 2021, 6:45 PM

Jaideraf subscribed.Dec 23 2022, 8:11 PM

Lens0021 subscribed.Feb 28 2023, 4:32 PM

In T178146#4883378, @Legoktm wrote:

To quote @tstarling:

For some background material about why I don't like the idea of moving to Lua 5.2, you could read:

http://lua-users.org/lists/lua-l/2012-02/msg00127.html

It was mentioned there that LuaJIT is based on Lua 5.1 -- that is still the case.

http://lua-users.org/lists/lua-l/2012-02/msg00150.html

"And the second important point is, that it's worthy to sometimes look at each Lua version as a totally unrelated language, "only accidentally bearing a somewhat similar name". It is not considered as something "bad" if you stick with your chosen version of Lua forever in your product (although this surely also has some drawbacks) [1][2]. You can even consider taking it sideways, by adding some patches etc."

So I would mark this as declined, but he also said (in 2014):

Like I said at the start of this project, maybe in a decade or so. Unless there is some actual reason to want to do it?

So marking as stalled for re-evaluation in 2024.