Page MenuHomePhabricator

Add support for a newer Lua version than Lua 5.1 to luasandbox
Open, Stalled, Needs TriagePublic


At present, luasandbox is tied to Lua 5.1, which is so out of date that certain features of Lua 5.2 are backported to luasandbox's implementation of Lua.

Perhaps it is time to move on.

To begin with, references to Lua version hardcoded into luasandbox source code could be removed and made configurable in the options for cmake or ./configure (defaulting to Lua 5.1).

The hardcoded Lua version is found in config.cmake and config.m4. The file FindLua51cpp.cmake ought to be, I guess, cloned into FindLua52cpp.cmake and FindLua53cpp.cmake or parametrised somehow.

Event Timeline

Note, that probably part of this is the version of Lua WMF servers have available on the installed Debian version. There are plans to upgrade to Stretch (version 9), see T174431: Upgrade mw* servers to Debian Stretch (using HHVM) which may potentially block this

I do note liblua5.2 seems to be available on a few hosts checked, and it's in debian stable (as is liblua5.1)

So, I suspect, there might be scope to be able to build luasandbox against newer lua (or, at least, not preventing it), support for 5.1 possibly isn't going to be dropped anytime soon. However, I'm not sure (I'm sure someone will correct me) why we're still using 5.1 if 5.2 is available on WMF servers

The main blocker, as far as I know, is that 5.2 completely changed how function environments work and function environments are heavily used for our sandboxing. To be able to use 5.2, someone would have to redo the sandboxing and it would have to be reviewed for security.

Krinkle renamed this task from Enable luasandbox to use Lua 5.2/5.3 to Add support for Lua 5.2 or 5.3 to luasandbox.Jan 15 2019, 4:42 AM
Legoktm changed the task status from Open to Stalled.Jan 16 2019, 3:47 AM
Legoktm added a subscriber: tstarling.

To quote @tstarling:

For some background material about why I don't like the idea of moving to Lua 5.2, you could read:

It was mentioned there that LuaJIT is based on Lua 5.1 -- that is still the case.

"And the second important point is, that it's worthy to sometimes look at each Lua version as a totally unrelated language, "only accidentally bearing a somewhat similar name". It is not considered as something "bad" if you stick with your chosen version of Lua forever in your product (although this surely also has some drawbacks) [1][2]. You can even consider taking it sideways, by adding some patches etc."

So I would mark this as declined, but he also said (in 2014):

Like I said at the start of this project, maybe in a decade or so. Unless there is some actual reason to want to do it?

So marking as stalled for re-evaluation in 2024.

Lua 5.4 is now available as well. It would be nice to see it use the latest version.

Aklapper renamed this task from Add support for Lua 5.2 or 5.3 to luasandbox to Add support for a newer Lua version than Lua 5.1 to luasandbox.Nov 1 2021, 10:47 AM