Sent out announcement for LuaSandbox 3.0.0 / 3.0.1 release
Closed, Declined (Public)

Description

Important commits in 3.0.0:

4061be2 Add basic information to README and generate PHP documentation
df0ab7c SECURITY: Reduce precision on os.clock() to mitigate timing attacks
58f3b52 Remove LuaJIT support
122132a Sanify handling of array keys
76122a0 Remove PHP→Lua object conversion

And in 3.0.1:

47ac17d Don't test round-tripping "long" on 32-bit systems

We can also highlight the new wiki page, documentation, and Debian package.

Event Timeline

Which specific changes do you have in mind that are important enough to tell all users?

This task reads "sent out announcement", but doesn't say to whom; so I guess users, as recipients of the features, yet as I was unsure, I didn't add the tag.

This is more Developer-notice if anything, I was anticipating sending the email to wikitech-l and mediawiki-l. I don't think it makes sense for Wikimedia users, since nothing will change until T187673, and even then those changes are extremely minor.

Legoktm renamed this task from Sent out announcement for LuaSandbox 3.0 release to Sent out announcement for LuaSandbox 3.0.0 / 3.0.1 release. (Mar 7 2018, 4:30 AM)
Legoktm updated the task description.

Proposed:

Hi,

LuaSandbox 3.0 has been released. If you're not familiar with it, LuaSandbox is a PHP extension that allows for safe and secure execution of arbitrary Lua code, and is primarily used to power the Scribunto MediaWiki extension. 3.0 supports PHP 5.5-7.2 and HHVM.

As part of this release, LuaSandbox has a new homepage on mediawiki.org[1], and autogenerated documentation is published on doc.wikimedia.org[2].

Instructions on how to build and install LuaSandbox are available[3], and a package is also available for Debian 9 users in the backports repository. It will also be included in the upcoming Ubuntu 18.04 LTS release. On MediaWiki 1.30+, Scribunto will automatically take advantage of LuaSandbox if it is installed.

The only breaking change was the removal of unmaintained and likely unused LuaJIT support. Other changes include:

* Remove PHP→Lua object conversion
* Sanify handling of array keys
* Reduce precision on os.clock() to mitigate potential future timing attacks
* Fix tests on 32-bit systems

[1] https://www.mediawiki.org/wiki/LuaSandbox
[2] https://doc.wikimedia.org/mediawiki-php-luasandbox/master/
[3] https://www.mediawiki.org/wiki/LuaSandbox#Installation

"Remove PHP→Lua object conversion" is a breaking change too.

Seems a bit late to bother with it now, 10 months later.