[vlc-devel] [lua] Proposal for a standard-included playlistscript...

Rémi Denis-Courmont remi at remlab.net
Mon Aug 20 15:30:54 CEST 2012


On Friday 17 August 2012 17:28:51 John Oyler, you wrote:
> As for securing lua, I've already got that figured out. Supposing I can
> convince everyone here, the trick would be to have the downloader script
> md5 the file and check back to a webapp at http://videolan.org whether
> this md5 is trusted. If it is, it installs it, if not, it discards it.

If VLC developers need to review the scripts, then the scripts might just as 
well be included in the VLC source code. I don't see the point.

> While this would still require some review, at least some of the scripts
> could be set as trusted by an automatic process...

That looks an awful lot like solving the halting problem to me. I dare express 
my skepticism.

> a safe script would be one that only returns true in probe() for a single
> specific web address that also happens to be new (and not someone trying
> to hijack youtube.com), and one that doesn't make use of the filesystem
> access or other unsafe statements.

So not only does someone need to review the Lua environment to determine what
is safe and what is not, but someone also needs to write an extra parser and a
web service.

Yeah right... how is that easier than securing the Lua environment directly?

-- 
Rémi Denis-Courmont
C/C++ software engineer looking for a job
http://www.linkedin.com/in/remidenis


