[vlc-devel] [lua] Proposal for a standard-included playlistscript...

Mon Aug 20 15:32:59 CEST 2012

On Mon, Aug 20, 2012 at 7:48 AM, Mirsal Ennaime <mirsal at videolan.org> wrote:
> Hello John,
>
> On Fri, 2012-08-17 at 09:28 -0500, John Oyler wrote:
>> Install this: http://75.109.71.79:8000/~john/spacepotato/spacepotato.lua
>> Then open this: http://75.109.71.79:8000/~john/spacepotato/
>>
>> As for securing lua, I've already got that figured out. Supposing I can convince
>> everyone here, the trick would be to have the downloader script md5 the file
>> and check back to a webapp at http://videolan.org whether this md5 is trusted.
>> If it is, it installs it, if not, it discards it.
>>
>> While this would still require some review, at least some of the scripts could
>> be set as trusted by an automatic process... a safe script would be one that
>> only returns true in probe() for a single specific web address that also happens
>> to be new (and not someone trying to hijack youtube.com), and one that
>> doesn't make use of the filesystem access or other unsafe statements.
>
> The scripts would have to be reviewed the same way as in the usual
> process for applying patches.
>
> Having lots of new scripts added might trigger the decision to make a
> minor release quicker, which users willing so will get through their
> regular update channel (either with the update checker on windows or via
> their os distributors' regular channel)
>
> IMVHO, short-cutting any step of the release process for lua scripts
> isn't any more relevant than for other code.

Why would you want to trigger a new VLC release for new scripts? Once this
was in place, VLC would no longer need to host scripts.

As for them requiring the same level of scrutiny as patches, I disagree. A
simple script that is tied to a single url and makes use of no suspicious
lua instructions could skip the inspection phase entirely. Give the
script-writers a template, have the web-app check that it doesn't deviate from
that, and it can automatically be "trusted" and advertised as such. Only those
scripts more complicated would require human inspection before being
blessed as trusted.

So the flow of all this would look like: script-writer writes a script
that only
probe()s true for a specific (non-high-profile) website without any filesystem
statements or whatever. He uploads it to a web-app on videolan.org, which
regexes through making sure he didn't deviate from the template for such. If
he did deviate, it's binned until someone someone can take a look at it, if he
didn't, it's marked as trusted and anytime the zzzzzzzz.lua script from a VLC
client checks if it is trusted, it will install that script for the
client in question.

For more complicated scripts, eventually someone gets around to taking a
look, marks it as trusted, and then that script will also auto-install.

At that point, only high-profile website scripts (youtube.com, etc) would be
handled as if they were an official component of VLC. None of the scripts
handled as above would ever be included in VLC.

John O.