[vlc-devel] [lua] Proposal for a standard-included playlistscript...

John Oyler john.m.oyler at gmail.com
Mon Aug 20 15:48:09 CEST 2012

On Mon, Aug 20, 2012 at 8:30 AM, Rémi Denis-Courmont <remi at remlab.net> wrote:
> Le vendredi 17 août 2012 17:28:51 John Oyler, vous avez écrit :
>> As for securing lua, I've already got that figured out. Supposing I can
>> convince everyone here, the trick would be to have the downloader script
>> md5 the file and check back to a webapp at http://videolan.org whether
>> this md5 is trusted. If it is, it installs it, if not, it discards it.
> If VLC developers need to review the scripts, then the scripts might just as
> well be included in the VLC source code. I don't see the point.
>> While this would still require some review, at least some of the scripts
>> could be set as trusted by an automatic process...
> That looks an awful lot like solving the halting problem to me. I dare express
> my skepticism.

C'mon. If I give you a known safe lua script, and all you do is change
the website
url that it triggers for in probe(), and some minor regex twiddling in
the parse()...

It is not solving the halting problem for code (and simple code at
that) to see that
the new script is just as safe as the old.

Since a great many scripts might hold to such a pattern, the majority of
submitted scripts might never need to be read by human eyes. And before anyone
makes the claim that such scripts wouldn't be useful, I can already demonstrate
that this is not so and refer you to a few hundred people who want to see such
functionality as viewers and a dozen who want it as "tv channel runners".


John O.

More information about the vlc-devel mailing list