On Mon, Apr 11, 2022 at 1:01 PM Norbert Preining
Hi Hans, hi Roland,
thanks for your answer.
it actually defeats one of the security properties of lua (which was explicitly introduced at some point: make sure that hashes have random order each run so that it's harder to retrieve sensitive data from mem)
Well, that is a good point to *not* implement the change.
Roland, do you have any comments? I guess the reproducability strive is not as important as security.
So if something in this way should be done, it would need to changes sort order if and only if FORCE_SOURCE_DATE=1 in the env (this is what has required for tex engines to obey SOURCE_DATE_EPOCH settings).
not only fmt, every output could suffer from the same problem if it depends on a lua table that is not an array -- temp data, log and pdf . The format should serialize only array, or use a metatable (e.g. https://stackoverflow.com/questions/30970034/lua-in-pairs-with-same-order-as... ) Even if we hard code in some way an ordered table data structure, it's still the responsibility of the format to use it -- but then metatables are more flexible. -- luigi