[Dev-luatex] Bug#1009196: texlive-binaries: Reproducible content of .fmt files

Norbert Preining norbert at preining.info
Mon Apr 11 13:01:32 CEST 2022


Hi Hans, hi Roland,

thanks for your answer.

> it actually defeats one of the security properties of lua (which was
> explicitly introduced at some point: make sure that hashes have random order
> each run so that it's harder to retrieve sensitive data from mem)

Well, that is a good point to *not* implement the change.

Roland, do you have any comments? I guess striving for reproducibility is
not as important as security.

So if something in this way should be done, it would need to
change the sort order if and only if FORCE_SOURCE_DATE=1 in the env
(this is what is required for tex engines to obey SOURCE_DATE_EPOCH
settings).

Roland, if you have time, please adjust the patch to work within the
above constraints.

Best regards

Norbert

--
PREINING Norbert                              https://www.preining.info
Mercari Inc.     +     IFMGA Guide     +     TU Wien     +     TeX Live
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

