[Dev-luatex] Bug#1009196: texlive-binaries: Reproducible content of .fmt files
luigi.scarso at gmail.com
Mon Apr 11 13:48:44 CEST 2022
On Mon, Apr 11, 2022 at 1:01 PM Norbert Preining <norbert at preining.info> wrote:
> Hi Hans, hi Roland,
> thanks for your answer.
> > it actually defeats one of the security properties of lua (which was
> > explicitly introduced at some point: make sure that hashes have random
> > each run so that it's harder to retrieve sensitive data from mem)
> Well, that is a good point to *not* implement the change.
> Roland, do you have any comments? I guess the reproducibility strive is
> not as important as security.
> So if something in this way should be done, it would need to
> change sort order if and only if FORCE_SOURCE_DATE=1 in the env
> (this is what has been required for tex engines to obey SOURCE_DATE_EPOCH
Not only fmt: every output could suffer from the same problem if it
depends on a Lua table that is not an array -- temp data, log and pdf.
The format should serialize only arrays, or use a metatable.
Even if we hard code in some way an ordered table data structure, it's
still the responsibility of the format to use it -- but then metatables
are more flexible.
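One way the format-side approach mentioned above could look, as an added example that is not from the thread or from LuaTeX: a metatable whose `__pairs` walks keys in sorted order, so serialized output is stable while the interpreter's per-run hash randomization stays untouched. The names `ordered`, `atom`, `emit` and `serialize` are hypothetical, and keys are assumed to be strings or numbers.

```lua
-- Added example: deterministic iteration via a metatable (Lua 5.2+ honours __pairs).
-- Assumption: keys are strings or numbers only.
local ordered_mt = {}

function ordered_mt.__pairs(t)
  local keys = {}
  for k in next, t do keys[#keys + 1] = k end
  -- Group by type name first so mixed number/string keys never raise an error.
  -- Note: "<" on strings follows the current locale, so pin the locale as well.
  table.sort(keys, function(a, b)
    local ta, tb = type(a), type(b)
    if ta ~= tb then return ta < tb end
    return a < b
  end)
  local i = 0
  return function()
    i = i + 1
    local k = keys[i]
    if k ~= nil then return k, t[k] end
  end
end

-- Hypothetical helper: mark a table as "iterate in sorted key order".
local function ordered(t) return setmetatable(t, ordered_mt) end

local function atom(v)
  if type(v) == "string" then return string.format("%q", v) end
  return tostring(v)
end

-- Hypothetical serializer: it only calls pairs(), so the order comes from __pairs.
local function emit(v, out)
  if type(v) ~= "table" then out[#out + 1] = atom(v) return end
  out[#out + 1] = "{"
  for k, x in pairs(v) do
    out[#out + 1] = "[" .. atom(k) .. "]="
    emit(x, out)
    out[#out + 1] = ","
  end
  out[#out + 1] = "}"
end

local function serialize(v) local out = {} emit(v, out) return table.concat(out) end

-- Constructed sample data: same content, different insertion order.
local a = ordered({}); a.hyphen = 1; a.font = ordered({ size = 10, name = "cmr" }); a[1] = "x"
local b = ordered({}); b[1] = "x"; b.font = ordered({ name = "cmr", size = 10 }); b.hyphen = 1
assert(serialize(a) == serialize(b))
print(serialize(a))
```

Only tables wrapped with `ordered` get the stable order; a plain nested table still iterates in hash order, which is why the choice stays with the format.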