
Oh wow!

It blows my mind that the author of htop, GoboLinux and LuaRocks is the same person. Much respect. I use htop every day. And Nix and GoboLinux are architectural inspirations.

What I am saying about LuaRocks is that all code pulled over the wire should be signed and/or encrypted to maintain the chain of trust. Maven just went through this, as it was only accessible over HTTP unless users paid a fee.

http://www.infoq.com/news/2014/08/Maven-SSL-Default

I could set up a MITM on a local wifi network (hacker space, coffee shop, school network, etc.) and install backdoors via LuaRocks because the traffic goes in the clear and the packages are not signed.

LuaRocks should be secure by default. I found it really hard to activate SSL in LuaRocks.
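An added example of the client-side check the comment is asking for, not code from the comment's author or from the LuaRocks project: a package manager downloads a package plus a manifest of expected digests, verifies that the manifest was signed by the index, and only then compares the package digest against it. The three scenarios at the bottom are constructed: an honest download, a download where only the package bytes were swapped in transit, and one where an interposer rewrote both the package and the manifest. HMAC-SHA256 with a pre-shared key stands in for a real public-key signature (Ed25519 or similar) because the Python standard library has no public-key signing; the key, manifest and package bodies are all made up for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed trust anchor. A real index would ship a public key with the client
# and sign with the private half; HMAC with a pre-shared key stands in here
# because the standard library has no public-key signing. Value is made up.
ASSUMED_INDEX_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(manifest: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Index side: tag over the canonical manifest (stand-in for a signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).digest()


def verify_manifest(manifest_bytes: bytes, tag: bytes, key: bytes) -> Optional[dict]:
    """Client side: parse the manifest only after its tag verifies (constant-time)."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(manifest_bytes)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_package(name: str, version: str, package_bytes: bytes,
                  manifest_bytes: bytes, tag: bytes, key: bytes) -> Tuple[bool, str]:
    """Decide whether a downloaded package may be installed."""
    manifest = verify_manifest(manifest_bytes, tag, key)
    if manifest is None:
        return False, "manifest signature invalid: refusing to trust any digest in it"
    entry = manifest.get("packages", {}).get(f"{name}-{version}")
    if entry is None:
        return False, f"{name}-{version} not listed in signed manifest"
    if not hmac.compare_digest(entry["sha256"], sha256_hex(package_bytes)):
        return False, "package digest does not match signed manifest (tampered download?)"
    return True, "ok"


# --- constructed scenario data ---------------------------------------------
GOOD_ROCK = b"-- constructed package body: genuine\nreturn {hello = 'world'}\n"
ALTERED_ROCK = b"-- constructed package body: modified in transit\nreturn {hello = 'tampered'}\n"

INDEX_MANIFEST = {"packages": {"demo-1.0": {"sha256": sha256_hex(GOOD_ROCK)}}}
INDEX_MANIFEST_BYTES = canonical(INDEX_MANIFEST)
INDEX_TAG = sign_manifest(INDEX_MANIFEST, ASSUMED_INDEX_KEY)


def scenario_honest() -> Tuple[bool, str]:
    """Package and manifest arrive unmodified."""
    return check_package("demo", "1.0", GOOD_ROCK,
                         INDEX_MANIFEST_BYTES, INDEX_TAG, ASSUMED_INDEX_KEY)


def scenario_swapped_package() -> Tuple[bool, str]:
    """Only the package bytes were altered on the wire; the signed digest catches it."""
    return check_package("demo", "1.0", ALTERED_ROCK,
                         INDEX_MANIFEST_BYTES, INDEX_TAG, ASSUMED_INDEX_KEY)


def scenario_swapped_package_and_manifest() -> Tuple[bool, str]:
    """The interposer also rewrites the manifest so its digest matches the altered
    package. A bare checksum file fetched over the same cleartext channel would pass;
    the tag, made without the index key, does not."""
    forged = {"packages": {"demo-1.0": {"sha256": sha256_hex(ALTERED_ROCK)}}}
    forged_tag = sign_manifest(forged, b"interposer-does-not-hold-the-index-key")
    return check_package("demo", "1.0", ALTERED_ROCK,
                         canonical(forged), forged_tag, ASSUMED_INDEX_KEY)


if __name__ == "__main__":
    for fn in (scenario_honest, scenario_swapped_package,
               scenario_swapped_package_and_manifest):
        print(f"{fn.__name__}: {fn()}")
```

The third scenario is the point of the comment: a checksum served alongside the package over the same cleartext connection protects only against accidental corruption, because whoever can rewrite the package can rewrite the checksum. The signature (or here, the keyed tag) is what ties the manifest to the index rather than to the network path, and TLS on top of that protects the confidentiality and integrity of the transport itself.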


