LuaRocks search should use not luasec

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

LuaRocks search should use not luasec

Dirk Laurie-2
... or it should use it more effectively.

I recently installed 'luasec' because 'luarocks search sqlite' gives
me about two seconds to look at this message:

    Warning: falling back to wget - install luasec to get native HTTPS support

before starting to display Search Results.

I looked with gratification at nothing, which turned into dismay when
it now gave me nine seconds to do so.

I have no experience with luasec, having managed to get by with
luacurl, but surely if we are warned that we should install it, it is
not unreasonable to expect that the experience will then be better?

Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Hisham
On Mon, 10 Sep 2018 at 03:28, Dirk Laurie <[hidden email]> wrote:

>
> ... or it should use it more effectively.
>
> I recently installed 'luasec' because 'luarocks search sqlite' gives
> me about two seconds to look at this message:
>
>     Warning: falling back to wget - install luasec to get native HTTPS support
>
> before starting to display Search Results.
>
> I looked with gratification at nothing, which turned into dismay when
> it now gave me nine seconds to do so.
>
> I have no experience with luasec, having managed to get by with
> luacurl, but surely if we are warned that we should install it, it is
> not unreasonable to expect that the experience will then be better?

Please provide more information for debugging the issue:

Which LuaRocks version was this on? Which Lua version? Which
OS/distro? Which LuaSec version?

LuaRocks bugs are tracked in
https://github.com/luarocks/luarocks/issues so feel free to open an
issue there!

Thanks!

-- Hisham

Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Daurnimator
On 10 September 2018 at 10:16, Hisham <[hidden email]> wrote:

> On Mon, 10 Sep 2018 at 03:28, Dirk Laurie <[hidden email]> wrote:
>>
>> ... or it should use it more effectively.
>>
>> I recently installed 'luasec' because 'luarocks search sqlite' gives
>> me about two seconds to look at this message:
>>
>>     Warning: falling back to wget - install luasec to get native HTTPS support
>>
>> before starting to display Search Results.
>>
>> I looked with gratification at nothing, which turned into dismay when
>> it now gave me nine seconds to do so.
>>
>> I have no experience with luasec, having managed to get by with
>> luacurl, but surely if we are warned that we should install it, it is
>> not unreasonable to expect that the experience will then be better?
>
> Please provide more information for debugging the issue:
>
> Which LuaRocks version was this on? Which Lua version? Which
> OS/distro? Which LuaSec version?
>
> LuaRocks bugs are tracked in
> https://github.com/luarocks/luarocks/issues so feel free to open an
> issue there!
>
> Thanks!
>
> -- Hisham
>

I don't believe this is a bug report or issue, but a roundabout way to
ask question:
"Why does luarocks warn that luasec isn't available if using wget works fine?"

Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Dirk Laurie-2
Op Ma., 10 Sep. 2018 om 19:36 het Daurnimator <[hidden email]> geskryf:

>
> On 10 September 2018 at 10:16, Hisham <[hidden email]> wrote:
> > On Mon, 10 Sep 2018 at 03:28, Dirk Laurie <[hidden email]> wrote:
> >>
> >> ... or it should use it more effectively.
> >>
> >> I recently installed 'luasec' because 'luarocks search sqlite' gives
> >> me about two seconds to look at this message:
> >>
> >>     Warning: falling back to wget - install luasec to get native HTTPS support
> >>
> >> before starting to display Search Results.
> >>
> >> I looked with gratification at nothing, which turned into dismay when
> >> it now gave me nine seconds to do so.
> >>
> >> I have no experience with luasec, having managed to get by with
> >> luacurl, but surely if we are warned that we should install it, it is
> >> not unreasonable to expect that the experience will then be better?
> >
> > Please provide more information for debugging the issue:
> >
> > Which LuaRocks version was this on? Which Lua version? Which
> > OS/distro? Which LuaSec version?
> >
> > LuaRocks bugs are tracked in
> > https://github.com/luarocks/luarocks/issues so feel free to open an
> > issue there!
> >
> > Thanks!
> >
> > -- Hisham
> >
>
> I don't believe this is a bug report or issue, but a roundabout way to
> ask question:
> "Why does luarocks warn that luasec isn't available if using wget works fine?"

It's actually a direct way of saying "LuaRocks search should use not luasec".
I.e. not only should it not warn, it should not even test whether luasec is
available. We're not transmitting any secrets or downloading any packages,
it's just a search.

Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Sean Conner
It was thus said that the Great Dirk Laurie once stated:

> Op Ma., 10 Sep. 2018 om 19:36 het Daurnimator <[hidden email]> geskryf:
> >
> > I don't believe this is a bug report or issue, but a roundabout way to
> > ask question: "Why does luarocks warn that luasec isn't available if
> > using wget works fine?"
>
> It's actually a direct way of saying "LuaRocks search should use not luasec".
> I.e. not only should it not warn, it should not even test whether luasec is
> available. We're not transmitting any secrets or downloading any packages,
> it's just a search.

  There are some in the security industry who would think otherwise.  Why
else the push for DNS over HTTPS? [1]  That's just a search as well.

  -spc

[1] http://boston.conman.org/2018/05/29.1


Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Dirk Laurie-2
Op Ma., 10 Sep. 2018 om 22:49 het Sean Conner <[hidden email]> geskryf:

>
> It was thus said that the Great Dirk Laurie once stated:
> > Op Ma., 10 Sep. 2018 om 19:36 het Daurnimator <[hidden email]> geskryf:
> > >
> > > I don't believe this is a bug report or issue, but a roundabout way to
> > > ask question: "Why does luarocks warn that luasec isn't available if
> > > using wget works fine?"
> >
> > It's actually a direct way of saying "LuaRocks search should use not luasec".
> > I.e. not only should it not warn, it should not even test whether luasec is
> > available. We're not transmitting any secrets or downloading any packages,
> > it's just a search.
>
>   There are some in the security industry who would think otherwise.  Why
> else the push for DNS over HTTPS? [1]  That's just a search as well.
>
>   -spc
>
> [1]     http://boston.conman.org/2018/05/29.1
>

>From the blog post that you cite:

> We now get to make expensive network queries during the establishment of a phone call.

Seems he has the same sort of gripe as I.

Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Daurnimator
In reply to this post by Sean Conner
On 10 September 2018 at 13:49, Sean Conner <[hidden email]> wrote:

> It was thus said that the Great Dirk Laurie once stated:
>> We're not transmitting any secrets or downloading any packages,
>> it's just a search.
>
>   There are some in the security industry who would think otherwise.  Why
> else the push for DNS over HTTPS? [1]  That's just a search as well.
>
>   -spc
>
> [1]     http://boston.conman.org/2018/05/29.1
>

See RFC 7258 and the discussions around it.

Beyond government surveillance, there is the well-known issue of ISPs
who interfere with your traffic.
e.g. https://gist.github.com/ryankearney/4146814

Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Sean Conner
In reply to this post by Dirk Laurie-2
It was thus said that the Great Dirk Laurie once stated:

> Op Ma., 10 Sep. 2018 om 22:49 het Sean Conner <[hidden email]> geskryf:
> >
> > It was thus said that the Great Dirk Laurie once stated:
> > > Op Ma., 10 Sep. 2018 om 19:36 het Daurnimator <[hidden email]> geskryf:
> > > >
> > > > I don't believe this is a bug report or issue, but a roundabout way to
> > > > ask question: "Why does luarocks warn that luasec isn't available if
> > > > using wget works fine?"
> > >
> > > It's actually a direct way of saying "LuaRocks search should use not luasec".
> > > I.e. not only should it not warn, it should not even test whether luasec is
> > > available. We're not transmitting any secrets or downloading any packages,
> > > it's just a search.
> >
> >   There are some in the security industry who would think otherwise.  Why
> > else the push for DNS over HTTPS? [1]  That's just a search as well.
> >
> >   -spc
> >
> > [1]     http://boston.conman.org/2018/05/29.1
> >
>
> >From the blog post that you cite:
>
> > We now get to make expensive network queries during the establishment of a phone call.
>
> Seems he has the same sort of gripe as I.

  Oddly enough, I have the same gripe.

  -spc (So much so that I actually wrote that blog post 8-)


Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Pierre Chapuis
In reply to this post by Dirk Laurie-2
On Mon, Sep 10, 2018, at 20:17, Dirk Laurie wrote:

> It's actually a direct way of saying "LuaRocks search should use not luasec".
> I.e. not only should it not warn, it should not even test whether luasec is
> available. We're not transmitting any secrets or downloading any packages,
> it's just a search.

This does not make much sense to me. External downloaders like wget
use HTTPS too. If LuaSec is slower, it's not because of the extra security.

If there is a performance issue with LuaSec it looks like a bug which
should be reported properly...

Reply | Threaded
Open this post in threaded view
|

Re: LuaRocks search should use not luasec

Dirk Laurie-2
Op Di., 11 Sep. 2018 om 09:29 het Pierre Chapuis <[hidden email]> geskryf:

>
> On Mon, Sep 10, 2018, at 20:17, Dirk Laurie wrote:
>
> > It's actually a direct way of saying "LuaRocks search should use not luasec".
> > I.e. not only should it not warn, it should not even test whether luasec is
> > available. We're not transmitting any secrets or downloading any packages,
> > it's just a search.
>
> This does not make much sense to me. External downloaders like wget
> use HTTPS too. If LuaSec is slower, it's not because of the extra security.
>
> If there is a performance issue with LuaSec it looks like a bug which
> should be reported properly...

I'm sorry, but I am not a LuaSec user. I have already removed that rock.

Anyway, I am not sure it is a bug to be 4-5 times slower than wget.
Quite a few things are that much slower via Lua than directly in C.

luacurl, which I use, is also slower than wget, but if the server's
API is sophisticated enough, you can get by with just a couple of
accesses. The problem arises when you are trying to conduct a
conversation with dozens of messages purely in URLs. As Sean said:
"expensive network queries" dominate the elapsed time.