Skip to content

Rocks Devlog #003

Published: at 12:00 AM

Rocks Devlog #3

It’s been a while (about a month) since the last update post! For those out of the loop, rocks is a rewrite of luarocks in an attempt to vastly improve the Lua ecosystem. A lot has happened since the last update, so let’s break down all the new stuff.

Soundness Check

We’ve squashed many bugs related to the installation of C + Lua libraries, most notably the incorrect installation of lib.c modules. We also caught a bug where the --lua-version passed to rocks would not be respected whenever the rockspec of the thing you’re installing had a different target version. The rockspec shouldn’t dictate what Lua version to use, you should!

We’ve also fixed some issues with platform overrides, a feature of rockspecs which allow you to modify aspects of the rockspec based on the operating system that the rock is being installed to. We’ll soon be writing a compatibility test, seeing what percentage of packages on luarocks.org we currently support!

I’ve Hacked into Their Mainframe

This month sees the full implementation of rocks upload! This one was quite the challenge, mostly due to potential security flaws. luarocks.org expects to receive the API key in the URL of the request… yikes. If you didn’t flinch there, take my word for it, that’s not secure at all. It’s like this by design though, so what can you do, shrug.

To prevent any API key leakages, we’ve taken care to make sure that all connections to luarocks.org are forced to use HTTPS. In the code, the API key is stored in a sealed struct with no way to access the underlying API key string without using unsafe. Instead of passing the key as a flag, like you do in luarocks (luarocks upload --api-key <KEY>), we force you to supply the key under $ROCKS_API_KEY instead. While all this can’t possibly prevent man-in-the-middle attacks that intercept your URL and grab your API key, it’s as much as we can do!

rocks upload is much more convenient than its counterpart, partly because it directly interfaces with projects. You don’t need 20 rockspecs lying around in a directory somewhere, just run rocks upload and it works™!

CLI - Comfy Luarocks Interface

We’ve changed the signature of rocks install. Previously, it was rocks install package version. Now, you can supply multiple packages to install in a single invocation: rocks install package@0.2.3 other-package@0.1.0. You can even use version constraints: rocks install mypackage>=0.2.0!

As for other CLI changes, we’ve implemented two massive features: rocks test, which automatically runs busted on your code, and rocks run, letting you run any binary you installed from luarocks.org without needing to add it to your $PATH!

For easy debugging, we’ve also provided a rocks lua command, which runs lua with its version and paths automatically configured.

The Elephant(s) in the Room

The end of this month marks the coolest feature thus far - parallel installs! rocks now installs dependencies as well as multiple packages on separate threads, making everything work asynchronously. This system is possible because of our hashing system, described in the previous blog post.

Because every rock evaluates to some sort of short hash, we can grab all dependencies of a package ahead of time, remove any duplicate hashes (since they’ll all evaluate to the exact same package) and run all operations concurrently! This ensures that we’ll never have data races between rocks, since they all have different hashes, meaning they’ll all output to different directories.

Let’s provide some numbers: busted is our current stress test package when it comes to testing how well our code works. In luarocks’s case, it needs 22.3 seconds to fully installed busted. rocks needs… wait for it… 5.6 seconds!

That’s a substantial increase in speed. You may be asking where our bottleneck is - most of these 5 seconds is actually spent waiting for network operations to complete (responses from luarocks.org, cloning from git). We plan to take this time down to roughly 2 or 3 seconds by rewriting our manifest caching to be much more efficient.

Conclusion

This month has seen a lot of great work on rocks. We plan to have a functional 1.0 release by Christmas, let’s see if we can pull it off. We’re currently focusing on bug squashing and Lua interoperability, allowing rocks to be embedded directly in Lua scripts.

To the lua moon! 🚀