Packaging of a standalone program (Digestif)

Augusto Stoffel arstoffel at
Tue Nov 29 01:11:05 CET 2022

On Fri, 25 Nov 2022 at 22:53, Zeping Lee wrote:

> Hi Augusto,
> I've also written a Lua project <> and
> it works in TeX Live.  I hope the following helps.

Cool project!  I'd venture to say this is the right way to do
bibliographies: besides tapping into a huge style collection, there's no
need for intermediate programs.

> The path finding scheme in LuaTeX with TDS is different from standard Lua.
> Besides the file name issue mentioned by Karl, the code related to path finding
> may also need adaption for TDS. In general, `kpse.set_program_name("luatex")`
> is required in the main executable script to load Lua modules from the TDS (see
> also section 4.2.2 in the LuaTeX manual).  It replaces `package.searchers[2]`
> with the kpse loader which, unlike in standard Lua, looks for Lua modules by
> only their basenames.  This means
> `TEXMF/scripts/digestif/digestif-langserver.lua` can be loaded via
> `require("digestif-langserver")` (provided it's prepended with `digestif-`).
> The `.tags` files can be put in `TEXMF/tex/generic/digestif/` and they are
> accessed via `kpse.find_file("digestif-primitives.tags")`.

The issue is that I don't want to rename the files, because I want to
retain the usual hierarchical module system that distinguishes
require("digestif.util") from require("other_program.util") from

In any case, after talking with Karl I figured out a way to avoid
renaming anything by teaching the Lua module loader to look into zip
files.  I'll make this available when I get the time to finish working
out the details.

> BTW, you can install the files to `kpsewhich -var-value=TEXMFHOME` to test the
> TDS structure.

Yes.  You can also just place the files in the current directory since

     $ kpsewhich -var-brace-value TEXINPUTS | awk -F: '{print $1}'

which in my view is a potential security issue in LuaTeX.  For instance,
if someone sends you a directory containing a file and a tex
file that eventually calls require("citeproc"), then they can get your
machine to execute arbitrary code from if kpathsearch
doesn't find a file citeproc.lua somewhere else (e.g. if you haven't
installed citeproc-lua yet).

I think it should be a goal of LuaTeX to be safe to run it on a
directory containing evil files.  This is especially true if scripts
with the "#!/usr/bin/env texlua" shebang become common.  (Of course one
should always assume TEXMFHOME and the system TeX directories only
contain trusted code, otherwise you can't get anywhere.)
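
Added example, not part of the original message: a pre-flight check for the situation described above, to run before invoking LuaTeX or texlua in a directory received from someone else. It generalises the `awk` one-liner from the first path entry to any relative entry; the function names are hypothetical, and the search path is passed in as a string.

```shell
#!/bin/sh
# Added example, not code from the post; function names are hypothetical.

# first_relative_entry PATHLIST
# Print the first entry of a colon-separated search path (as printed by
# `kpsewhich -var-brace-value TEXINPUTS`) that is not an absolute
# directory, e.g. ".". Returns 1 if no such entry exists.
first_relative_entry() {
    old_ifs=$IFS; IFS=:
    set -f                          # no globbing while splitting
    for entry in $1; do
        entry=${entry#!!}           # drop kpathsea's "!!" prefix
        case $entry in
            ''|/*|'~'*) ;;          # empty, absolute or home: not flagged
            *) IFS=$old_ifs; set +f
               printf '%s\n' "$entry"; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# local_lua_modules DIR
# Print the module name (basename without .lua) of every Lua file lying
# directly in DIR: the names a require() call could resolve there.
local_lua_modules() {
    for f in "$1"/*.lua; do
        [ -f "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.lua}"
    done
}

# audit_dir DIR PATHLIST
# Returns 1 and lists the modules when the path has a relative entry AND
# DIR contains Lua files; returns 0 otherwise.
audit_dir() {
    rel=$(first_relative_entry "$2") || return 0
    mods=$(local_lua_modules "$1")
    [ -n "$mods" ] || return 0
    printf 'path entry "%s" is relative; Lua files in %s:\n' "$rel" "$1"
    printf '%s\n' "$mods" | sed 's/^/  /'
    return 1
}

# Usage: audit_dir . "$(kpsewhich -var-brace-value TEXINPUTS)"
```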
