On 15/12/2019 19:30, Dominique Dumont wrote: > On Fri, 13 Dec 2019 14:23:46 +0100 Andrej Shadura > <[email protected]> wrote: >> As a temporary workaround, I patched the locally used version to use >> YAML::XS, but as I see you won?t accept this patch upstream. Is there a >> solution that would satisfy both conditions of how having security >> issues and supporting proper YAML? > > YAML::XS security issues has been fixed upstream. Now > Config::Model::Backend::Yaml uses YAML:XS > > That said, YAML input and output is used in several places in libconfig-model- > dpkg-perl. I fail to see your use case which involves debian/copyright in > YAML > format. > > Could you provide more details on your use case?
In Apertis, we use scan-copyrights to verify the licenses for updates coming from Debian are under licenses we know we want, and that there are no new files with unclear terms. For that, we ship a YAML file under debian/apertis/ in the format of fill-copyright-blanks and a gitignore-formatted whitelist file. We also tell scan-copyrights to scan all files, not just whitelisted extensions. For this to work, we read our own config files, the config files in the normal scan-copyrights location, and parse debian/copyright to determine the license of debian/, and then merge them so that scan-copyrights uses the merged configuration. However, I was unable to make pyyaml to generate the YAML format YAML::Tiny is always able to read, and apparently ruamel (judging by the code) has the same issue. -- Cheers, Andrej

