07.05.2016, 17:48, Nick Coghlan wrote:
On 7 May 2016 13:00, "Nathaniel Smith" <n...@pobox.com> wrote:
>
> Here's that one-stop writeup/comparison of all the major configuration
> languages that I mentioned:
>
> https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f
Thanks for that, and "yikes" on the comment handling variations in
ConfigParser - you can tell I've never even tried to use end-of-line
comments in INI files, and apparently neither has anyone I've worked
with :)
For YAML, my main concern isn't quirkiness of the syntax, or code
quality in PyYAML, it's the ease with which you can expose yourself to
security problems (even if *pip* loads the config file safely, that
doesn't mean every other tool will). Since we don't need the extra
power, the easiest way to reduce the collective attack surface is to
use a strictly less powerful (but still sufficient) format.

Sounds like a far-fetched hypothetical problem. You're concerned about
the custom tags provided by PyYAML? Do you happen to know a tool that
defaults to loading files in unsafe mode?

For ast.literal_eval, we'd still need to come up with a way to do
sections, key:value mappings and define rules for comments.
For completeness, I'll note that XML combines even more user
unfriendly syntax than JSON with similar security risks to YAML.
So with the trade-offs laid out like that (and particularly the
inconsistent comment and Unicode handling in ConfigParser), I'm
prompted to favour following Rust in adopting TOML.
Cheers,
Nick.
P.S. I particularly like the idea of using extension sections to
eventually consolidate other static config into a common file - that
nicely addresses my concern with config file proliferation, since it
opens the door to eventually subsuming other files like MANIFEST.in
and setup.cfg as archiving and build systems are updated
>
> -n
>
> --
> Nathaniel J. Smith -- https://vorpus.org
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
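
One way to make the ast.literal_eval option raised in this thread concrete, as an added example that is not code from any participant or from pip: the loader accepts only inert literals and rejects anything that would need evaluation. The dict-of-dicts section layout, the `load_literal_config` name and the sample text are assumptions made for illustration.

```python
import ast

# Constructed sample: the whole config is a single Python literal.
# Top-level keys act as sections (assumed convention), comments use '#'.
SAMPLE = '''
{
    # build requirements
    "build-system": {"requires": ["setuptools", "wheel"]},
    "tool.example": {"verbose": True, "jobs": 4, "target": None},
}
'''

SCALARS = (str, int, float, bool, type(None))


def _check_inert(value, path):
    """Allow only scalars, lists and string-keyed dicts (nothing callable)."""
    if isinstance(value, SCALARS):
        return
    if isinstance(value, list):
        for i, item in enumerate(value):
            _check_inert(item, f"{path}[{i}]")
    elif isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                raise ValueError(f"{path}: non-string key {key!r}")
            _check_inert(item, f"{path}.{key}")
    else:
        # literal_eval also yields tuples, sets, bytes and complex numbers;
        # this stricter profile rejects them.
        raise ValueError(f"{path}: unsupported type {type(value).__name__}")


def load_literal_config(text):
    """Parse text as a literal; never calls functions or resolves names."""
    try:
        data = ast.literal_eval(text.strip())
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a pure literal: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("top level must be a dict of sections")
    for section, body in data.items():
        if not isinstance(section, str) or not isinstance(body, dict):
            raise ValueError(f"section {section!r} must map a name to a dict")
        _check_inert(body, section)
    return data
```

The Python documentation warns that `ast.literal_eval` can still exhaust memory or the interpreter stack on very large or deeply nested input, so a loader like this limits what a file can express, not how much it costs to parse.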