> On May 7, 2016, at 7:05 PM, Alex Grönholm <alex.gronh...@nextday.fi> wrote:
> 
> 07.05.2016, 17:48, Nick Coghlan kirjoitti:
>> 
>> On 7 May 2016 13:00, "Nathaniel Smith" <n...@pobox.com> wrote:
>> >
>> > Here's that one-stop writeup/comparison of all the major configuration
>> > languages that I mentioned:
>> >
>> > https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f
>> Thanks for that, and "yikes" on the comment handling variations in 
>> ConfigParser - you can tell I've never even tried to use end-of-line 
>> comments in INI files, and apparently neither has anyone I've worked with :)
>> 
>> For YAML, my main concern isn't quirkiness of the syntax, or code quality in 
>> PyYAML, it's the ease with which you can expose yourself to security 
>> problems (even if *pip* loads the config file safely, that doesn't mean 
>> every other tool will). Since we don't need the extra power, the easiest way 
>> to reduce the collective attack surface is to use a strictly less powerful 
>> (but still sufficient) format.
>> 
> Sounds like a far-fetched hypothetical problem. You're concerned about the 
> custom tags provided by PyYAML? Do you happen to know a tool that defaults to 
> loading files in unsafe mode?

Yea, PyYAML itself does (yaml.load() does it unsafely, you have to use 
yaml.safe_load()).

I don’t think it’s that big of a deal though, we could easily add a thing to 
PyPI that rejects any YAML file that can’t be parsed in safe mode. The bigger 
deal to me is just that the library to work with it is a bit of a bear to use 
as a dependency.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
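
As an added example (not code from this thread, nor from pip or PyPI), the kind of check described above, assuming PyYAML is installed: a document is accepted only if yaml.safe_load can parse it, and the reason is reported when it cannot. The sample documents are constructed for illustration.

```python
"""Reject any YAML document that PyYAML's safe loader cannot parse.

Added example, not code from the mailing-list thread. Assumes PyYAML
is installed; the sample documents below are constructed.
"""
import yaml


def load_safe_or_reject(text: str):
    """Return (True, parsed_value) or (False, reason).

    yaml.safe_load knows only the core YAML tags (str, int, map, seq, ...).
    A document that uses an application-specific tag, such as the
    !!python/... tags that the full yaml.load() resolves into live
    Python objects, fails here with a ConstructorError.
    """
    try:
        return True, yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        # Unknown tag: the document needs more than the safe subset.
        return False, f"rejected: {exc.problem}"
    except yaml.YAMLError as exc:
        # Plain syntax error; also rejected, but for a different reason.
        return False, f"syntax error: {exc}"


# Constructed sample documents: a plain config and one carrying a Python tag.
PLAIN_CONFIG = """
name: example-package
version: "1.0"
dependencies:
  - requests>=2.0
"""

TAGGED_CONFIG = """
name: example-package
hook: !!python/name:os.getcwd
"""

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_CONFIG), ("tagged", TAGGED_CONFIG)):
        ok, result = load_safe_or_reject(doc)
        print(label, "->", "accepted" if ok else result)
```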

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig