Actually, Nathaniel didn't test vendorability of the libraries, and pip needs that. PyYAML isn't in good shape there.

On 8 May 2016 11:06 AM, "Alex Grönholm" <alex.gronh...@nextday.fi> wrote:
> 07.05.2016, 17:48, Nick Coghlan wrote:
>
> > On 7 May 2016 13:00, "Nathaniel Smith" <n...@pobox.com> wrote:
> >
> > > Here's that one-stop writeup/comparison of all the major configuration
> > > languages that I mentioned:
> > >
> > > https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f
> >
> > Thanks for that, and "yikes" on the comment handling variations in
> > ConfigParser - you can tell I've never even tried to use end-of-line
> > comments in INI files, and apparently neither has anyone I've worked with :)
> >
> > For YAML, my main concern isn't quirkiness of the syntax, or code quality
> > in PyYAML, it's the ease with which you can expose yourself to security
> > problems (even if *pip* loads the config file safely, that doesn't mean
> > every other tool will). Since we don't need the extra power, the easiest
> > way to reduce the collective attack surface is to use a strictly less
> > powerful (but still sufficient) format.
>
> Sounds like a far-fetched hypothetical problem. You're concerned about the
> custom tags provided by PyYAML? Do you happen to know a tool that defaults
> to loading files in unsafe mode?
>
> > For ast.literal_eval, we'd still need to come up with a way to do
> > sections, key:value mappings and define rules for comments.
> >
> > For completeness, I'll note that XML combines even more user unfriendly
> > syntax than JSON with similar security risks to YAML.
> >
> > So with the trade-offs laid out like that (and particularly the
> > inconsistent comment and Unicode handling in ConfigParser), I'm prompted to
> > favour following Rust in adopting TOML.
> >
> > Cheers,
> > Nick.
> >
> > P.S. I particularly like the idea of using extension sections to
> > eventually consolidate other static config into a common file - that nicely
> > addresses my concern with config file proliferation, since it opens the
> > door to eventually subsuming other files like MANIFEST.in and setup.cfg as
> > archiving and build systems are updated
> >
> > > -n
> > >
> > > --
> > > Nathaniel J. Smith -- https://vorpus.org
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
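The ConfigParser comment-handling variation Nick mentions, shown as an added stdlib-only example that is not from the thread: the INI text is constructed, and the same file is read by two differently configured parsers, which is the situation where one tool and another end up with different values for the same key.

```python
import configparser

# Constructed INI sample (not from the thread). It is fed to two parsers
# that differ only in their inline-comment settings.
SAMPLE_INI = """\
[server]
host = example.org # primary
port = 8080 ; legacy port
url = http://example.org/#fragment
# full-line comments are always stripped
; ...with either prefix
"""


def parse(text, inline_prefixes=None):
    """Return the [server] section as a plain dict.

    inline_prefixes=None is the ConfigParser default: '#' and ';' start a
    comment only at the beginning of a line, so trailing text stays in
    the value.
    """
    cp = configparser.ConfigParser(inline_comment_prefixes=inline_prefixes)
    cp.read_string(text)
    return dict(cp["server"])


def default_values():
    # Default settings: the end-of-line "comments" are part of the value.
    return parse(SAMPLE_INI)


def inline_stripped_values():
    # With inline prefixes enabled, a prefix is honoured only when preceded
    # by whitespace, so the '#' glued to the URL fragment survives.
    return parse(SAMPLE_INI, inline_prefixes=("#", ";"))


def differing_keys():
    """Keys whose value depends on how the reader was configured."""
    a, b = default_values(), inline_stripped_values()
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    print("default:", default_values())
    print("inline stripped:", inline_stripped_values())
    print("keys that differ:", differing_keys())
```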