We already addressed the licensing question; the JSON gem's license is compatible with ours, and permits this sort of bundling.

The security implications are minimal since 1) the library is primarily being used to exchange data internally between components of the puppet system; there is the possibility that the generated data could someday be made available to other programs, but that would essentially be using it as an *export* format, 2) the endpoints are already authenticating with SSL certs, 3) the ultimate source of the data is under the user's control (site.pp and friends). All things considered, having a trusted serialization engine as part of the provided stack is much lower risk than the default, which amounts to looking around for something called JSON in the search path, loading it and hoping for the best.

As for the upgrade issue, our concerns are pretty much the opposite of what a distro maintainer faces (but analogous to what drove Rails to bundle their JSON library). For a distro, you are packaging code *for others to use*, and need to aim for a sort of "track the bleeding edge as closely as possible but not too closely, and thus annoy everyone equally" compromise; we, on the other hand, are packaging code for internal use and need to worry first and foremost about compatibility with other versions of puppet. We not only aren't asking unrelated systems to use our bundled version, we are actually taking affirmative steps to keep them from using it by accident.

We have users who can't use marshal because their clients and server are running different versions of ruby, and this leads to segfaults. We have users who can't use yaml because of similar versioning issues (e.g. stock RHEL4 clients against RHEL5 servers) which cause data corruption. We have users who can't use json because of different json versions (e.g. Rails on some machines, the gem on others). And so on and so forth.

What we need is a serialization format that we can manage on both ends and guarantee the behavior of, regardless of what else happens to be installed (or not installed) on the various machines.

-- Markus
