After having two security issues related to using YAML, it is time to move away from it on the network. We can get around the issue, for now, by using safe_yaml (which has caused some performance regressions), which is what we are doing, but the better, longer term thing is to just stop using YAML on the network.
To that end Patrick and I have been working on https://projects.puppetlabs.com/issues/21427. While working on this we had to make a change, which I think should get some wider audience before it lands:

* The agent after this change will stop sending YAML to the master by default (it can be changed using the preferred_serialization_format)
* The master needs some changes to be able to handle some things being sent that are not YAML (queries that contain arrays are encoded in YAML at the moment, and will be encoded as multi-valued query parameters after these changes)
* The agent is GOING TO REQUIRE A NEWER MASTER

The reason I'm calling this out is because it might be an unexpected requirement. We always say that a newer master can talk to an older agent, but not that an older master can talk to a newer agent. In this case we will really be making a change that requires that compatibility guarantee to the full extent.

The master will still accept YAML, and will work with older agents, but it will issue deprecation warnings during those communications. This sets us up for removing YAML entirely (on the network, we are keeping it for files) when puppet 4 comes along and sets us up for fewer security problems around handling data from the network.

--
Andrew Parker
[email protected]
Freenode: zaphod42
Twitter: @aparker42
Software Developer
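The following sketch is an added example, not part of the original message and not Puppet's own code. It shows an array sent as multi-valued query parameters and decoded without a YAML parser, next to a restricted legacy YAML path; the helper names and the `names` and `env` parameters are hypothetical.

```ruby
require 'uri'
require 'yaml'

# Agent side (new behaviour): an array value becomes repeated key=value pairs.
def encode_query(params)
  URI.encode_www_form(params)
end

# Master side: repeated keys are collected into arrays. Every decoded value
# is a plain String, so no parser step can instantiate an object.
def decode_query(query)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), out|
    out[key] = out.key?(key) ? Array(out[key]) << value : value
  end
end

# Legacy path for older agents (assumed shape: the parameter value is a YAML
# list). safe_load accepts plain data only; tagged Ruby objects are refused.
def decode_legacy_yaml(value)
  data = YAML.safe_load(value)
  unless data.is_a?(Array) && data.all? { |v| v.is_a?(String) }
    raise ArgumentError, 'expected a YAML list of strings'
  end
  data
rescue Psych::DisallowedClass => e
  raise ArgumentError, "rejected YAML parameter: #{e.class}"
end

if __FILE__ == $0
  # Constructed sample input.
  query = encode_query('names' => %w[alpha beta], 'env' => 'production')
  puts query
  puts decode_query(query).inspect
  puts decode_legacy_yaml("---\n- alpha\n- beta\n").inspect
end
```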
