<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
08.05.2016, 02:08, Donald Stufft wrote:<br>
<blockquote
cite="mid:E2099A11-44AB-480B-884C-22A5C8531EFB@stufft.io"
type="cite">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On May 7, 2016, at 7:05 PM, Alex Grönholm <<a
moz-do-not-send="true"
href="mailto:alex.gronholm@nextday.fi" class="">alex.gronholm@nextday.fi</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><span class="">07.05.2016, 17:48, Nick Coghlan
wrote:</span><br class="">
<blockquote
cite="mid:CADiSq7cQ4pS0qPB_i4byqYkNoBe_K9Hkw_vesWytRqDmOSmmXA@mail.gmail.com"
type="cite" class="">
<p dir="ltr" class=""><br class="">
On 7 May 2016 13:00, "Nathaniel Smith" <<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:njs@pobox.com">njs@pobox.com</a>>
wrote:<br class="">
><br class="">
> Here's that one-stop writeup/comparison of all the
major configuration<br class="">
> languages that I mentioned:<br class="">
><br class="">
><span class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f"
class="">https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f</a></p>
<p dir="ltr" class="">Thanks for that, and "yikes" on the
comment handling variations in ConfigParser - you can
tell I've never even tried to use end-of-line comments
in INI files, and apparently neither has anyone I've
worked with :)</p>
<p dir="ltr" class="">For YAML, my main concern isn't
quirkiness of the syntax, or code quality in PyYAML,
it's the ease with which you can expose yourself to
security problems (even if *pip* loads the config file
safely, that doesn't mean every other tool will). Since
we don't need the extra power, the easiest way to reduce
the collective attack surface is to use a strictly less
powerful (but still sufficient) format.</p>
</blockquote>
<span class="">Sounds like a far-fetched
hypothetical problem. You're concerned about the custom
tags provided by PyYAML? Do you happen to know a tool that
defaults to loading files in unsafe mode?</span><br class="">
</div>
</blockquote>
<br class="">
</div>
<div>Yea, PyYAML itself does (yaml.load() does it unsafely, you
have to use yaml.safe_load()).</div>
<div><br class="">
</div>
<div>I don’t think it’s that big of a deal though; we could easily
add a thing to PyPI that rejects any YAML file that can’t be
parsed in safe mode. The bigger deal to me is just that the
library to work with it is a bit of a bear to use as a
dependency.</div>
</blockquote>
Sounds like we'd need an alternate implementation of YAML then (I'd
love to see a "yaml" module in the standard library too, but PyYAML
isn't a good candidate for that, agreed).<br>
<blockquote
cite="mid:E2099A11-44AB-480B-884C-22A5C8531EFB@stufft.io"
type="cite">
<div class="">
<br class="">
-----------------<br class="">
Donald Stufft<br class="">
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F
6E3C BCE9 3372 DCFA
</div>
<br class="">
</blockquote>
<br>
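<p>The behaviour discussed in the thread above, shown as an added example (this is not code from the thread, from PyPI or from PyYAML itself): a constructed document carrying a <code>!!python/object/apply</code> tag is executed by PyYAML's full <code>yaml.Loader</code>, while <code>yaml.safe_load()</code> refuses it, and the hypothetical <code>is_safe_yaml()</code> function is one way to implement the "reject anything that does not parse in safe mode" check Donald describes. The two documents and all function names are assumptions made for this example; the payload evaluates <code>os.getpid()</code> so that the code execution is observable without doing anything harmful. Requires PyYAML to be installed.</p>

```python
import os
import yaml

# Constructed sample documents for this example (not real project files).
# A benign config file of the kind a well-behaved tool expects to read.
BENIGN_DOC = """
name: example
requires:
  - requests
"""

# A hostile document: the python/object/apply tag instructs PyYAML's full
# loader to import a module, look up a callable and call it with
# attacker-chosen arguments.  eval of os.getpid() is used here only so the
# effect is observable without doing anything harmful.
HOSTILE_DOC = """
name: example
payload: !!python/object/apply:builtins.eval ["__import__('os').getpid()"]
"""


def load_unsafely(text):
    """What a tool using the full loader does: constructs arbitrary Python objects."""
    # yaml.Loader is the full (unsafe) loader; a bare yaml.load(text) used it
    # by default in PyYAML versions before 5.1.
    return yaml.load(text, Loader=yaml.Loader)


def load_safely(text):
    """The safe loader only builds plain data (str, int, float, list, dict, ...)."""
    return yaml.safe_load(text)


def is_safe_yaml(text):
    """Hypothetical upload-time gate: accept a document only if it parses in safe mode.

    safe_load raises a ConstructorError (a YAMLError subclass) for any tag it
    has no constructor for, including every python/* tag, so a document that
    would make the full loader run code is rejected here.
    """
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return False
    return True


def hostile_payload_executed():
    """True if loading HOSTILE_DOC with the full loader really ran the eval."""
    loaded = load_unsafely(HOSTILE_DOC)
    return loaded["payload"] == os.getpid()


if __name__ == "__main__":
    print("benign, safe_load:", load_safely(BENIGN_DOC))
    print("benign passes gate:", is_safe_yaml(BENIGN_DOC))
    print("hostile passes gate:", is_safe_yaml(HOSTILE_DOC))
    print("hostile ran code under full loader:", hostile_payload_executed())
```

<p>The gate deliberately calls <code>yaml.safe_load()</code> rather than scanning the text for <code>!!python</code>: the set of tags the safe loader accepts is the definition of "safe mode", so parsing with it is the check, and any tag outside that set (not only PyYAML's own <code>python/*</code> family) is rejected the same way.</p>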
</body>
</html>