[CentralOH] YAML versus Python

Travis Risner deeptinker at gmail.com
Thu Nov 13 03:37:54 CET 2014


You may have two other considerations.
1 - Are you the only person who is ever going to modify the 
configuration?  If not, then YAML may be better because the other person 
is less likely to change something unintended (like changing a tab to 
spaces or vice-versa).

2 - Do you need rigorous validation? If so, then perhaps XML with an XSD 
or DTD is the way to go.

(Disclaimer - I have never used YAML so there may easily be capabilities 
my 30 second read missed.  :)  )

On 11/12/14, 9:09 PM, iynaix wrote:
> Some quick thoughts:
>
> If the data is only written and used by your own program, it doesn't
> make much of a difference whether you use Python (as Django does) or
> YAML. Obviously if it has to be used in another language or by other
> tools, Python is probably not a good option.
>
> You can output Python (deserialize objects) using the pickle module
> (https://docs.python.org/2/library/pickle.html), but it can execute
> arbitrary code, so do not use it from untrusted sources, which is also
> very explicitly stated in the official Python docs.
>
> If the data might possibly be from an outside source, I would go with
> JSON. YAML is prettier and also a superset of JSON, but some of the more
> advanced features of YAML are exploitable. Ruby on Rails had a string of
> vulnerabilities last year based off YAML deserialization.
> (https://ronin-ruby.github.io/blog/2013/01/09/rails-pocs.html,
> https://ronin-ruby.github.io/blog/2013/01/28/new-rails-poc.html). Again,
> if the source is trusted, then it shouldn't be too big of an issue.
>
> Cheers,
> XY
>
> On Thu, Nov 13, 2014 at 9:19 AM, <jep200404 at columbus.rr.com> wrote:
>
>     I saw some complex data for initial values in an ugly format.
>     Someone else saw it and immediately said to use YAML.
>
>     I realized that if the configuration data is used only in a
>     Python program, then the configuration data could be a Python
>     module, and just be imported. So now I'm wondering about YAML
>     versus Python. When is YAML more helpful than Python and vice
>     versa?
>
>     If one needs to use the data in any language other
>     than Python, then Python would be inappropriate, because one
>     would need a Python parser for some other language, which
>     would be ridiculous. YAML can be grokked by many languages.
>
>     If one needs to modify the data by a program,
>     then YAML is superior because it's easy to output.
>     Importing Python is easy, but I'm not aware of a way to easily
>     output Python. print(repr(foo)) could be a part of it,
>     but it tends towards long lines which are hard to read.
>
>     The references in YAML are interesting.
>     It makes me wonder about recursive references in Python.
>     I had not thought about recursive data structures in Python.
>     (I have not needed them yet either.)
>
>     Also, as clean as Python is, it has more syntax cruft to wade
>     through than YAML. YAML is easier to read.
>
>     Golly, I think I've talked myself into YAML.
>     What can you add about YAML versus Python for static or
>     initializing data?
>     _______________________________________________
>     CentralOH mailing list
>     CentralOH at python.org
>     https://mail.python.org/mailman/listinfo/centraloh
>
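
An added example, not part of the thread: the pickle and "outside source" points above, shown with a constructed, harmless payload next to a restricted unpickler and a type-checked JSON loader. The names Payload, NoGlobalsUnpickler, load_pickle_restricted and load_json_config are hypothetical, and the sample config is constructed.

```python
import io
import json
import os
import pickle


class Payload:
    """Constructed, harmless payload: the stream names a callable to run."""
    def __reduce__(self):
        # pickle stores (callable, args); the loader calls it at load time
        return (os.getpid, ())


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers, strings,
    numbers, booleans and None can be reconstructed."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_pickle_restricted(blob):
    """Load a pickle that is expected to hold plain data only."""
    return NoGlobalsUnpickler(io.BytesIO(blob)).load()


def load_json_config(text, schema):
    """Parse JSON, then check that each key in schema exists with that type."""
    cfg = json.loads(text)  # builds only dict/list/str/number/bool/None
    if not isinstance(cfg, dict):
        raise ValueError("top level must be an object")
    for key, typ in schema.items():
        value = cfg.get(key)
        # bool is a subclass of int, so reject it where an int is required
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise ValueError(f"{key!r} must be {typ.__name__}")
    return cfg


if __name__ == "__main__":
    blob = pickle.dumps(Payload())
    # The data, not the program, chose the function that ran during loading.
    print("loads() called os.getpid:", pickle.loads(blob) == os.getpid())
    try:
        load_pickle_restricted(blob)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
    print(load_pickle_restricted(pickle.dumps({"port": 8080})))
    schema = {"host": str, "port": int}  # constructed sample schema
    print(load_json_config('{"host": "db1", "port": 8080}', schema))
```

Refusing globals narrows what a pickle stream can do, while the JSON loader never had the ability to call anything and still needs the explicit type checks for validation.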

