[Distutils] comparison of configuration languages

Nick Coghlan ncoghlan at gmail.com
Sat May 7 10:48:57 EDT 2016


On 7 May 2016 13:00, "Nathaniel Smith" <njs at pobox.com> wrote:
>
> Here's that one-stop writeup/comparison of all the major configuration
> languages that I mentioned:
>
> https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f

Thanks for that, and "yikes" on the comment handling variations in
ConfigParser - you can tell I've never even tried to use end-of-line
comments in INI files, and apparently neither has anyone I've worked with :)

For YAML, my main concern isn't quirkiness of the syntax, or code quality
in PyYAML, it's the ease with which you can expose yourself to security
problems (even if *pip* loads the config file safely, that doesn't mean
every other tool will). Since we don't need the extra power, the easiest
way to reduce the collective attack surface is to use a strictly less
powerful (but still sufficient) format.

For ast.literal_eval, we'd still need to come up with a way to do sections,
key:value mappings and define rules for comments.

For completeness, I'll note that XML combines even more user-unfriendly
syntax than JSON with similar security risks to YAML.

So with the trade-offs laid out like that (and particularly the
inconsistent comment and Unicode handling in ConfigParser), I'm prompted to
favour following Rust in adopting TOML.

Cheers,
Nick.

P.S. I particularly like the idea of using extension sections to eventually
consolidate other static config into a common file - that nicely addresses
my concern with config file proliferation, since it opens the door to
eventually subsuming other files like MANIFEST.in and setup.cfg as
archiving and build systems are updated.

>
> -n
>
> --
> Nathaniel J. Smith -- https://vorpus.org
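
The ConfigParser comment-handling variation mentioned in the message above, as an added example that is not part of the original thread: the same INI line is read under the parser settings different tools might choose, next to the single reading TOML defines. The sample text, the section and option names, and the helper functions are constructed for illustration.

```python
import configparser

# Constructed sample: one option followed by an end-of-line comment.
SAMPLE_INI = (
    "[metadata]\n"
    "index-url = https://example.invalid/simple ; internal mirror\n"
)

# The same setting in TOML, where '#' outside a string always starts a comment.
SAMPLE_TOML = (
    "[metadata]\n"
    'index-url = "https://example.invalid/simple" # internal mirror\n'
)

# Parser settings that different tools reading the same file might use.
INI_SETTINGS = {
    "default": {},
    "inline ';'": {"inline_comment_prefixes": (";",)},
    "inline '#'": {"inline_comment_prefixes": ("#",)},
}


def ini_readings(text, section, option):
    """Return the value each ConfigParser setting extracts for one option."""
    readings = {}
    for name, options in INI_SETTINGS.items():
        parser = configparser.ConfigParser(**options)
        parser.read_string(text)
        readings[name] = parser[section][option]
    return readings


def toml_reading(text, section, option):
    """Return the value the standard-library TOML parser (Python 3.11+) extracts."""
    import tomllib
    return tomllib.loads(text)[section][option]


if __name__ == "__main__":
    for name, value in ini_readings(SAMPLE_INI, "metadata", "index-url").items():
        print(f"ConfigParser ({name}): {value!r}")
    print(f"tomllib: {toml_reading(SAMPLE_TOML, 'metadata', 'index-url')!r}")
```

With the default settings the trailing comment becomes part of the URL, so two tools reading the same file can disagree about which index is configured.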