[Distutils] comparison of configuration languages

Robert Collins robertc at robertcollins.net
Sat May 7 19:11:23 EDT 2016 

Actually, Nathaniel didn't test vendorability of the libraries, and pip
needs that. Pyyaml isn't in good shape there.
On 8 May 2016 11:06 AM, "Alex Grönholm" <alex.gronholm at nextday.fi> wrote:

> 07.05.2016, 17:48, Nick Coghlan kirjoitti:
>
>
> On 7 May 2016 13:00, "Nathaniel Smith" <njs at pobox.com> wrote:
> >
> > Here's that one-stop writeup/comparison of all the major configuration
> > languages that I mentioned:
> >
> > https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f
>
> Thanks for that, and "yikes" on the comment handling variations in
> ConfigParser - you can tell I've never even tried to use end-of-line
> comments in INI files, and apparently neither has anyone I've worked with :)
>
> For YAML, my main concern isn't quirkiness of the syntax, or code quality
> in PyYAML, it's the ease with which you can expose yourself to security
> problems (even if *pip* loads the config file safely, that doesn't mean
> every other tool will). Since we don't need the extra power, the easiest
> way to reduce the collective attack surface is to use a strictly less
> powerful (but still sufficient) format.
>
> Sounds like a far-fetched hypothetical problem. You're concerned about the
> custom tags provided by PyYAML? Do you happen to know a tool that defaults
> to loading files in unsafe mode?
>
> For ast.literal_eval, we'd still need to come up with a way to do
> sections, key:value mappings and define rules for comments.
>
> For completeness, I'll note that XML combines even more user unfriendly
> syntax than JSON with similar security risks to YAML.
>
> So with the trade-offs laid out like that (and particularly the
> inconsistent comment and Unicode handling in ConfigParser), I'm prompted to
> favour following Rust in adopting TOML.
>
> Cheers,
> Nick.
>
> P.S. I particularly like the idea of using extension sections to
> eventually consolidate other static config into a common file - that nicely
> addresses my concern with config file proliferation, since it opens the
> door to eventually subsuming other files like MANIFEST.in and setup.cfg as
> archiving and build systems are updated
>
> >
> > -n
> >
> > --
> > Nathaniel J. Smith -- https://vorpus.org
> > _______________________________________________
> > Distutils-SIG maillist  -  Distutils-SIG at python.org
> > https://mail.python.org/mailman/listinfo/distutils-sig
>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.orghttps://mail.python.org/mailman/listinfo/distutils-sig
>
>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20160508/8a0faa7b/attachment.html>

More information about the Distutils-SIG mailing list