[Python-ideas] PEP 426, YAML in the stdlib and implementation discovery

Vinay Sajip vinay_sajip at yahoo.co.uk
Fri May 31 19:49:10 CEST 2013


Philipp A. <flying-sheep at ...> writes:

> Hi, reading PEP 426, I made a connection to a (IMHO) longstanding issue:
> YAML not being in the stdlib.

There have been security issues with YAML (which bit the Rails community not
so long ago) because it allows the construction of arbitrary objects. So it
may be that YAML is not the best format for scenarios where tools read YAML
from untrusted sources.

The PEP defines the metadata format as a Python dictionary - the serialising
of metadata to a specific file format seems a secondary consideration. It's
quite possible that some of the packaging tools that use the new metadata
will support different serialisation mechanisms, perhaps including YAML, but
ISTM that having YAML in the stdlib is orthogonal to the PEP.

Do you have a specific YAML implementation in mind? I thought that the
front-runner was PyYAML, but in my initial experiments with PyYAML and
packaging metadata, I found bugs in the implementation (which I have
reported on the PyYAML tracker) which made me switch to JSON.

Regards,

Vinay Sajip
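The point above, that a YAML loader can construct arbitrary objects while JSON yields only plain data, as an added example that is not part of the original post. It loads PEP 426-style metadata with the stdlib `json` module (or PyYAML's `safe_load` when PyYAML happens to be installed), then runs a plain-data check that rejects anything an unrestricted loader could have constructed; the required keys `metadata_version`, `name` and `version` are a minimal assumption about the metadata dict, not the PEP's full schema.

```python
import json

try:
    import yaml  # PyYAML is optional here; only its safe loader is ever used
except ImportError:
    yaml = None

# The only types plain metadata may contain; anything else means a loader
# constructed an object from the document, which untrusted input must not do.
PLAIN_TYPES = (dict, list, str, int, float, bool, type(None))

# Assumed minimal required keys for this example, not the PEP's full schema.
REQUIRED_KEYS = ("metadata_version", "name", "version")


class UntrustedMetadataError(ValueError):
    """Raised when a metadata document contains non-plain data or lacks required keys."""


def check_plain(obj, path="$"):
    """Walk a parsed document and refuse any value that is not plain data."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if not isinstance(key, str):
                raise UntrustedMetadataError(f"{path}: non-string key {key!r}")
            check_plain(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            check_plain(value, f"{path}[{index}]")
    elif not isinstance(obj, PLAIN_TYPES):
        raise UntrustedMetadataError(f"{path}: unexpected {type(obj).__name__}")


def load_metadata(text, fmt="json"):
    """Parse untrusted metadata text into a dict of plain data, or raise."""
    if fmt == "json":
        data = json.loads(text)
    elif fmt == "yaml":
        if yaml is None:
            raise RuntimeError("PyYAML is not installed")
        data = yaml.safe_load(text)  # never yaml.load() on untrusted input
    else:
        raise ValueError(f"unsupported format {fmt!r}")
    if not isinstance(data, dict):
        raise UntrustedMetadataError("top-level value must be a mapping")
    check_plain(data)  # defence in depth, even when the loader is already safe
    for key in REQUIRED_KEYS:
        if key not in data:
            raise UntrustedMetadataError(f"missing required key {key!r}")
    return data
```

`check_plain` is worth keeping even after a safe loader, because it also catches objects introduced later by hooks such as `json.loads(..., object_hook=...)` or a tool's own custom loader.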
