Most Pythonic way to store (small) configuration

Ben Finney ben+python at benfinney.id.au
Tue Aug 4 15:59:12 EDT 2015


marco.nawijn at colosso.nl writes:

> Why not use Python files itself as configuration files?

Because configuration data will be user-editable. (If it's not
user-editable, that is itself a poor design choice.)

If you allow executable code to be user-edited, that opens your program
to arbitrary injection of executable code. Your program becomes wide
open for security exploits, whether through malicious or accidental
bugs, and simple human error can lead to arbitrary-scope damage to the
user's system.

On another dimension, configuration files specifying the behaviour of
the system are much more useful if their format is easily parsed and
re-worked by tools the user chooses.

Your program should not be the only tool (and Python should not be the
only language) that can read and/or write the configuration data with
straightforward data manipulation.

So a complex full-blown programming language like Python is a poor
choice for configuration data for that reason, too.

Much better to choose a tightly-defined, limited-scope configuration
data format that you can be confident any user cannot employ to run
arbitrary code.

-- 
 \     “For myself, I am an optimist — it does not seem to be much use |
  `\              being anything else.” —Winston Churchill, 1954-11-09 |
_o__)                                                                  |
Ben Finney
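The contrast the post draws, shown as runnable code. This is an added example, not code from the thread or from any of its participants. It loads the same three settings once as a Python source file, once as INI text and once as JSON; the config texts, the `SIDE_EFFECTS` list used to detect execution and the `config.example.invalid` hostname are all constructed for the demonstration. The `strict_server_config` loader is one way to realise the "tightly-defined, limited-scope" format the post recommends: it accepts only known keys and converts each to its expected type.

```python
"""Why a Python file makes a poor user-editable config file.

Added example, not code from the thread. The three config texts below
are constructed for the demonstration; the hostname is a placeholder.
"""
import configparser
import json

# Records whether any statement inside a "config file" actually ran.
SIDE_EFFECTS = []

# Constructed config written as Python source. The last line is a
# statement; here it only appends to a list, but exec() would run any
# statement the interpreter accepts, with the program's privileges.
PY_CONFIG = """
timeout = 30
hostname = "config.example.invalid"
SIDE_EFFECTS.append("statement from config file ran")
"""

# The same settings in INI form. The same Python text appears as a value,
# where it is nothing more than a string.
INI_CONFIG = """
[server]
timeout = 30
hostname = config.example.invalid
on_start = SIDE_EFFECTS.append("statement from config file ran")
"""

# And in JSON: again the text is inert data.
JSON_CONFIG = json.dumps({
    "timeout": 30,
    "hostname": "config.example.invalid",
    "on_start": 'SIDE_EFFECTS.append("statement from config file ran")',
})

# The only keys the program knows about (constructed schema).
ALLOWED_SERVER_KEYS = {"timeout", "hostname"}


def load_config_as_python(source):
    """The pattern the thread warns against: the config file *is* code.

    Every statement runs before the caller can inspect it, so the loader
    cannot restrict what an edited file does.
    """
    namespace = {"SIDE_EFFECTS": SIDE_EFFECTS}
    exec(source, namespace)  # deliberately unsafe, for contrast only
    return {k: v for k, v in namespace.items()
            if not k.startswith("__") and k != "SIDE_EFFECTS"}


def load_config_as_ini(source):
    """Data-only format: configparser parses text, it never evaluates it.

    Interpolation is disabled so even '%(name)s' references stay plain text.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(source)
    return {name: dict(parser[name]) for name in parser.sections()}


def load_config_as_json(source):
    """Another data-only format; json.loads builds objects, never code."""
    data = json.loads(source)
    if not isinstance(data, dict):
        raise ValueError("top-level config must be a JSON object")
    return data


def strict_server_config(source):
    """Tightly-defined schema on top of the INI loader.

    Only the keys the program knows are accepted and each is converted
    to its expected type, so a stray or misspelled entry is an error
    rather than silently ignored.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(source)
    if parser.sections() != ["server"]:
        raise ValueError("config must contain exactly one [server] section")
    unknown = set(parser["server"]) - ALLOWED_SERVER_KEYS
    if unknown:
        raise ValueError("unknown keys in [server]: %s" % sorted(unknown))
    return {
        "timeout": parser["server"].getint("timeout"),
        "hostname": parser["server"]["hostname"],
    }


if __name__ == "__main__":
    print(load_config_as_python(PY_CONFIG), SIDE_EFFECTS)
    print(load_config_as_ini(INI_CONFIG), SIDE_EFFECTS)
    print(load_config_as_json(JSON_CONFIG), SIDE_EFFECTS)
```

Running it shows `SIDE_EFFECTS` gaining an entry only from the Python loader; the INI and JSON loaders hand back the identical text as a string value and leave the list untouched. The strict loader additionally rejects the INI text because `on_start` is not a key the program defines.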



