[Distutils] comparison of configuration languages

Alex Grönholm alex.gronholm at nextday.fi
Sat May 7 19:05:54 EDT 2016


07.05.2016, 17:48, Nick Coghlan wrote:
>
>
> On 7 May 2016 13:00, "Nathaniel Smith" <njs at pobox.com> wrote:
> >
> > Here's that one-stop writeup/comparison of all the major configuration
> > languages that I mentioned:
> >
> > https://gist.github.com/njsmith/78f68204c5d969f8c8bc645ef77d4a8f
>
> Thanks for that, and "yikes" on the comment handling variations in 
> ConfigParser - you can tell I've never even tried to use end-of-line 
> comments in INI files, and apparently neither has anyone I've worked 
> with :)
>
> For YAML, my main concern isn't quirkiness of the syntax, or code 
> quality in PyYAML, it's the ease with which you can expose yourself to 
> security problems (even if *pip* loads the config file safely, that 
> doesn't mean every other tool will). Since we don't need the extra 
> power, the easiest way to reduce the collective attack surface is to 
> use a strictly less powerful (but still sufficient) format.
>
Sounds like a far-fetched hypothetical problem. You're concerned about 
the custom tags provided by PyYAML? Do you happen to know a tool that 
defaults to loading files in unsafe mode?
>
> For ast.literal_eval, we'd still need to come up with a way to do 
> sections, key:value mappings and define rules for comments.
>
> For completeness, I'll note that XML combines even more user 
> unfriendly syntax than JSON with similar security risks to YAML.
>
> So with the trade-offs laid out like that (and particularly the 
> inconsistent comment and Unicode handling in ConfigParser), I'm 
> prompted to favour following Rust in adopting TOML.
>
> Cheers,
> Nick.
>
> P.S. I particularly like the idea of using extension sections to 
> eventually consolidate other static config into a common file - that 
> nicely addresses my concern with config file proliferation, since it 
> opens the door to eventually subsuming other files like MANIFEST.in 
> and setup.cfg as archiving and build systems are updated.
>
> >
> > -n
> >
> > --
> > Nathaniel J. Smith -- https://vorpus.org
> > _______________________________________________
> > Distutils-SIG maillist  - Distutils-SIG at python.org
> > https://mail.python.org/mailman/listinfo/distutils-sig
>
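An added example, not part of this thread, that demonstrates on constructed snippets the two hazards Nick mentions: ConfigParser keeping an end-of-line comment as part of the value unless `inline_comment_prefixes` is set, and PyYAML's `safe_load` refusing a python-specific tag that the full loader would turn into a Python object. The YAML part reports `pyyaml-not-installed` instead of failing when PyYAML is absent.

```python
# Added example (not from the thread) on constructed config snippets.
import configparser
import importlib.util

# Constructed INI snippet with a full-line comment and an end-of-line comment.
INI_TEXT = """\
[metadata]
name = mypkg ; trailing comment, or part of the value?
# a full-line comment is always recognised
version = 1.0
"""


def ini_name(inline_comment_prefixes=None):
    """Parse INI_TEXT and return the 'name' value.

    With the default (inline_comment_prefixes=None) ConfigParser keeps
    '; trailing comment ...' as part of the value; only full-line comments
    are stripped. Passing (';', '#') makes end-of-line comments work the
    way most people expect.
    """
    parser = configparser.ConfigParser(inline_comment_prefixes=inline_comment_prefixes)
    parser.read_string(INI_TEXT)
    return parser["metadata"]["name"]


# Constructed YAML snippet using one of PyYAML's python-specific tags.
# The full loader constructs a Python tuple here, i.e. the document can
# instantiate Python objects; the safe loader only knows the core YAML types.
YAML_TEXT = """\
name: mypkg
requires: !!python/tuple [six, requests]
"""


def yaml_python_tag():
    """Load YAML_TEXT with yaml.safe_load and report the outcome.

    Returns 'rejected' when safe_load refuses the python-specific tag (the
    desired result), 'accepted' if it constructed the object, or
    'pyyaml-not-installed' when PyYAML is unavailable in this environment.
    """
    if importlib.util.find_spec("yaml") is None:
        return "pyyaml-not-installed"
    import yaml
    try:
        yaml.safe_load(YAML_TEXT)
    except yaml.YAMLError:  # ConstructorError is a YAMLError subclass
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(repr(ini_name()))            # 'mypkg ; trailing comment, or part of the value?'
    print(repr(ini_name((";", "#"))))  # 'mypkg'
    print(yaml_python_tag())
```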
