[Python-ideas] PEP 426, YAML in the stdlib and implementation discovery

Vinay Sajip vinay_sajip at yahoo.co.uk
Fri May 31 23:40:33 CEST 2013


Philipp A. <flying-sheep at ...> writes:

> please read my post again: i specifically mention that issue and a
> possible solution. i’m just a little annoyed that you skipped that
> paragraph and attack a strawman now. but not too annoyed :)

I did read it, perhaps I should have been more clear. I didn't say the
security issue was a show-stopper, just tagged it as a possible problem
area. There are already yaml libraries out in the wild whose load() is the
unsafe version, and a user may not necessarily be able to control (or even
know) which yaml library is installed (e.g. distro package managers are
conservative about adopting recent versions of libs).

> i didn’t think of any, but i don’t think any available one would meet the
> proposed goals of a secure API (like i said in the paragraph you skipped) 

It's chicken and egg. IMO it doesn't make sense to even think about YAML in
the stdlib until there is a version outside the stdlib which has a
reasonable level of adoption and battle-tested status. This is how JSON
support came into the stdlib, for example.

At the moment PyYAML seems to be the most mature, but from what I can see on
its Trac, the most recent version (3.10 AFAIK) is still not ready.

Regards,

Vinay Sajip
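An added example, not part of this thread and not PyYAML's own code, of how a consumer can cope with the situation described above (an installed library whose load() is the unsafe variant): it refuses documents carrying language-specific tags before parsing and only ever calls safe_load. The helper names, the tag pattern and the sample documents are constructed for this example.

```python
import re

try:
    import yaml  # PyYAML is optional here; the tag check works without it
except ImportError:
    yaml = None

# "!!python/..." is the shorthand for tag:yaml.org,2002:python/ ; either
# spelling asks the loader to build arbitrary Python objects, which is what
# an unsafe load() will happily do.  The check is deliberately conservative:
# a tag inside a quoted scalar is flagged too.
UNSAFE_TAG = re.compile(r"(?<!\S)(?:!!python/|!<tag:yaml\.org,2002:python/)")


def find_unsafe_tags(text):
    """Return (line_number, tag) pairs for every language-specific tag found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in UNSAFE_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def loader_is_safe():
    """True only when a safe_load entry point exists; plain load() is never used."""
    return yaml is not None and hasattr(yaml, "safe_load")


def load_untrusted(text):
    """Parse YAML from an untrusted source, or raise instead of guessing."""
    hits = find_unsafe_tags(text)
    if hits:
        raise ValueError("refusing language-specific tags: %r" % (hits,))
    if not loader_is_safe():
        raise RuntimeError("no safe YAML loader available; not falling back to load()")
    return yaml.safe_load(text)


# Constructed sample documents: one plain mapping, one with a Python-only tag.
SAFE_DOC = "name: example\nretries: 3\n"
TAGGED_DOC = "name: example\nhook: !!python/tuple [1, 2]\n"

if __name__ == "__main__":
    print(find_unsafe_tags(TAGGED_DOC))  # [(2, '!!python/')]
    if loader_is_safe():
        print(load_untrusted(SAFE_DOC))
```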


