On Mon, Nov 10, 2003 at 05:42:03PM -0800, Terrence Brannon wrote:
> >Thinking more about this, I guess META.yml would need to provide a
> >little more info to a configure module. Would something like the
> >following work?
>
> It's probably too late, but I am not keen on YAML. What is wrong with
> pure Perl configuration information?

In a nutshell: eval()ing the Perl structure back in is a major security hole. Part of the point of META.yml is to avoid having to run any foreign code to figure out module meta information.

To review (maybe this should be in a FAQ somewhere).

Data::Dumper/Perl code - Insecure (you have to eval it). Perl specific.

Storable - Not human readable. Format changes slightly from version to version. Perl specific.

XML - Overkill. Ugly. Requires translation between Perl data model (hashes, lists, scalars) and XML's (trees). Difficult to read and write by humans.

YAML was chosen because it's human readable and writable, its data structures closely match those of Perl (i.e. scalars, hashes and arrays), it can be read without being eval'd, executable code cannot be hidden in it and, as a bonus, it's not Perl specific.

YAML's basic formatting is a structure we're already familiar with and tend to use when writing ad-hoc data structures (i.e. key: value). Indentation as structure we're already more than comfortable with (i.e. indented source code) so readers of YAML should have no problem. The less obvious features of YAML shouldn't be necessary for most META.yml files.

Because YAML's data model closely matches that of Perl, writers of META.yml simply need to construct a mirroring Perl structure and let YAML dump it out. It's the closest thing to "Data::Dumper evaling" available.

-- 
Michael G Schwern schwern@pobox.com http://www.pobox.com/~schwern/
I'll tell you what beats voodoo every time, a big ass knife.
    -- "Overkill" Battlebot driver
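
The difference described in the message above, as an added example that is not part of the original post: the same constructed metadata is loaded once as YAML and once by eval()ing a Data::Dumper-style structure, and a flag records whether loading ran any code. The module CPAN::Meta::YAML (core since Perl 5.14), the sample metadata and all variable and function names are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CPAN::Meta::YAML;    # assumption: core YAML reader, parses without eval

# Flag that the constructed metadata below tries to set while being loaded.
our $ran_foreign_code = 0;

# Constructed sample: metadata in Data::Dumper style. The "version" value is
# a do-block, so loading the structure runs code chosen by whoever wrote it.
my $dumper_meta = <<'END';
$VAR1 = {
    name    => 'Foo-Bar',
    version => do { $main::ran_foreign_code = 1; '1.00' },
};
END

# Constructed sample: the same text placed in a YAML value.
my $yaml_meta = <<'END';
---
name: Foo-Bar
version: "do { $main::ran_foreign_code = 1; '1.00' }"
END

# Reading the Perl form requires string eval, which executes the do-block.
sub load_perl_meta {
    my ($text) = @_;
    my $VAR1;
    my $data = eval $text;
    die "eval failed: $@" if $@;
    return $data;
}

# Reading the YAML form is pure parsing: the value comes back as a string.
sub load_yaml_meta {
    my ($text) = @_;
    my $docs = CPAN::Meta::YAML->read_string($text)
        or die "YAML parse failed\n";
    return $docs->[0];
}

my $yaml = load_yaml_meta($yaml_meta);
print "YAML version field: $yaml->{version}\n";
print "flag after YAML load: $ran_foreign_code\n";

my $perl = load_perl_meta($dumper_meta);
print "Perl version field: $perl->{version}\n";
print "flag after eval: $ran_foreign_code\n";
```

The flag stays 0 after the YAML load and becomes 1 after the eval, even though the caller only asked for the metadata.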