
Re: [Module::Build] Re: How to indicate a dependency in my module

Michael G Schwern
November 11, 2003 02:16
On Mon, Nov 10, 2003 at 05:42:03PM -0800, Terrence Brannon wrote:
> >Thinking more about this, I guess META.yml would need to provide a 
> >little more info to a configure module. Would something like the 
> >following work?
> It's probably too late, but I am not keen on YAML. What is wrong with 
> pure Perl configuration information? 

In a nutshell: eval()ing the Perl structure back in is a major security hole.
Part of the point of META.yml is to avoid having to run any foreign code to
figure out module meta information.

To review (maybe this should be in a FAQ somewhere).

Data::Dumper/Perl code - Insecure (you have to eval it).  Perl specific.
Storable     - Not human readable.  Format changes slightly from version to
               version.  Perl specific.
XML          - Overkill.  Ugly.  Requires translation between Perl data
               model (hashes, lists, scalars) and XML's (trees).
               Difficult to read and write by humans.

YAML was chosen because it's human readable and writable, its data
structures closely match those of Perl (i.e. scalars, hashes and arrays),
it can be read without being eval'd, executable code cannot be hidden in
it and, as a bonus, it's not Perl specific.

YAML's basic formatting is a structure we're already familiar with and tend
to use when writing ad-hoc data structures (i.e. key: value).
Indentation as structure is something we're already more than comfortable
with (i.e. indented source code), so readers of YAML should have no problem.
The less obvious features of YAML shouldn't be necessary for most META.yml files.

Because YAML's data model closely matches that of Perl, writers of META.yml
simply need to construct a mirroring Perl structure and let YAML dump it
out.  It's the closest thing to "Data::Dumper eval'ing" available.

Michael G Schwern
I'll tell you what beats voodoo every time, a big ass knife.
	-- "Overkill" Battlebot driver
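An added example (not part of Schwern's message, nor code from Module::Build) showing the difference the message describes: a Data::Dumper file can only come back via eval(), which runs whatever Perl it contains, whereas a YAML file is parsed and its values stay plain data. It uses the core Data::Dumper and CPAN::Meta::YAML modules; the META-like structure, the two tampered files and the $side_effect flag are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use CPAN::Meta::YAML;   # core since Perl 5.14; it parses YAML, it never evals

# Constructed META-like structure standing in for a module's metadata.
my %meta = (
    name     => 'Foo-Bar',
    version  => '0.01',
    requires => { 'Test::More' => '0.47' },
);

# 1. Data::Dumper round trip: the only way back is eval(), and eval runs
#    whatever Perl the text contains, not just data.
my $dumped = Dumper(\%meta);        # produces "$VAR1 = { ... };"
my $VAR1;
eval $dumped or die "eval failed: $@";
my $from_dump = $VAR1;
print "name from Dumper/eval: $from_dump->{name}\n";

# A tampered Dumper-style file (constructed): it still looks like a hash of
# strings, but one value is a do-block that runs the moment it is eval'd.
our $side_effect = 0;
my $tampered_perl = q{
    $VAR1 = {
        'name'    => do { $main::side_effect = 1; 'Foo-Bar' },
        'version' => '0.01',
    };
};
eval $tampered_perl or die "eval failed: $@";
print "after eval of tampered file: side_effect=$side_effect\n";

# 2. YAML round trip: parsed, not executed.  The same text placed in a YAML
#    value is only ever a string, so nothing can be hidden in it.
my $yaml_text = CPAN::Meta::YAML->new(\%meta)->write_string;
my $from_yaml = CPAN::Meta::YAML->read_string($yaml_text)->[0];
print "name from YAML: $from_yaml->{name}\n";

$side_effect = 0;
my $tampered_yaml = <<'END';
---
name: do { $main::side_effect = 1; 'Foo-Bar' }
version: 0.01
END
my $parsed = CPAN::Meta::YAML->read_string($tampered_yaml)->[0];
print "after parse of tampered YAML: side_effect=$side_effect\n";
print "name is literal text: $parsed->{name}\n";
```

The flag stays 0 after the YAML parse and the name field comes back as the literal text of the do-block, which is the "executable code cannot be hidden in it" property the message relies on.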
