Why shouldn't you put config options in py files

2008-12-04 Thread HT
A colleague of mine is arguing that since it is easy to write config like:

FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}

in config.py and just import it to get FOO, but difficult to achieve the
same using an ini file and ConfigParser, and since Python files are just
text, we should just write the config options in the Python file and
import it.

I can think of lots of arguments why this is a bad idea, but I don't
seem to be able to think of a really convincing one.

Anyone?
--
http://mail.python.org/mailman/listinfo/python-list


Re: Why shouldn't you put config options in py files

2008-12-04 Thread Chris Rebert
On Thu, Dec 4, 2008 at 11:35 AM, HT [EMAIL PROTECTED] wrote:
> A colleague of mine is arguing that since it is easy to write config like:
>
> FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}

I'll assume you meant ('a', 'b') as colons in parens don't make sense.


> in config.py and just import it to get FOO, but difficult to achieve the
> same using an ini file and ConfigParser, and since Python files are just
> text, we should just write the config options in the Python file and
> import it.
>
> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.
>
> Anyone?

Well, it is pretty weird to be allowed to put arbitrary code in a mere
config file.
Have you considered using JSON for the config file format instead? It
shares Python's syntax for literals, so you could do:

$ cat config.json
{
"FOO": { "bar": ["a", "b"],
 "abc": ["z", "x"] }
}

Note that the whitespace doesn't matter.
Also, you can use Python's built-in `json` module to parse the file.

Cheers,
Chris

-- 
Follow the path of the Iguana...
http://rebertia.com



Re: Why shouldn't you put config options in py files

2008-12-04 Thread malkarouri
On 4 Dec, 19:35, HT [EMAIL PROTECTED] wrote:
> A colleague of mine is arguing that since it is easy to write config like:
>
> FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}
>
> in config.py and just import it to get FOO, but difficult to achieve the
> same using an ini file and ConfigParser, and since Python files are just
> text, we should just write the config options in the Python file and
> import it.
>
> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.
>
> Anyone?

Some people actually do that. IIRC, ipython is now configured using a
python module.
The idea, however, is dangerous from a security viewpoint. Because
anybody can edit his configuration .py file, you are in effect
injecting arbitrary code into your program. Think that your program
starts with raw_input() and then goes on to execute whatever you get.
Same problems with SQL injection for example.
So people prefer to have a much more controlled environment for
configuration. In particular, the idea of using json as Chris said
should become a best practice now we have the json module.

Regards,

Muhammad Alkarouri


Re: Why shouldn't you put config options in py files

2008-12-04 Thread HT
Chris Rebert wrote:
> On Thu, Dec 4, 2008 at 11:35 AM, HT [EMAIL PROTECTED] wrote:
> > FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}
>
> I'll assume you meant ('a', 'b') as colons in parens don't make sense.

Yes, sorry.

> Well, it is pretty weird to be allowed to put arbitrary code in a mere
> config file.

The end result is that we want to have that dictionary in that variable
(most of the config values would just be simple values or lists and this
dict is among the most complex), but it doesn't mean that the config
file would need to have arbitrary code. I can think of many ways to
achieve that (haven't actually tried writing the code to read these yet):

[my_foos]

bar = a, b
abc = z, x

or maybe

foo.bar= a, b
foo.abc= z, x

or something like that. You'd read the values with ConfigParser, then
process them to get the dictionary.

> Have you considered using JSON for the config file format instead? It
> shares Python's syntax for literals, so you could do:

No, hadn't thought of that. Might be doable, need to think about that
some more. Thanks.


Re: Why shouldn't you put config options in py files

2008-12-04 Thread rdmurray

On Thu, 4 Dec 2008 at 11:35, HT wrote:

> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.


I think it depends on the problem domain.  As someone else said, there
are issues with being able to inject arbitrary code via the config file.
In some applications, this would be a feature, in others it would be a
security hole.

Another angle to look at is the audience for the config file.  If they
are all going to be python programmers or python-familiar, great.
If not...think about the user reaction to the tracebacks resulting from
typos.  If you use a purpose-designed config file (whether it is based on
ConfigParser or not), you can more easily generate helpful error messages.

--RDM
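
The three options discussed so far in the thread, side by side: the [my_foos] ini layout read with ConfigParser, the JSON layout, and what loading a config.py amounts to. This is an added example written for Python 3, not code from anyone in the thread; the function names, the SIDE_EFFECTS hook and the sample inputs are constructed for illustration.

```python
import configparser
import json

# Constructed sample inputs for this example (not files from the thread).
INI_TEXT = "[my_foos]\nbar = a, b\nabc = z, x\n"
JSON_TEXT = '{"FOO": {"bar": ["a", "b"], "abc": ["z", "x"]}}'
# config.py-style text: loading it runs every statement, not only assignments.
PY_TEXT = "FOO = {'bar': ('a', 'b')}\nSIDE_EFFECTS.append('ran at load time')\n"


def foo_from_ini(text):
    """Build FOO from [my_foos]; every value stays an inert string."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("my_foos"):
        raise ValueError("config error: missing [my_foos] section")
    foo = {}
    for key, raw in parser.items("my_foos"):
        parts = tuple(part.strip() for part in raw.split(","))
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"config error: {key} = {raw!r}: expected 'x, y'")
        foo[key] = parts
    return foo


def foo_from_json(text):
    """Build FOO from JSON; json.loads returns plain data, never code."""
    data = json.loads(text)
    foo = data.get("FOO") if isinstance(data, dict) else None
    if not isinstance(foo, dict):
        raise ValueError("config error: top-level 'FOO' object is required")
    for key, value in foo.items():
        if not isinstance(value, list) or len(value) != 2:
            raise ValueError(f"config error: FOO.{key} must be a 2-item list")
    return {key: tuple(value) for key, value in foo.items()}


def foo_from_py(text):
    """What importing config.py amounts to: executing the file."""
    side_effects = []  # hypothetical hook so the example can observe execution
    namespace = {"SIDE_EFFECTS": side_effects}
    exec(text, namespace)  # the config author's statements run here
    return namespace["FOO"], side_effects


if __name__ == "__main__":
    print(foo_from_ini(INI_TEXT))
    print(foo_from_json(JSON_TEXT))
    print(foo_from_py(PY_TEXT))
```

With the ini and JSON loaders a typo produces a one-line "config error" message naming the offending key, and text that looks like code in a value is returned as a plain string.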


Re: Why shouldn't you put config options in py files

2008-12-04 Thread Bruno Desthuilliers

HT wrote:

> A colleague of mine is arguing that since it is easy to write config like:
>
> FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}
>
> in config.py and just import it to get FOO, but difficult to achieve the
> same using an ini file and ConfigParser, and since Python files are just
> text, we should just write the config options in the Python file and
> import it.
>
> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.
>
> Anyone?


Well... Depends on who is writing these config files and how they are
used. But at least one major Python software (namely Django) uses .py
setting files, and as a Python developer I'm grateful they do - this
greatly simplifies my job.



Re: Why shouldn't you put config options in py files

2008-12-04 Thread James Matthews
I am going to have to agree with your colleague. I use Django a lot and you
are editing config.py and urls.py which are all python code.

On Thu, Dec 4, 2008 at 10:30 PM, Bruno Desthuilliers 
[EMAIL PROTECTED] wrote:

> HT wrote:
>
> > A colleague of mine is arguing that since it is easy to write config like:
> >
> > FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}
> >
> > in config.py and just import it to get FOO, but difficult to achieve the
> > same using an ini file and ConfigParser, and since Python files are just
> > text, we should just write the config options in the Python file and
> > import it.
> >
> > I can think of lots of arguments why this is a bad idea, but I don't
> > seem to be able to think of a really convincing one.
> >
> > Anyone?
>
> Well... Depends on who is writing these config files and how they are used.
> But at least one major Python software (namely Django) uses .py setting
> files, and as a Python developer I'm grateful they do - this greatly
> simplifies my job.





-- 
http://www.astorandblack.com/

http://www.thewatcherys.com/