Bug#880368: YAML::XS::Load expects utf8 octets, not perl's encoding; use slurp_raw

Andrej Shadura andrew.shadura at collabora.co.uk
Thu Dec 19 09:06:28 GMT 2019


On 15/12/2019 19:30, Dominique Dumont wrote:
> On Fri, 13 Dec 2019 14:23:46 +0100 Andrej Shadura 
> <andrew.shadura at collabora.co.uk> wrote:
>> As a temporary workaround, I patched the locally used version to use
>> YAML::XS, but as I see you won't accept this patch upstream. Is there a
>> solution that would satisfy both conditions of not having security
>> issues and supporting proper YAML?
> 
> YAML::XS security issues have been fixed upstream. Now 
> Config::Model::Backend::Yaml uses YAML::XS
> 
> That said, YAML input and output is used in several places in
> libconfig-model-dpkg-perl. I fail to see your use case which involves
> debian/copyright in YAML format.
> 
> Could you provide more details on your use case?

In Apertis, we use scan-copyrights to verify the licenses for updates
coming from Debian are under licenses we know we want, and that there
are no new files with unclear terms. For that, we ship a YAML file under
debian/apertis/ in the format of fill-copyright-blanks and a
gitignore-formatted whitelist file. We also tell scan-copyrights to scan
all files, not just whitelisted extensions. For this to work, we read
our own config files, the config files in the normal scan-copyrights
location, and parse debian/copyright to determine the license of
debian/, and then merge them so that scan-copyrights uses the merged
configuration.

However, I was unable to make pyyaml generate the YAML format that
YAML::Tiny is always able to read, and apparently ruamel (judging by the
code) has the same issue.

-- 
Cheers,
  Andrej
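The point in the bug title (YAML::XS::Load wants UTF-8 octets, so read the file with slurp_raw rather than a decoding slurp) can be shown with a small Perl script. This is an added example, not code from the thread or from Config::Model; it assumes Path::Tiny and YAML::XS are installed, and the sample document is constructed inline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;
use Encode qw(encode);
use Path::Tiny qw(tempfile);
use YAML::XS qw(Load Dump);

# Constructed sample document containing a non-ASCII character.
# The file on disk holds UTF-8 octets, which is what YAML::XS::Load expects.
my $yaml_bytes = encode('UTF-8', "name: Café\nversion: 1\n");
my $file = tempfile();
$file->spew_raw($yaml_bytes);

# Correct: slurp_raw hands Load the UTF-8 octets exactly as stored.
# YAML::XS returns decoded Perl character strings, so the comparison below
# is against the character literal enabled by 'use utf8'.
my $data = Load($file->slurp_raw);
print "raw read -> ", ($data->{name} eq 'Café' ? "matches" : "mismatch"), "\n";

# The pattern the bug report warns against: slurp_utf8 decodes the file into
# Perl characters before Load sees it, which is not the input Load is
# documented to take. Shown only for comparison; what Load makes of a
# character string depends on the YAML::XS version (assumption, not tested here).
my $chars = $file->slurp_utf8;
print "slurp_utf8 yields a character string: ",
      (utf8::is_utf8($chars) ? "yes" : "no"), "\n";

# Same rule on the way out: Dump returns UTF-8 octets, so write them raw
# instead of through a :utf8 layer, which would encode them a second time.
my $out = tempfile();
$out->spew_raw(Dump($data));
print $out->slurp_raw;
```

Reading and writing through the raw methods keeps the byte/character boundary in one place (YAML::XS itself), which is the behaviour the fix for this bug relies on.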
