[Pkg-puppet-devel] Wheezy update of puppet?
Apollon Oikonomopoulos
apoikos at debian.org
Wed May 24 10:44:49 UTC 2017
Hi pabs,
On 18:30 Wed 24 May , Paul Wise wrote:
> On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:
>
> > In Python/Perl YAML libraries there are ways to safely load YAML
> > files, does Ruby not have the same possibilities?
>
> After a bit of searching, I wonder if copying the ruby-safe-yaml
> package from wheezy-backports to wheezy and then patching puppet to
> use that might be a good solution.
Just a couple of notes here:
- Wheezy's Puppet is running under Ruby 1.8, which uses the old Syck
  YAML library. Ruby 1.9.3 and onwards uses Psych, which indeed
  provides a safe_load method. In short, the YAML engine is something
  to be aware of.
- YAML safe loading depends on deserializing only known-safe types. We
  need to make sure that this will not break the application. In theory
  it shouldn't, as the facts in 2.x are plain strings.
Cheers,
Apollon
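
An added example, not part of the original message and not Puppet code: how Psych's safe_load treats a plain-string facts document versus documents carrying tagged objects, symbols or aliases. The helper names (load_facts, classify) and the sample documents are constructed for illustration, and the code assumes a Ruby whose Psych provides safe_load, so it does not apply as-is to Ruby 1.8 with Syck.

```ruby
require 'yaml'

# Hypothetical helper (not Puppet code): parse a facts document with
# Psych.safe_load and accept it only if it is a flat String => String map.
def load_facts(yaml_text)
  # With no extra arguments safe_load permits only core scalar types,
  # Array and Hash; custom classes, symbols and aliases are refused.
  data = Psych.safe_load(yaml_text)
  unless data.is_a?(Hash) && data.all? { |k, v| k.is_a?(String) && v.is_a?(String) }
    raise ArgumentError, 'facts must be a mapping of plain strings'
  end
  data
end

# Returns :ok, or a symbol naming why the document was refused.
def classify(yaml_text)
  load_facts(yaml_text)
  :ok
rescue Psych::DisallowedClass   # tagged Ruby object or symbol in the input
  :disallowed_type
rescue Psych::BadAlias          # anchors/aliases are off by default
  :alias_refused
rescue ArgumentError            # parsed safely, but not plain strings
  :not_plain_strings
end

# Constructed sample documents (not real Puppet fact files).
PLAIN = <<~YAML
  osfamily: "Debian"
  lsbdistcodename: "wheezy"
  rubyversion: "1.8.7"
YAML
TAGGED     = "--- !ruby/object:ExampleFacts\nvalues:\n  osfamily: \"Debian\"\n"
SYMBOL_KEY = ":osfamily: \"Debian\"\n"
ALIASED    = "a: &x \"1\"\nb: *x\n"
INTEGER    = "processorcount: 2\n"

if __FILE__ == $PROGRAM_NAME
  { 'plain' => PLAIN, 'tagged' => TAGGED, 'symbol key' => SYMBOL_KEY,
    'aliased' => ALIASED, 'integer' => INTEGER }.each do |name, doc|
    puts format('%-10s -> %s', name, classify(doc))
  end
end
```

The integer case is the compatibility check the message asks for: a safe loader still returns non-string scalars, so a consumer that expects plain strings has to verify that separately.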