Why shouldn't you put config options in py files

HT

A colleague of mine is arguing that since it is easy to write config like:

FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}

in config.py and just import it to get FOO, but difficult to achieve the
same using an ini file and ConfigParser, and since Python files are just
text, we should just write the config options in the Python file and
import it.

I can think of lots of arguments why this is a bad idea, but I don't
seem to be able to think of a really convincing one.

Anyone?
 
Chris Rebert

> A colleague of mine is arguing that since it is easy to write config like:
>
> FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}

I'll assume you meant ('a', 'b') as colons in parens don't make sense.

> in config.py and just import it to get FOO, but difficult to achieve the
> same using an ini file and ConfigParser, and since Python files are just
> text, we should just write the config options in the Python file and
> import it.
>
> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.
>
> Anyone?

Well, it is pretty weird to be allowed to put arbitrary code in a mere
config file.
Have you considered using JSON for the config file format instead? It
shares Python's syntax for literals, so you could do:

$ cat config.json
{
"FOO": { "bar": ["a", "b"],
"abc": ["z", "x"] }
}

Note that the whitespace doesn't matter.
Also, you can use Python's built-in `json` module to parse the file.

Cheers,
Chris
 
malkarouri

> A colleague of mine is arguing that since it is easy to write config like:
>
> FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}
>
> in config.py and just import it to get FOO, but difficult to achieve the
> same using an ini file and ConfigParser, and since Python files are just
> text, we should just write the config options in the Python file and
> import it.
>
> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.
>
> Anyone?

Some people actually do that. IIRC, ipython is now configured using a
python module.
The idea, however, is dangerous from a security viewpoint. Because
anybody can edit his configuration .py file, you are in effect
injecting arbitrary code into your program. Think that your program
starts with raw_input() and then goes on to execute whatever you get.
Same problems with SQL injection for example.
So people prefer to have a much more controlled environment for
configuration. In particular, the idea of using json as Chris said
should become a best practice now we have the json module.

Regards,

Muhammad Alkarouri
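
The difference described in the post above, as an added example that is not part of the original thread (Python 3). The config strings are constructed samples; the `EXECUTED.append(...)` line is a harmless stand-in for any statement someone editing the file could add, and the function names are hypothetical.

```python
import ast
import json

# Constructed sample: a "config" written as Python source. The second line
# stands in for any extra statement placed in the file.
PY_CONFIG = """\
FOO = {'bar': ('a', 'b'), 'abc': ('z', 'x')}
EXECUTED.append('code ran while loading config')
"""
JSON_CONFIG = '{"FOO": {"bar": ["a", "b"], "abc": ["z", "x"]}}'

def load_as_python(source):
    """Mimics `import config`: every statement in the file is executed."""
    executed = []
    namespace = {"EXECUTED": executed}
    exec(compile(source, "config.py", "exec"), namespace)
    return namespace["FOO"], executed

def load_as_json(text):
    """Data-only parse: the structure is validated, nothing is executed."""
    foo = json.loads(text).get("FOO")
    if not isinstance(foo, dict):
        raise ValueError("config: 'FOO' must be an object")
    for key, value in foo.items():
        if not (isinstance(value, list)
                and all(isinstance(item, str) for item in value)):
            raise ValueError(f"config: FOO[{key!r}] must be a list of strings")
    return {key: tuple(value) for key, value in foo.items()}

def load_python_literal(source):
    """Keep the Python syntax but accept only `NAME = <literal>` statements.

    The file is parsed, never run; any other statement is rejected.
    """
    result = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ValueError(
                f"config line {node.lineno}: only NAME = literal is allowed")
        # literal_eval raises ValueError for calls, names, attribute access...
        result[node.targets[0].id] = ast.literal_eval(node.value)
    return result
```

`load_python_literal` is a middle ground for teams that want to keep the dictionary syntax: it uses `ast.literal_eval`, which evaluates only literals and containers of literals.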
 
HT

Chris said:
> I'll assume you meant ('a', 'b') as colons in parens don't make sense.

Yes, sorry.

> Well, it is pretty weird to be allowed to put arbitrary code in a mere
> config file.

The end result is that we want to have that dictionary in that variable
(most of the config values would just be simple values or lists and this
dict is among the most complex), but it doesn't mean that the config
file would need to have arbitrary code. I can think of many ways to
achieve that (haven't actually tried writing the code to read these yet):

[my_foos]

bar = a, b
abc = z, x

or maybe

foo.bar= a, b
foo.abc= z, x

or something like that. You'd read the values with ConfigParser, then
process them to get the dictionary.
> Have you considered using JSON for the config file format instead? It
> shares Python's syntax for literals, so you could do:

No, hadn't thought of that. Might be doable, need to think about that
some more. Thanks.
 
rdmurray

> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.

I think it depends on the problem domain. As someone else said, there
are issues with being able to inject arbitrary code via the config file.
In some applications, this would be a feature, in others it would be a
security hole.

Another angle to look at is the audience for the config file. If they
are all going to be python programmers or python-familiar, great.
If not...think about the user reaction to the tracebacks resulting from
typos. If you use a purpose-designed config file (whether it is based on
ConfigParser or not), you can more easily generate helpful error messages.

--RDM
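
One way to read the `[my_foos]` layout from HT's reply with `configparser` and turn it into the dictionary, reporting typos as short messages instead of tracebacks as suggested in the post above. This is an added example, not code from the thread (Python 3); `SAMPLE_INI` is constructed, and `load_foos`, `ConfigError` and the file name `app.ini` are hypothetical.

```python
import configparser

# Constructed sample input using the [my_foos] layout from the thread.
SAMPLE_INI = """\
[my_foos]
bar = a, b
abc = z, x
"""

class ConfigError(Exception):
    """Carries a message written for the person editing the config file."""

def load_foos(text, section="my_foos"):
    """Return {'bar': ('a', 'b'), ...} built from one INI section."""
    # interpolation=None: values are plain data, '%' has no special meaning.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text, source="app.ini")
    except configparser.Error as exc:
        # Syntax problems become a one-line message, not a traceback.
        message = " ".join(str(exc).split())
        raise ConfigError(f"cannot parse config: {message}") from None
    if not parser.has_section(section):
        raise ConfigError(f"app.ini: missing section [{section}]")
    foo = {}
    for key, raw in parser.items(section):
        items = tuple(part.strip() for part in raw.split(","))
        if not all(items):
            raise ConfigError(
                f"app.ini: [{section}] {key} = {raw!r}: expected "
                "comma-separated values with no empty entries")
        foo[key] = items
    return foo

if __name__ == "__main__":
    try:
        print(load_foos(SAMPLE_INI))
    except ConfigError as err:
        raise SystemExit(f"configuration error: {err}")
```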
 
Bruno Desthuilliers

HT wrote:
> A colleague of mine is arguing that since it is easy to write config like:
>
> FOO = {'bar': ('a': 'b'), 'abc': ('z': 'x')}
>
> in config.py and just import it to get FOO, but difficult to achieve the
> same using an ini file and ConfigParser, and since Python files are just
> text, we should just write the config options in the Python file and
> import it.
>
> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.
>
> Anyone?

Well... Depends on who is writing these config files and how they are
used. But at least one major Python software (namely Django) uses .py
setting files, and as a Python developer I'm grateful they do - this
greatly simplifies my job.
 
