Replaced usages of yaml.load with yaml.full_load (!16) · Merge requests · portmod / Portmod

Benjamin Winger requested to merge bmwinger/portmod:yaml_load into master Apr 29, 2019

yaml.load has been deprecated, and Gentoo has disabled it, so to both ensure that this neither comes up again due to the deprecation, and actually make Portmod work again on my Gentoo machines, I've replaced calls to yaml.load with yaml.full_load, noting that yaml.safe_load (last I checked) doesn't support objects such as the person! and group! objects we define in the metadata files. This should be fine as we aren't loading yaml from untrusted sources anyway, and yaml.full_load just disables arbitrary code execution.

See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

Note that this does update the Pyyaml requirement to version 5.1 or greater. According to repology this hasn't been super widely adopted yet (currently 15/34), but it probably will be soon.

Edited Apr 29, 2019 by Benjamin Winger

Replaced usages of yaml.load with yaml.full_load

Merge request reports