YAML parser should be part of the repository
suetanvil opened this issue · 1 comment
suetanvil commented
Currently, the build process retrieves the YAML parser from https://pyyaml.org at compile time. This means that a) a network connection is required when compiling, b) the user is vulnerable to attack if someone compromises pyyaml.org and c) this package will cease to work if pyyaml ever goes offline or reorganizes the website.
I suggest importing the unmodified YAML parser into the repository and building from that instead. I have submitted a pull request for this.
(I submitted the PR a couple of weeks ago without realizing that it's customary to first file an issue.)
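As an added example (not code from this issue, its pull request, or the project), here is one defensive check that pairs with vendoring the parser: the build verifies the in-tree archive against a SHA-256 digest committed beside it before using it, so a substituted or corrupted copy is rejected and no network access is needed at compile time. The archive name, digest-file layout and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


class VendoredArtifactError(Exception):
    """Vendored archive missing, mislabelled, or not matching its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_vendored(archive: Path, digest_file: Path) -> str:
    """Return the archive's SHA-256 if it matches the digest pinned beside it.
    Digest file format: "<hex digest>  <archive name>", as `sha256sum` writes;
    it changes only when the vendored copy is deliberately updated. No network.
    """
    if not archive.is_file():
        raise VendoredArtifactError(f"vendored archive missing: {archive}")
    if not digest_file.is_file():
        raise VendoredArtifactError(f"pinned digest missing: {digest_file}")
    expected, _, name = digest_file.read_text().strip().partition("  ")
    if name != archive.name:
        raise VendoredArtifactError(f"digest pins {name!r}, not {archive.name!r}")
    actual = sha256_hex(archive.read_bytes())
    if actual != expected.lower():
        raise VendoredArtifactError(f"{archive.name}: {actual} != pinned {expected}")
    return actual


def demo() -> tuple[bool, bool]:
    """Constructed scenario: the pinned archive passes, a tampered copy fails."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "pyyaml-vendored.tar.gz"  # hypothetical file name
        digest_file = Path(d) / "pyyaml-vendored.tar.gz.sha256"
        payload = b"constructed archive contents"
        archive.write_bytes(payload)
        digest_file.write_text(f"{sha256_hex(payload)}  {archive.name}\n")
        good = verify_vendored(archive, digest_file) == sha256_hex(payload)
        archive.write_bytes(payload + b", altered")  # simulate a tampered copy
        try:
            verify_vendored(archive, digest_file)
            tampered_detected = False
        except VendoredArtifactError:
            tampered_detected = True
    return good, tampered_detected
```

Calling `demo()` returns `(True, True)`: the pinned copy is accepted and the altered copy is refused before the build proceeds.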