Closed j3mdamas closed 1 year ago
miketheman
commented
1 year ago Looks like a docutils feature request: https://sourceforge.net/p/docutils/feature-requests/24/
Can you share what kind of use case specifically you see would be served by this change?
j3mdamas
commented
1 year ago Oh, I missed that feature request.
I'm trying to support a single README.rst file that renders both on a GitHub/GitLab repository and also serve has metadata readme for packaging. I'd like to support a maintainers file (e.g., maintainters.txt) that be both used as dynamic metadata for packaging and rendered in the README file, serving as single source for both cases.
miketheman
commented
1 year ago Our choice is historical in nature, with little context other than supplied in the comment. 🤞 @dstufft recalls, but I wouldn't bank on it. Looks like this thread has similar concerns.
If the upstream docutils figures out a good way of handling the security concern, like that feature request proposes, I'd be very open to revisiting!
j3mdamas
commented
1 year ago Thanks for considering it. My current idea is to create a tool that renders includes at package build time, so that the sources have the includes, but the metadata uploaded has includes already rendered. Maybe too much work to keep it DRY, but I'll give it a try.
If the reasoning being the security issues, specifically with include directive, is what is described on here, couldn't there be a work-around for ensuring the path of the files included are only from the working directory (not from anywhere in the server)?
Or would the solution be some backend tool for "package creation time" that would render the include directives only into a new .rst file that would be on the metadata?
Just trying to follow DRY