Why is it a bad idea to write configuration data in code?

Question

Real-life case (from caff) to exemplify the short question subject:

$CONFIG{'owner'} = q{Peter Palfrader};
$CONFIG{'email'} = q{[email protected]};
$CONFIG{'keyid'} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];
$CONFIG{'keyserver'} = 'wwwkeys.de.pgp.net';
$CONFIG{'mailer-send'} = [ 'testfile' ];

Then in the code: eval `cat $config`, access %CONFIG

---

Provide answers that lay out the general problems, not only specific to the example.

Answer 1

There are many reasons to avoid configuration in code, and I go through some of them in the configuration chapter in Mastering Perl.

• No configuration change should carry the risk of breaking the program. It certainly shouldn't carry the risk of breaking the compilation stage.
• People shouldn't have to edit the source to get a different configuration.
• People should be able to share the same application without using a common group of settings, instead re-installing the application just to change the configuration.
• People should be allowed to create several different configurations and run them in batches without having to edit the source.
• You should be able to test your application under different settings without changing the code.
• People shouldn't have to learn how to program to be able to use your tool.
• You should only loosely tie your configuration data structures to the source of the information to make later architectural changes easier.
• You really want an interface instead of direct access at the application level.

I sum this up in my Mastering Perl class by telling people that the first rule of programming is to create a situation where you do less work and people leave you alone. When you put configuration in code, you spend more time dealing with installation issues and responding to breakages. Unless you like that sort of thing, give people a way to change the settings without causing you more work.

Answer 2

$CONFIG{'unhappy_employee'} = `rm -rf /` 

Answer 3

One major issue with this approach is that your config is not very portable. If a functionally identical tool were built in Java, loading configuration would have to be redone. If both the Perl and the Java variation used a simple key=value layout such as:

owner = "Peter Palfrader"
email = "peter@[email protected]"
...

they could share the config.

Also, calling eval on the config file seems to open this system up to attack. What could a malicious person add to this config file if they wanted to wreak some havoc? Do you realize that ANY arbitrary code in your config file will be executed?

Another issue is that it's highly counter-intuitive (at least to me). I would expect a config file to be read by some config loader, not executed as a runnable piece of code. This isn't so serious but could confuse new developers who aren't used to it.

Finally, while it's highly unlikely that the implementation of constructs like p{...} will ever change, if they did change, this might fail to continue to function.

Answer 4

It's a bad idea to put configuration data in compiled code, because it can't be easily changed by the user. For scripts, just make sure it's separated entirely from the rest and document it nicely.

Answer 5

A reason I'm surprised no one mentioned yet is testing. When config is in the code you have to write crazy, contorted tests to be able to test safely. You can end up writing tests that duplicate the code they test which makes the tests nearly useless; mostly just testing themselves, likely to drift, and difficult to maintain.

Hand in hand with testing is deployment which was mentioned. When something is easy to test, it is going to be easy (well, easier) to deploy.

Answer 6

The main issue here is reusability in an environment where multiple languages are possible. If your config file is in language A, then you want to share this configuration with language B, you will have to do some rewriting.

This is even more complicated if you have more complex configurations (example the apache config files) and are trying to figure out how to handle potential differences in data structures. If you use something like JSON, YAML, etc., parsers in the language will be aware of how to map things with regards to the data structures of the language.

The one major drawback of not having them in a language, is that you lose the potential of utilizing setting config values to dynamic data.

Answer 7

I agree with Tim Anderson. Somebody here confuses configuration in code as configuration not being configurable. This is corrected for compiled code.

Both a perl or ruby file is read and interpreted, as is a yml file or xml file with configuration data. I choose yml because it is easier on the eye than in code, as grouping by test environment, development, staging and production, which in code would involve more .. code.

As a side note, XML contradicts the "easy on the eye" completely. I find it interesting that XML config is extensively used with compiled languages.