
Clarify the relation with pyyaml #22

Closed
cknoll opened this issue Oct 3, 2020 · 1 comment


cknoll commented Oct 3, 2020

The README.md or some other docs should make it more obvious whether this is a fork of https://pyyaml.org/wiki/PyYAML (repo) and in which aspects it differs from it. This seems relevant due to

wimglenn (Owner) commented Oct 4, 2020

This is not a fork of PyYAML, it's a monkeypatch. It does not address any security vulnerabilities - if you're deserializing untrusted input, you should use the SafeLoader in oyaml just the same as you should in PyYAML.

Previous versions of PyYAML didn't preserve ordering on load; oyaml would patch that. If the version of PyYAML installed preserves ordering, then using oyaml is unnecessary to patch loaders. In this case, the only aspect that differs would be the behavior for dumping. PyYAML sorts keys. collections.OrderedDict instances are dumped differently: oyaml will just represent them as normal maps, whereas yaml will either represent them as python objects (yaml.dump) or refuse to serialise them at all (yaml.safe_dump), raising a RepresenterError.

Note that even the most current PyYAML release (5.3.x) will sort keys by default:

>>> yaml.dump({"b":1, "a": 2})
'a: 2\nb: 1\n'

Since PyYAML 5.1 (2019), the sorting can be disabled by passing sort_keys=False, but older versions of PyYAML don't support that option. So, some users may still want to choose oyaml as a dependency if their code should be cross-compatible regardless of the underlying PyYAML installation.
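An added example (not code from the oyaml project or from the comment above) that reproduces the behaviours described: yaml.dump sorting keys, sort_keys=False, how yaml.dump and yaml.safe_dump treat collections.OrderedDict, and that the safe loader rejects the resulting python/object tag. It assumes PyYAML >= 5.1 is installed; OrderedSafeDumper is an illustrative way to emit an OrderedDict as a plain map and is not oyaml's implementation.

```python
from collections import OrderedDict

import yaml
from yaml.constructor import ConstructorError
from yaml.representer import RepresenterError

# Constructed sample input: insertion order is b, then a.
SAMPLE = OrderedDict([("b", 1), ("a", 2)])

def key_order(text):
    """Parse a YAML mapping with the safe loader and return its key order."""
    return list(yaml.safe_load(text).keys())

def dump_default(data):
    """yaml.dump sorts mapping keys by default, even in current releases."""
    return yaml.dump(dict(data))

def dump_unsorted(data):
    """Since PyYAML 5.1, sort_keys=False keeps insertion order instead."""
    return yaml.dump(dict(data), sort_keys=False)

def dump_ordered_full(od):
    """yaml.dump emits an OrderedDict as a !!python/object/apply tag, not a map."""
    return yaml.dump(od)

def dump_ordered_safe(od):
    """yaml.safe_dump refuses an OrderedDict; return the error text instead."""
    try:
        return yaml.safe_dump(od)
    except RepresenterError as exc:
        return f"RepresenterError: {exc}"

def safe_load_rejects(text):
    """True if the safe loader refuses the document (e.g. a python/object tag)."""
    try:
        yaml.safe_load(text)
    except ConstructorError:
        return True
    return False

class OrderedSafeDumper(yaml.SafeDumper):
    """Illustrative (assumed) dumper: represent OrderedDict as a plain map."""

OrderedSafeDumper.add_representer(OrderedDict, yaml.SafeDumper.represent_dict)

def dump_ordered_plain(od):
    """Safe-dump an OrderedDict as an ordinary map with insertion order kept."""
    return yaml.dump(od, Dumper=OrderedSafeDumper, sort_keys=False)
```

Feeding dump_ordered_full's output back into safe_load shows why the full dumper's output is not a substitute for safe serialisation: the safe loader rejects the python/object tag outright.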

wimglenn closed this as completed Oct 4, 2020