
[securedrop-proxy] Drop PyYAML dependency somehow #1684

Closed
legoktm opened this issue Jan 31, 2023 · 2 comments · Fixed by #1718

@legoktm
Member

legoktm commented Jan 31, 2023

PyYAML has a history of security issues, and is written in C/Cython, which comes with its own issues. It also adds extra maintenance work since it's two compiled dependencies that need to be rebuilt for newer Python versions.

Given that we only use it to parse the config file generated by us (in securedrop-workstation), I think we should consider TOML (in the standard library as of 3.11) or JSON.

@eaon also tells me that the long-term goal is to use QubesDB for this kind of configuration, which would also let us get rid of PyYAML.
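The security point behind the comment above is that a general-purpose YAML loader can construct arbitrary objects from tagged input, whereas the standard-library TOML and JSON parsers only ever produce plain data, so the remaining job is validating that data against a fixed schema. The following is an added illustration written for this page, not code from securedrop-proxy or from the issue author; the config keys (host, scheme, port, timeout), the schema and the sample inputs are all assumptions chosen for the example.

```python
"""Load a proxy-style config with a standard-library parser (tomllib or json)
and validate it against a fixed, allowlisted schema.

Neither parser can instantiate Python objects from the input, which removes
the class of bug that made PyYAML's full loader dangerous; the schema check
then rejects anything the application did not expect. Illustrative example,
not the securedrop-proxy implementation.
"""
import json
import sys

# Hypothetical schema for illustration only: the real config keys are not
# taken from the issue.
SCHEMA = {
    "host": str,
    "scheme": str,
    "port": int,
    "timeout": int,
}
ALLOWED_SCHEMES = {"http", "https"}


class ConfigError(ValueError):
    """Raised for any structural or value problem in the config."""


def toml_available():
    """tomllib entered the standard library in Python 3.11."""
    return sys.version_info >= (3, 11)


def parse(text, fmt):
    """Parse text as JSON or TOML into plain dicts/lists/scalars only."""
    if fmt == "json":
        data = json.loads(text)
    elif fmt == "toml":
        import tomllib  # stdlib as of 3.11; no object construction possible
        data = tomllib.loads(text)
    else:
        raise ConfigError("unsupported format: %s" % fmt)
    if not isinstance(data, dict):
        raise ConfigError("top level must be a table/object")
    return data


def validate(data):
    """Reject unknown keys, missing keys, wrong types and out-of-range values."""
    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise ConfigError("unknown keys: %s" % sorted(unknown))
    missing = set(SCHEMA) - set(data)
    if missing:
        raise ConfigError("missing keys: %s" % sorted(missing))
    for key, typ in SCHEMA.items():
        val = data[key]
        # bool is a subclass of int in Python; do not let `port = true` through
        if isinstance(val, bool) or not isinstance(val, typ):
            raise ConfigError("%s: expected %s, got %s"
                              % (key, typ.__name__, type(val).__name__))
    if data["scheme"] not in ALLOWED_SCHEMES:
        raise ConfigError("scheme must be one of %s" % sorted(ALLOWED_SCHEMES))
    if not 1 <= data["port"] <= 65535:
        raise ConfigError("port out of range")
    if data["timeout"] <= 0:
        raise ConfigError("timeout must be positive")
    return data


def load_config(text, fmt):
    """Parse then validate; returns a plain dict with exactly the schema keys."""
    return validate(parse(text, fmt))


def rejects(text, fmt):
    """True if load_config refuses the input (used to exercise the checks)."""
    try:
        load_config(text, fmt)
    except ConfigError:
        return True
    return False


# Constructed sample inputs (not real securedrop-workstation config files).
GOOD_JSON = '{"host": "127.0.0.1", "scheme": "http", "port": 8080, "timeout": 10}'
GOOD_TOML = 'host = "127.0.0.1"\nscheme = "http"\nport = 8080\ntimeout = 10\n'
# A YAML-style object tag is inert text to tomllib: it stays a string value.
TAGGED_TOML = ('host = "!!python/object/apply:os.system"\n'
               'scheme = "http"\nport = 8080\ntimeout = 10\n')

if __name__ == "__main__":
    print(load_config(GOOD_JSON, "json"))
    if toml_available():
        print(load_config(TAGGED_TOML, "toml")["host"])  # the literal tag string
    print(rejects('{"host": "h", "scheme": "http", "port": "8080", "timeout": 1}', "json"))
```

The allowlist direction matters: the validator enumerates what a config may contain rather than what it may not, so a key that exists in a future PyYAML-era file (or that an attacker adds) is refused instead of silently carried along.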

@rocodes
Contributor

rocodes commented Feb 1, 2023

For a "get it done this week" change, TOML; for a "get it done this quarter" change (guesstimate based on our other competing priorities, it's not that it's a ton of work), the key-value/qubesdb changes are definitely of interest to the rest of the project and it would be a great chance to use them here.

I'll take cues from you on how urgently you think this change should be made (and also curious if you think it warrants a bigger cross-project issue/epic since we use pyyaml lots of places).

@legoktm
Member Author

legoktm commented Feb 1, 2023

Not urgent, we've lived with PyYAML for long enough that continuing to live with it is fine (in theory we've done all the work we need for bookworm support pending the other PR review, so it's not going to add work unless we need to bump versions). Getting rid of it via the QubesDB way sounds good to me. Definitely before we switch to bookworm, whenever that is.

(and also curious if you think it warrants a bigger cross-project issue/epic since we use pyyaml lots of places)

This is the only SDW component that uses it AFAICT, but in other places I think we're stuck with it because of stuff like ansible and salt, which use it. If there are places that are only using it for data/config controlled by us, then yeah, I would also like to clean that up :)

@zenmonkeykstop zenmonkeykstop changed the title Drop PyYAML dependency somehow [securedrop-proxy] Drop PyYAML dependency somehow Dec 13, 2023
@zenmonkeykstop zenmonkeykstop transferred this issue from freedomofpress/securedrop-proxy Dec 13, 2023
@legoktm legoktm moved this to In Progress in SecureDrop dev cycle May 2, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in SecureDrop dev cycle May 17, 2024