
On Thursday 21 Feb 2013, Devin Jeanpierre wrote:
> On Thu, Feb 21, 2013 at 10:50 AM, Dustin J. Mitchell <dustin@v.igoro.us> wrote:
>> When you put something in the stdlib and call it "safe", even with caveats, people will make even more brazen mistakes than with a documented-unsafe tool like pickle.
>
> Then how do we improve on the status quo? The best situation can't possibly be one in which the standard serialization tool allows for code injection exploits out of the box, by default, and where there is no reasonable alternative in the stdlib without such problems.
By writing your application for its needs, not the needs of 10000 programs yet to be written and making the wrong assumption and putting it in a stdlib. If every problem could be solved with a stdlib call, there'd only have to be one programmer in the world...
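The thread above contrasts pickle, which resolves arbitrary module globals while loading, with the absence of a "safe" loader in the stdlib. The following is an added example, not code from anyone in the thread: it applies the allow-list approach the pickle module documentation describes, overriding `Unpickler.find_class` so that a stream can only resolve a handful of named builtins. The `SAFE_BUILTINS` set, the helper names, and the two sample streams are this example's own assumptions; the forbidden stream merely references the builtin `len` (harmless to resolve) to show the refusal path without any payload.

```python
import builtins
import io
import pickle

# Only these builtins may be referenced by name from inside a pickle stream.
# Everything else (os.system, subprocess.Popen, any project class, ...) is
# refused before it is even imported. This allow-list is an assumption of
# this example; pick it per application.
SAFE_BUILTINS = frozenset({"range", "complex", "set", "frozenset", "slice"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from an explicit allow-list."""

    def find_class(self, module, name):
        # find_class is the single choke point where a stream turns a
        # (module, name) pair into a live Python object. Refusing here means a
        # forbidden callable can never be obtained, so the stream's later
        # REDUCE/BUILD opcodes have nothing to invoke.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample streams (not real application data): plain data that
# needs only builtins.range, and a stream that merely *references* a global
# outside the allow-list. The builtin len is chosen because resolving it is
# harmless; stock pickle.loads hands it back as a function object.
BENIGN_STREAM = pickle.dumps({"user": "alice", "ids": [1, 2, 3], "window": range(3)})
FORBIDDEN_STREAM = pickle.dumps(len)

if __name__ == "__main__":
    print("restricted loader accepts:", restricted_loads(BENIGN_STREAM))
    print("stock pickle.loads resolves:", pickle.loads(FORBIDDEN_STREAM))
    print("restricted loader rejects it:", is_rejected(FORBIDDEN_STREAM))
```

The design point is that the check sits in `find_class` rather than on the decoded object: a stream is refused at the moment it names something outside the list, so no forbidden callable ever exists inside the process. The allow-list also has to cover everything the application legitimately pickles (any user-defined class has to be added by module and name), which is why the stdlib cannot ship one list that is "safe" for every program.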