Devin Jeanpierre writes:
That does not mean that we should not write or use safer alternatives. We have written and do use safer alternatives, like the json module.
Then why do we need a "safe alternative to pickle" when json is already in the standard library?
But it means we can't expect them to be usable exactly everywhere pickle is. I would've said the question is how far in that direction we should bother to go.
OK, that is a better way to put what I have in mind. Well, we've already gone as far as json, which is pretty powerful (but still subject to attacks using "relatively secure" json to transport "insecure" data!) Why do we need an alternative *between* pickle and json? Maybe we should advocate that users think seriously about securing channels, and validating the pickles before doing anything with them, if they think they need more features than json offers?