[docs] [issue18840] Tutorial recommends pickle module without any warning of insecurity

Donald Stufft report at bugs.python.org
Mon Aug 26 17:13:49 CEST 2013

Donald Stufft added the comment:

A description of the pickle module itself does not equate to the purpose of the section. Given that this is a tutorial and previous section taught how to read and write from files I would suggest that the purpose of the section was to give them the next step to persisting data which could be pickle or it could be JSON (or it could be another format all together). 

I don't see what Zope/ZODB's awareness of the security implications has to do with anything unless you're trying to state that the developers and users of ZODB are newcomers to Python whose knowledge of pickle stems from what they read in the tutorial. However I am glad that those communities are aware of the implications if they are using that module, but the point is the reader of the tutorial is *not* likely to be aware of them and should *not* be using pickle without being aware of them especially if they are sending that data over the network.

I'm really not sure what your problem is here. What is there to lose by annotating this section of the tutorial with a similar warning as exists in the pickle documentation that they should not unpickle data from an untrusted or unauthenticated sources? I can see how someone could state that the problem with switching to JSON is that it's harder to construct a serialization for arbitrary objects. That's not something I think it all that important to teach someone brand new to Python however I can understand if switching this section to using a "safe" serialization format doesn't sit well with people which is why I suggested at least adding a warning.

So what exactly is your problem with at a minimum adding a warning?


Python tracker <report at bugs.python.org>

More information about the docs mailing list