[Python-ideas] Adding a safe alternative to pickle in the standard library

Mark Hackett mark.hackett at metoffice.gov.uk
Thu Feb 21 18:22:47 CET 2013


On Thursday 21 Feb 2013, Devin Jeanpierre wrote:
> On Thu, Feb 21, 2013 at 10:50 AM, Dustin J. Mitchell <dustin at v.igoro.us> wrote:
> > When you put something in the stdlib and call it "safe", even with
> > caveats, people will make even more brazen mistakes than with a
> > documented-unsafe tool like pickle.
> 
> Then how do we improve on the status quo? The best situation can't
> possibly be one in which the standard serialization tool allows for
> code injection exploits out of the box, by default, and where there is
> no reasonable alternative in the stdlib without such problems.

By writing your application for its needs, not the needs of 10000 programs yet 
to be written, making the wrong assumption and putting it in a stdlib.

If every problem could be solved with a stdlib call, there'd only have to be 
one programmer in the world...

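Added example (not part of the original post or thread): it shows the code-injection behaviour Devin refers to, using a benign stand-in callable `record` instead of something like `os.system`, and the allow-listing `find_class` override from the Python `pickle` documentation as the kind of restriction a "safe" loader would have to impose. `Evil`, `record`, `SIDE_EFFECTS` and the payload are constructed here for illustration.

```python
import builtins
import io
import pickle
import pickletools

# Constructed for this example: a list that records every call made through
# the pickle stream, so we can prove a callable ran during loading.
SIDE_EFFECTS = []


def record(marker):
    """Hypothetical stand-in for os.system / subprocess.Popen: any importable callable works."""
    SIDE_EFFECTS.append(marker)
    return marker


class Evil:
    """Its pickle does not rebuild an Evil at all; it tells the unpickler to call record('pwned')."""

    def __reduce__(self):
        # pickle serialises this as GLOBAL <module> record, then REDUCE with ('pwned',)
        return (record, ("pwned",))


def build_payload() -> bytes:
    """The attacker-controlled bytes: a GLOBAL + REDUCE pair, nothing more."""
    return pickle.dumps(Evil())


def load_unsafely(data: bytes):
    """What every pickle.loads() call does: resolve the global and invoke it."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list every global the stream asks for (the find_class hook from the pickle docs).

    Anything not on the list, including __main__.record, os.system or
    builtins.eval, raises before it can be called.
    """

    SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the stream instead of executing it."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_restricted(obj):
    """Plain data (containers, numbers, strings, range) still loads under the allow-list."""
    return load_restricted(pickle.dumps(obj))


if __name__ == "__main__":
    payload = build_payload()
    pickletools.dis(payload)                 # shows the GLOBAL ... REDUCE opcodes
    print("unsafe load returned:", load_unsafely(payload), "side effects:", SIDE_EFFECTS)
    print("restricted load rejected it:", is_rejected(payload))
    print("restricted load of plain data:", roundtrip_restricted({"a": [1, 2], "r": range(3)}))
```

The allow-list only blocks the GLOBAL opcode path; it does nothing about memory or time spent on hostile streams, and it still has to be kept in step with every type the application legitimately pickles, which is the maintenance burden that makes a general "safe pickle" in the stdlib hard to promise.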