[Python-ideas] Adding a safe alternative to pickle in the standard library

Stephen J. Turnbull stephen at xemacs.org
Fri Feb 22 13:29:38 CET 2013


Devin Jeanpierre writes:

 > That does not mean that we should not write or use safer alternatives.
 > We have written and do use safer alternatives, like the json module.

Then why do we need a "safe alternative to pickle" when json is
already in the standard library?

 > But it means we can't expect them to be usable exactly everywhere
 > pickle is. I would've said the question is how far in that direction
 > we should bother to go.

OK, that is a better way to put what I have in mind.

Well, we've already gone as far as json, which is pretty powerful (but
still subject to attacks using "relatively secure" json to transport
"insecure" data!)  Why do we need an alternative *between* pickle and
json?  Maybe we should advocate that users think seriously about
securing channels, and validating the pickles before doing anything
with them, if they think they need more features than json offers?
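One concrete form of "validating the pickles before doing anything with them", as an added example that is not code from this thread: an unpickler that resolves only an explicit allowlist of globals, the `find_class` approach the `pickle` module documentation describes. The allowlist contents and the sample pickles are constructed for illustration.

```python
import io
import pickle

# Names the restricted unpickler is willing to resolve. Anything else
# (module-level functions, classes with side effects on construction)
# is refused before the pickle VM can call it. Constructed allowlist.
SAFE_BUILTINS = frozenset({"set", "frozenset", "range", "complex", "bytearray"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allowlist of globals."""

    def find_class(self, module, name):
        # GLOBAL / STACK_GLOBAL opcodes resolve through this hook; refusing
        # to resolve a name means the REDUCE that would call it never runs.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not allowed in this pickle")


def restricted_loads(data: bytes):
    """Load a pickle while refusing any global not on the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'ok' if the pickle loads under the allowlist, else 'rejected'."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed samples: plain data round-trips; a pickle that merely
# references a module-level callable is refused at find_class time.
PLAIN_DATA = pickle.dumps({"user": "alice", "tags": {"a", "b"}, "n": 3})
FUNCTION_REF = pickle.dumps(len)  # builtins.len is not on the allowlist

if __name__ == "__main__":
    print(classify(PLAIN_DATA))    # ok
    print(classify(FUNCTION_REF))  # rejected
```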
