[Python-ideas] Adding a safe alternative to pickle in the standard library

Andrew Barnert abarnert at yahoo.com
Fri Feb 22 18:29:36 CET 2013


On Feb 21, 2013, at 9:55, Steve Dower <Steve.Dower at microsoft.com> wrote:

>> From: Andrew Barnert
>> How often have you needed either cyclic references or the ability to
>> dynamically store arbitrary classes in something like a cookie or a cache file?
> 
> In a past life I used pickle regularly to snapshot long-running (evolutionary) algorithms that used user-provided classes and all sorts of highly improper circular references. And there are plenty of researchers out there using Python for much crazier things than I ever did.
> 
> There is a lot more to Python than web apps...

But you're not storing those pickles in a cookie, which is exactly my point. There are many cases where you need the power of pickle. There are also many cases where you need safe serialization. But there's not much overlap.

There are plenty of cases where you need safety, and also need a little more power than JSON--but you still don't usually need the full power of pickle for those cases, and making it easier to extend the json lib is a much cleaner way forward than making it easier to restrict pickle.

It's true that "not much overlap" != "no overlap". But you can't cover everything. If you're building, say, an online interactive python interpreter that saves and restores its state between sessions, you're going to have to think through the security implications. That doesn't mean someone who wants to just store scientific data and doesn't have untested sources, or someone building a web app who doesn't care about storing arbitrary dynamically defined types, should have the same burden.

