Andrew Dalke adalke at
Sun Sep 19 17:26:56 CEST 2004

Chris S. wrote:
> I agree completely, although I've been surprised by the general lack of 
> interest around here. You'd think a more secure, portable, and readable 
> serialization format would be welcomed with open arms, yet most of the 
> comments I've read past and present have been almost hostile.

YAML and pickles address two different but related domains.
Pickle attempts to serialize and deserialize arbitrary
Python data structures.  YAML serializes a subset of the
data structures that can be made portable, with it seems
some hooks for new datatypes.

Here's a test.  Can you do the following in YAML and do
so securely?  (Untested code.)

class DeleteFile:
   def __init__(self, filename, yes_really = False):
     self.filename = filename
     self.yes_really = yes_really
   def __eq__(self, other):
     return (self.filename == other.filename and
             self.yes_really == other.yes_really)
   def __del__(self, remove = os.remove):
     if self.yes_really:
         except IOError:

   # this works for pickle.  Does it work for YAML?
x = DeleteFile("/path/to/important/file")
   ... store 'x' to YAML file ...
y = ... read from YAML file
assert x == y

   # This is insecure in pickle.  Would YAML be secure?
z = ... read artibtrary YAML file which may have a
         DeleteFile where 'yes_really' is True ...
del z

Or what about support for multiple inheritance?

import datetime

class Base1:
   def __init__(self, a, b):
     self.a = a
     self.b = b
   def speak(self):
     print "The", self.a, "says", self.b

class Base2:
   def __init__(self, x):
     self.x = x
   def spell(self):
     print self.x, "is spelled", "-".join(list(self.x))

class Child(Base1, Base2):
   def __init___(self, a, b):
     Base1.__init__(self, a, b)
     Base2.__init__(self, a)
     self.z =

kid = Child("goat", "baaaaa")
   ... save 'kid' to YAML ...
animal = ... read that YAML file ...

In either case, how in the world is it portable?

				dalke at

More information about the Python-list mailing list