
Re: RFS: zodbpickle/0.6.0-1 [ITP]



On Mon, 2018-04-23 at 22:17 +0200, Julien Muchembled wrote:

> I suggest updating embedded-code-copies because this package forks
> the 'pickle' modules of Python 2.7.6 and 3.3.2

> python2.7
>         - zodbpickle <unknown> (embed)
>         NOTE: embeds stdlib modules: pickle, cpickle
> 
> I am surprised to see no entry for any version of Python 3.
> Maybe start one with python3.6

Added both.

> However, given the warning at the top of https://docs.python.org/3/library/pickle.html
> I am not sure it's useful to bother about the security of this code.
> 
> And unfortunately, the many changes in Python are not merged into zodbpickle.

I'd suggest that you work with ZODB upstream to remove zodbpickle from
their dependencies/codebase. It is technical debt, problematic for
security and there are likely faster ways to serialise data in Python.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
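
As an added example (not code from this thread, ZODB or zodbpickle), the mitigation that the pickle documentation's warning points to: a restricted Unpickler whose find_class resolves only an allow-list of globals, so a pickle that references any other module or callable fails to load instead of importing it. SAFE_GLOBALS and the two sample pickles are constructed for the demonstration.

```python
import collections
import io
import pickle
import subprocess

# Constructed allow-list: module -> names that untrusted pickles may resolve.
SAFE_GLOBALS = {
    "builtins": {"set", "frozenset", "bytearray", "complex"},
    "collections": {"OrderedDict", "Counter"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode; this is the only
        # point where a pickle can reach code, so gate it here.
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Deserialize `data` with the allow-listed unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_cleanly(data: bytes) -> bool:
    """True if the restricted loader accepts `data`, False if it rejects it."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def demo():
    # Constructed sample 1: plain data using an allow-listed class.
    benign = pickle.dumps(collections.OrderedDict([("user", "alice")]))
    # Constructed sample 2: a pickle that merely references a function in a
    # module outside the allow-list. pickle.loads would import and return it;
    # the restricted loader refuses before anything is resolved.
    foreign_ref = pickle.dumps(subprocess.check_output)
    return {
        "benign": restricted_loads(benign),
        "foreign_rejected": not loads_cleanly(foreign_ref),
    }


if __name__ == "__main__":
    print(demo())
```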
