
zodbpickle embedding outdated stdlib modules (was Re: RFS: zodbpickle/0.6.0-1 [ITP])



On 04/25/18 at 06:47, Paul Wise wrote:
>> However, given the warning at the top of https://docs.python.org/3/library/pickle.html
>> I am not sure it's useful to bother about the security of this code.
>>
>> And unfortunately, the many changes in Python are not merged into zodbpickle.
> 
> I'd suggest that you work with ZODB upstream to remove zodbpickle from
> their dependencies/codebase. It is technical debt, problematic for
> security and there are likely faster ways to serialise data in Python.
> 

ZODB uses the pickle format by design, because it stores the Python objects themselves, transparently for the application.

Where I work, the oldest production DB was created in 2003 and records that were written at that time must still be readable.

Quoting the pickle documentation:
> The pickle serialization format is guaranteed to be backwards compatible across Python releases.

By changing the meaning of str, Python 3 broke this promise.

The main purpose of zodbpickle, at the time it was created, was to be able to unpickle 'str' objects as bytes (which btw only solves the problem partially). Patches were submitted at https://bugs.python.org/issue6784 for that, but it was not clear whether they would be applied.

We still use Python 2, not just because of our huge code base, but also because of the data.

While writing this email, I learned that issue 6784 is fixed. That's great. If we manage to get back the 'noload' operation in Python 3 (it existed in Python 2), we could stop forking the stdlib modules.

Julien
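The two points raised in this thread, the Python 2 'str' problem that issue 6784 addressed and the pickle documentation's warning about untrusted data, can both be seen in a few lines of Python 3. The following is an added example for this thread; it is not code from ZODB, zodbpickle or the mailing-list participants. The pickle byte strings are constructed by hand for the example (they are what a Python 2 interpreter would emit for protocol 2, not real ZODB records), and the allow-listed builtins are an assumption chosen for illustration.

```python
import builtins
import collections
import io
import pickle

# Constructed for this example: what a Python 2 interpreter emits for
# pickle.dumps('caf\xe9', protocol=2). Opcodes: PROTO 2, SHORT_BINSTRING
# (length 4, Latin-1 payload), STOP.
PY2_STR_PICKLE = b"\x80\x02U\x04caf\xe9."

# Constructed for this example: Python 2 pickle.dumps({'name': 'caf\xe9'}, 2).
# Opcodes: PROTO 2, EMPTY_DICT, BINPUT, SHORT_BINSTRING, BINPUT,
# SHORT_BINSTRING, BINPUT, SETITEM, STOP.
PY2_DICT_PICKLE = b"\x80\x02}q\x00U\x04nameq\x01U\x04caf\xe9q\x02s."


def load_py2_str(data, encoding="ASCII"):
    """Unpickle Python 2 data under a given policy for 8-bit 'str' objects.

    Python 3's pickle decodes BINSTRING/SHORT_BINSTRING payloads as text with
    `encoding`; the special value 'bytes' keeps the raw bytes instead (the
    behaviour added for bpo-6784).
    """
    return pickle.loads(data, encoding=encoding)


def describe_py2_str_handling(data):
    """Show the three outcomes for one Python 2 str: error, bytes, or text."""
    results = {}
    try:
        # Default encoding is ASCII, so a Latin-1 byte makes loading fail.
        results["default"] = load_py2_str(data)
    except UnicodeDecodeError as exc:
        results["default"] = type(exc).__name__
    results["bytes"] = load_py2_str(data, encoding="bytes")    # b'caf\xe9'
    results["latin1"] = load_py2_str(data, encoding="latin1")  # 'café'
    return results


def load_py2_dict_as_bytes(data):
    """encoding='bytes' also turns Python 2 str *keys* into bytes.

    That is why the bytes mapping is only a partial fix: keys that were
    attribute names in an object's state no longer match Python 3 str names.
    """
    return pickle.loads(data, encoding="bytes")


# Assumed allow-list for the example; a real application would choose its own.
SAFE_BUILTINS = frozenset({"range", "complex", "set", "frozenset", "slice"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside an allow-list of builtins.

    This is the 'Restricting Globals' pattern from the pickle documentation.
    It only decides which callables a pickle may reference; it does not change
    the documentation's advice about unpickling data from untrusted sources.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data, encoding="bytes"):
    """Load `data` with the allow-list unpickler, keeping Python 2 str as bytes."""
    return RestrictedUnpickler(io.BytesIO(data), encoding=encoding).load()


def check_global_reference():
    """A pickle that names a class outside the allow-list is rejected.

    Pickling a class object emits a GLOBAL/STACK_GLOBAL opcode for
    collections.OrderedDict, which goes through find_class on load.
    """
    data = pickle.dumps(collections.OrderedDict, protocol=2)
    try:
        restricted_loads(data)
        return "allowed"
    except pickle.UnpicklingError:
        return "forbidden"


if __name__ == "__main__":
    print(describe_py2_str_handling(PY2_STR_PICKLE))
    print(load_py2_dict_as_bytes(PY2_DICT_PICKLE))
    print(check_global_reference())
```

The `encoding="bytes"` switch is the stdlib's answer to the first half of the problem; the dict example shows why it is only half, since every Python 2 str in the record, keys included, comes back as bytes. The restricted unpickler is independent of that and only narrows which globals a record may name.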
