is there a safe marshaler?

Paul Rubin http
Mon Feb 14 17:16:31 EST 2005


Irmen de Jong <irmen.NOSPAM at xs4all.nl> writes:
> > There's another issue with marshal that makes it unsuitable for Pyro,
> > which is that its data format is (for legitimate reasons) not
> > guaranteed to be the same across different Python releases.  That
> > means that if the two ends of the Pyro application aren't using the
> > same Python version, they might not be able to interoperate.
> 
> Paul, the default serialization protocol that Pyro uses is pickle
> (with the highest available protocol number). So there is a risk
> already that it doesn't interoperate with older Python versions,
> unless you configure the max pickle protocol or switch to using
> one of the supported XML serializations.

Yes, however, you can at least set the protocol level.  Marshal doesn't
give you that option.

What do you do about the security issue if you're using pickle?  Do
you have to trust the other end to not send you malicious pickles?
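
The two points raised in this message (pinning the pickle protocol level, and not trusting the other end's pickles), as an added Python 3 example that is not part of the original post and is not Pyro's code. It assumes the peers exchange only plain data; `PINNED_PROTOCOL`, `DataOnlyUnpickler`, `safe_dumps`, `safe_loads`, `protocol_of` and `is_rejected` are hypothetical names.

```python
import datetime
import io
import pickle

# Assumption: both ends agree on this protocol and only exchange plain data
# (None, bool, int, float, str, list, tuple, dict).
PINNED_PROTOCOL = 2


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so the incoming stream cannot import
    or call anything; only opcodes that build plain data succeed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed" % (module, name))


def safe_dumps(obj):
    """Serialize with the pinned protocol instead of the highest available."""
    return pickle.dumps(obj, protocol=PINNED_PROTOCOL)


def safe_loads(data):
    """Deserialize bytes received from a peer that is not trusted."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def protocol_of(data):
    """Protocol number from the PROTO header; None for protocols 0 and 1,
    which carry no header."""
    return data[1] if data[:1] == b"\x80" else None


def is_rejected(data):
    """True when safe_loads refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample: any pickle that references a global (here the
# datetime.date class) stands in for a stream that names a callable.
CONSTRUCTED_SAMPLE = pickle.dumps(datetime.date(2005, 2, 14),
                                  protocol=PINNED_PROTOCOL)
```

Refusing globals stops the stream from naming callables; it does not bound memory or CPU use, so cap the message size before calling `safe_loads`.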


