To pickle or not to pickle

Steven D'Aprano steve+comp.lang.python at pearwood.info
Fri May 8 06:54:22 EDT 2015


On Fri, 8 May 2015 07:58 pm, Cecil Westerhof wrote:

> I first used marshal in my filebasedMessages module. Then I read that
> you should not use it, because it changes per Python version and it
> was better to use pickle. So I did that and now I find:
>     https://wiki.python.org/moin/Pickle
> 
> Is it really that bad and should I change again?

marshal is really only for Python's internal use. I think that if Python was
created today, marshal would probably be an undocumented and internal-only
module.

pickle is quite safe provided you trust the environment you are running in
and the source of the pickle files. If you don't trust them, then you
should avoid pickle and use a format which doesn't execute code.

You could use JSON, plists, ini-files, or XML, all of which are text-based
and handled by the standard library. There is also YAML, but you have to
use a third-party library for that.

You might also look at the "serpent" serialisation format used by Pyro:

https://pypi.python.org/pypi/serpent

If your code is only going to be used by yourself, I'd just use pickle. If
you are creating an application for others to use, I would spend the extra
effort to build in support for at least pickle, JSON and plists, and let
the user decide what they prefer.
-- 
Steven
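As an added example (not from this thread, nor from Pyro or any other project mentioned), here is the defensive middle ground between "trust the source" and "avoid pickle": a restricted Unpickler that only resolves class names on an allowlist, using the `find_class` hook the pickle documentation describes for exactly this purpose, beside a JSON round-trip for comparison. The sample record and date are constructed inputs; the allowlist contents are an assumption you would tune to your own data.

```python
import datetime
import io
import json
import pickle

# Module -> names a pickle stream may reference.  Anything else makes the
# unpickler refuse the stream instead of importing and calling it.
# (Assumed allowlist; adjust to the types your own files legitimately contain.)
DEFAULT_ALLOWED = {
    "builtins": {"set", "frozenset", "range", "bytearray", "complex"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    The stock Unpickler imports whatever module/name pair the stream asks
    for, which is why a pickle from an untrusted source can run code.
    Overriding find_class is the hook the pickle docs recommend for
    limiting that lookup to known-safe classes.
    """

    def __init__(self, file, allowed=None):
        super().__init__(file)
        self.allowed = allowed if allowed is not None else DEFAULT_ALLOWED

    def find_class(self, module, name):
        if name in self.allowed.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"pickle refers to {module}.{name}, which is not on the allowlist")


def restricted_loads(data, allowed=None):
    """Unpickle bytes, resolving only allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def loads_or_reject(data, allowed=None):
    """Return (True, value) or (False, reason) so a caller can log a refusal."""
    try:
        return True, restricted_loads(data, allowed)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def json_roundtrip(obj):
    """The code-free alternative: json.loads never resolves a class name."""
    return json.loads(json.dumps(obj))


# Constructed sample inputs (not taken from the mailing-list thread).
SAMPLE_RECORD = {"user": "cecil", "scores": [1, 2.5], "tags": ("a", "b"),
                 "seen": None}
SAMPLE_RECORD_PICKLE = pickle.dumps(SAMPLE_RECORD)
SAMPLE_DATE = datetime.date(2015, 5, 8)
SAMPLE_DATE_PICKLE = pickle.dumps(SAMPLE_DATE)  # stream names datetime.date


if __name__ == "__main__":
    # Plain containers need no global lookup, so they load unchanged.
    print(restricted_loads(SAMPLE_RECORD_PICKLE))
    # A harmless datetime.date is still refused until its class is listed.
    print(loads_or_reject(SAMPLE_DATE_PICKLE))
    print(restricted_loads(SAMPLE_DATE_PICKLE, {"datetime": {"date"}}))
    # JSON carries no class references at all, but also no tuples.
    print(json_roundtrip(SAMPLE_RECORD))
```

The refusal of a plain `datetime.date` is the point: the allowlist is deny-by-default, and every class you add to it is a class whose constructor you are agreeing to let a file call. The JSON round-trip shows the other side of the trade-off Steven mentions: nothing in the stream can name a class, but the tuple comes back as a list, so the format constrains the data you can store.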
