To pickle or not to pickle
Chris Angelico
rosuav at gmail.com
Fri May 8 08:53:33 EDT 2015
On Fri, May 8, 2015 at 9:55 PM, Cecil Westerhof <Cecil at decebal.nl> wrote:
> Op Friday 8 May 2015 12:54 CEST schreef Steven D'Aprano:
>
>> If your code is only going to be used by yourself, I'd just use
>> pickle. If you are creating an application for others to use, I
>> would spend the extra effort to build in support for at least
>> pickle, JSON and plists, and let the user decide what they prefer.
>
> Well, I put it on GitHub, so I hope it is going to be used by others
> also. ;-) There are other things that are more urgent at the moment,
> but in the future I will implement JSON and plists then.
But will the pickle files be shared? If not, they're still nice and
private, and fairly safe. The problem comes when, for instance, you
have a client Python program that pickles data and sends it over a
network to a server Python program to be unpickled, because then
someone could craft a malicious pickle and send it to you to eat. If
they're only ever saved locally and re-read, there shouldn't be any
security risk (anyone who could reach in and edit the pickle file
could probably reach in and change the code anyway).
That said, if your needs are sufficiently simple, it may be worth
using something plain text just for the debuggability.
ChrisA
More information about the Python-list
mailing list