Hi Davide,

On Thursday, September 19, 2013 4:46:44 PM UTC+2, Davide Rizzo wrote:
>
> The inconvenience is breaking compatibility with all third party apps that 
> rely on storing extended data types (such as those supported by 
> DjangoJSONEncoder) with the default settings. Properly serializing datetime 
> (possibly tz-aware) can be hard, and changing the default puts the burden 
> on third party apps coders.
>

In all fairness, we didn't just break third party apps, we broke our code 
too… We always said that security will trump inconvenience, the only 
inconvenience I can see here is that users have to switch to the pickle 
backend if they use old third party apps (although only for those which use 
the session at all…).

> They would have the option to either add two complexity layers (properly 
> serializing/deserializing datetime objects, and not breaking compatibility 
> with the previous versions of the same app), or to break compatibility with 
> Django default settings.
>

We added those two complexity layers for our code too; it was merely one 
extra line to ensure backwards compatibility.

> I think the option of reverting the default to pickle should be also 
> considered.
>

No, this has been discussed and security will trump minor inconvenience.

Florian
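The two points argued above (why the pickle serializer is a security problem, and what it takes to carry tz-aware datetimes through the JSON one) are easier to see in code. The following is an added example written for this page, not code from the thread or from Django itself. It assumes only that a session serializer is a class with `dumps(obj) -> bytes` and `loads(data: bytes) -> obj`, which is the interface Django's own `JSONSerializer` exposes; the `__datetime__` tag, the `Payload` class and the sample session dict are constructed for the example.

```python
import datetime
import json
import pickle

# Why pickle had to go as the default: unpickling calls whatever callable the
# data names. Anyone able to forge session data (for example with a leaked
# SECRET_KEY) therefore gets code execution on the server. The payload below
# only appends to a list so the effect is observable; os.system would work
# exactly the same way.
EXECUTED = []


def _mark(tag):
    EXECUTED.append(tag)
    return tag


class Payload:
    # __reduce__ tells pickle: "to rebuild this object, call _mark('pwned')".
    def __reduce__(self):
        return (_mark, ("pwned",))


def pickle_runs_code():
    """True if merely loading the constructed pickle ran our callable."""
    EXECUTED.clear()
    data = pickle.dumps(Payload())
    pickle.loads(data)
    return EXECUTED == ["pwned"]


class DateTimeJSONSerializer:
    """JSON session serializer that survives tz-aware datetimes.

    Encoding a datetime as a bare ISO string (what DjangoJSONEncoder does) is
    lossy on the way back: "2013-09-19T16:46:44+02:00" is indistinguishable
    from a string a user typed. So datetimes are wrapped in a one-key dict
    with an assumed tag, and the UTC offset travels inside the ISO string.
    Only dicts whose sole key is the tag are turned back into datetimes.
    """

    TAG = "__datetime__"  # assumed tag name, chosen for this example

    @staticmethod
    def _default(obj):
        if isinstance(obj, datetime.datetime):
            return {DateTimeJSONSerializer.TAG: obj.isoformat()}
        raise TypeError(f"Object of type {type(obj).__name__} is not JSON serializable")

    @staticmethod
    def _object_hook(d):
        if set(d) == {DateTimeJSONSerializer.TAG}:
            # fromisoformat keeps the "+02:00" offset as a fixed-offset tzinfo.
            return datetime.datetime.fromisoformat(d[DateTimeJSONSerializer.TAG])
        return d

    def dumps(self, obj):
        return json.dumps(obj, default=self._default, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"), object_hook=self._object_hook)


def json_refuses_pickle():
    """Feeding the forged pickle bytes to the JSON serializer is a parse error, not code execution."""
    EXECUTED.clear()
    data = pickle.dumps(Payload())
    try:
        DateTimeJSONSerializer().loads(data)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return EXECUTED == []
    return False


# Constructed sample session: an id, a tz-aware login time, and a plain string
# that happens to look like a timestamp (it must come back as a string).
_TZ = datetime.timezone(datetime.timedelta(hours=2))
SAMPLE_SESSION = {
    "user_id": 42,
    "last_login": datetime.datetime(2013, 9, 19, 16, 46, 44, tzinfo=_TZ),
    "note": "2013-09-19T16:46:44+02:00",
}


def round_trip_session(serializer=None):
    """Serialize SAMPLE_SESSION and load it back; equal to the original on success."""
    serializer = serializer or DateTimeJSONSerializer()
    return serializer.loads(serializer.dumps(SAMPLE_SESSION))


if __name__ == "__main__":
    print("pickle executed payload:", pickle_runs_code())
    print("json executed payload:  ", not json_refuses_pickle())
    print("round trip intact:      ", round_trip_session() == SAMPLE_SESSION)
```

To use such a class in a project you would point the `SESSION_SERIALIZER` setting at its dotted path; the important design choice is the tag check in `_object_hook`, which is what keeps an ordinary string from being silently promoted to a datetime.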

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.