[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-05 Thread Antoine Pitrou
Antoine Pitrou added the comment: Ok, I've committed it. Thanks!
--
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed
versions: +Python 2.7

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-05 Thread Roundup Robot
Roundup Robot added the comment: New changeset 481b30bfe496 by Antoine Pitrou in branch '2.7': Issue #18840: Introduce the json module in the tutorial, and deemphasize the pickle module. http://hg.python.org/cpython/rev/481b30bfe496
--

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-05 Thread Roundup Robot
Roundup Robot added the comment: New changeset 90cf299dcf9b by Antoine Pitrou in branch '3.3': Issue #18840: Introduce the json module in the tutorial, and deemphasize the pickle module. http://hg.python.org/cpython/rev/90cf299dcf9b
New changeset 1009b77f59fd by Antoine Pitrou in branch 'defaul

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-05 Thread Antoine Pitrou
Changes by Antoine Pitrou:
--
versions: +Python 3.3, Python 3.4

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-05 Thread Gregory P. Smith
Gregory P. Smith added the comment: I like Antoine's tutjson.patch. Commit it. Thanks for noticing this Donald!
--
nosy: +gregory.p.smith

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-05 Thread Nick Coghlan
Nick Coghlan added the comment: Antoine's latest draft looks good to me.
--

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-05 Thread Antoine Pitrou
Antoine Pitrou added the comment: Here is a modified patch. The changes are:
- pickle is deemphasized a lot more (it's moved into a "seealso")
- I replaced the terms "encoding" and "decoding" with "serializing" and "deserializing" (the former may be confusing for people who are already struggli

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: Correction: you can't pickle executable code, you can pickle references to well-known objects (by name):

>>> def f(): pass
...
>>> pickle.dumps(f)
b'\x80\x03c__main__\nf\nq\x00.'
>>> pickle.dumps(f.__code__)
Traceback (most recent call last):
  File "", line 1

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-04 Thread Westley Martínez
Westley Martínez added the comment: Sounds good to me.
--

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-04 Thread Nick Coghlan
Nick Coghlan added the comment: Since this particular tutorial section was written long before the json module was part of the standard library, I think it makes sense to switch now that we have the option. pickle is definitely a useful tool, but now that JSON is available by default, it's now one

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-12-04 Thread Ezio Melotti
Changes by Ezio Melotti:
--
nosy: +ezio.melotti
stage: needs patch -> patch review
type: -> enhancement

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-11-05 Thread Chris Cooper
Chris Cooper added the comment: Here's a patch that focuses on the json module, with a smaller pickle section including the warning from the pickle docs.
--
nosy: +ChrisCooper
Added file: http://bugs.python.org/file32513/issue18840

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-30 Thread Antoine Pitrou
Antoine Pitrou added the comment: The very fact that we would add a warning makes pickle unfit for the tutorial, IMHO. The tutorial should stick to simple enough stuff that doesn't need any warnings.
--

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-30 Thread Westley Martínez
Westley Martínez added the comment: Here's a patch that adds the warning, if we so choose to keep pickle in the tutorial. It's taken verbatim from the pickle module's documentation.
--
keywords: +patch
Added file: http://bugs.python.org/file31524/pickle-add-warning_18840.diff

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-30 Thread Westley Martínez
Westley Martínez added the comment: I won't question the usefulness of JSON. I'm not a web programmer and have never used it. From my interpretation of the tutorial, it seems that the section's purpose is for storing Python objects. If pickle is going to stay in the tutorial, I think a warn

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-30 Thread Terry J. Reedy
Terry J. Reedy added the comment:
> How about we simply add the warning from
> http://docs.python.org/3/library/pickle.html#module-pickle to the beginning
> (or end) of the section?
That is one possibility.
> The Official Python Tutorial has always assumed a certain programmer's
> competence

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-30 Thread Westley Martínez
Westley Martínez added the comment: How about we simply add the warning from http://docs.python.org/3/library/pickle.html#module-pickle to the beginning (or end) of the section? The Official Python Tutorial has always assumed a certain programmer's competence. It's up to them if they want to

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-30 Thread Terry J. Reedy
Terry J. Reedy added the comment: For the tutorial, I agree with presenting json rather than pickle for all the reasons given, with pickle mentioned in a paragraph at the end (more powerful, more dangerous, see warning in manual before using).
--
nosy: +terry.reedy
stage: -> needs pat

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Fred L. Drake, Jr.
Changes by Fred L. Drake, Jr.:
--
nosy: -fdrake

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Antoine Pitrou
Antoine Pitrou added the comment: By the way, there is one difference between json and pickle in this context: json will output a text serialization, pickle a binary one. If serializing to a binary file, users must do the (utf-8, most likely) encoding themselves.
--

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Antoine Pitrou
Antoine Pitrou added the comment: I would be ok with changing that part of the tutorial to use json. Since json is much better known outside of the Python programming circles, and since its output is human-readable, it's probably a better fit for the tutorial. pickle can be mentioned as a more

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
Donald Stufft added the comment: A description of the pickle module itself does not equate to the purpose of the section. Given that this is a tutorial and the previous section taught how to read and write from files, I would suggest that the purpose of the section was to give them the next step to

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Fred L. Drake, Jr.
Fred L. Drake, Jr. added the comment: When I read "... that can take almost any Python object ...", I don't think the recommendation is about just a few types. The Zope and ZODB communities certainly use pickle extensively, we're aware of the security implications, and we send pickled data ov

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
Donald Stufft added the comment: Furthermore, the tutorial claims it's the standard way of persisting data, which in my experience it's far from, due to the security concerns. I've seen very little actual use of pickle in the wild (and when it was used it was often used by people who didn't

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
Donald Stufft added the comment: The section to me just seems to be about how to handle more than just strings; it mentions numbers, lists, dictionaries, and class instances. Of those it mentions, only the class instances are not able to be handled out of the box by JSON. However, like I said eve
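Added example, not code from the tracker thread or from CPython's tutorial, tying together three points made in this thread: json handles numbers, lists and dicts but needs help with class instances (Donald's message just above), json gives text that must be encoded explicitly when written to a binary file (Antoine's "by the way" message), and pickle records a function as a by-name reference rather than its code (Antoine's "Correction" message). The Point class, the "__point__" tag and the sample data are constructed for the example.

```python
import io
import json
import pickle

class Point:
    """Constructed sample: the 'class instance' json can't handle out of the box."""
    def __init__(self, x, y):
        self.x, self.y = x, y
    def __eq__(self, other):
        return isinstance(other, Point) and (self.x, self.y) == (other.x, other.y)

def point_default(obj):
    """json.dumps 'default' hook: describe a Point as a plain tagged dict."""
    if isinstance(obj, Point):
        return {"__point__": [obj.x, obj.y]}
    raise TypeError("cannot serialize %s" % type(obj).__name__)

def point_hook(d):
    """json.loads 'object_hook': rebuild a Point only from the exact tag shape;
    any other dict is returned untouched and no name in the data is looked up."""
    if set(d) == {"__point__"} and isinstance(d["__point__"], list) and len(d["__point__"]) == 2:
        return Point(*d["__point__"])
    return d

def save_json(data, binary_file):
    # json produces text; a binary file needs an explicit (utf-8) encoding step.
    binary_file.write(json.dumps(data, default=point_default).encode("utf-8"))

def load_json(binary_file):
    return json.loads(binary_file.read().decode("utf-8"), object_hook=point_hook)

def roundtrip_json(data):
    buf = io.BytesIO()
    save_json(data, buf)
    buf.seek(0)
    return load_json(buf)

def pickle_function_reference():
    """pickle stores a function as a by-name global reference (module + name),
    not its bytecode, and refuses a bare code object. Loading resolves that
    name, for whatever a payload names, hence the pickle docs' warning."""
    payload = pickle.dumps(json.dumps, protocol=3)  # protocol 3 emits GLOBAL: c<module>\n<name>\n
    try:
        pickle.dumps(json.dumps.__code__)
        code_rejected = False
    except TypeError:  # "can't pickle code objects"
        code_rejected = True
    # loading our own trusted payload shows the name being resolved on load
    return payload, code_rejected, pickle.loads(payload) is json.dumps
```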

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Fred L. Drake, Jr.
Fred L. Drake, Jr. added the comment: Advising the reader to be aware of the security warnings in the API documentation seems sufficient. JSON isn't intended to support arbitrary data, and that's what this section is discussing. Another section about data interchange with other applications

[issue18840] Tutorial recommends pickle module without any warning of insecurity

2013-08-26 Thread Donald Stufft
New submission from Donald Stufft: The Python tutorial tells, and even recommends, new users that they can use the pickle module to serialize arbitrary objects. However it does not provide any warning about the insecurity of unpickling arbitrary data. The text even goes so far as to mention se