raulcd commented on issue #49241: URL: https://github.com/apache/arrow/issues/49241#issuecomment-3896642540
Personally, I think an option like this could makes sense. As per the prototype, I think it would make more sense to be directly embedded as an option on `arrow::ipc::IpcReadOptions` instead of a wrapper on top of it only on pyarrow with this it could be used by other bindings too. The only problem I foresee with this is that we are moving the responsibility from the user to the IPC Reader implementation, with the implications that this has. One of the key ones is around security. The user will trust we are validating, as we should with this new contract. If we then miss a code path for example because a new read method has been added, we could end up with unvalidated data that the user trusts as validated. That becomes a potential security issue (CVE) rather than just a bug. cc @pitrou -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
