zodbpickle embedding outdated stdlib modules (was Re: RFS: zodbpickle/0.6.0-1 [ITP])

2018-04-25 Thread Julien Muchembled
On 04/25/18 at 06:47, Paul Wise wrote:
>> However, given the warning at the top of 
>> https://docs.python.org/3/library/pickle.html
>> I am not sure it's useful to bother about the security of this code.
>>
>> And unfortunately, the many changes in Python are not merged into zodbpickle.
> 
> I'd suggest that you work with ZODB upstream to remove zodbpickle from
> their dependencies/codebase. It is technical debt, problematic for
> security and there are likely faster ways to serialise data in Python.
> 

ZODB uses the pickle format by design, because it stores the Python objects 
themselves, transparently for the application.

Where I work, the oldest production DB was created in 2003 and records that 
were written at that time must still be readable.

Quoting the pickle documentation:
> The pickle serialization format is guaranteed to be backwards compatible 
> across Python releases.

By changing the meaning of str, Python 3 broke this promise.

The main purpose of zodbpickle at the time it was created is to be able to 
unpickle 'str' objects as bytes (which btw only solves the problem partially). 
Patches were submitted at https://bugs.python.org/issue6784 for that, but it was 
not clear whether they would be applied.

We still use Python 2, not just because of our huge code base, but also because 
of the data.

While writing this email, I learned that issue 6784 is fixed. That's great. If we 
manage to get back the 'noload' operation in Python 3 (it existed in Python 2), 
we could stop forking the stdlib modules.

Julien
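The two points of this message, the Python 2 'str' that Python 3 insists on decoding, and the pickle documentation warning quoted above, can be seen in a few lines. The following is an added example, not code from zodbpickle, ZODB or the Python issue: the Python 2 pickles are hand-written opcode sequences (constructed, so no Python 2 interpreter is needed), `referenced_globals` is a static scan in the spirit of `noload` built on `pickletools.genops`, and `NoGlobalsUnpickler` is a hypothetical, deliberately over-strict `find_class` override rather than anything ZODB ships.

```python
import collections
import io
import pickle
import pickletools

# Constructed inputs: Python 2 style pickles written out as raw opcodes.
#   \x80\x02            PROTO 2
#   U <len> <payload>   SHORT_BINSTRING, the opcode Python 2 emits for 'str'
#   .                   STOP
PY2_ASCII_STR = b"\x80\x02U\x03abc."
PY2_BINARY_STR = b"\x80\x02U\x02\xc3\xa9."  # two non-ASCII bytes (UTF-8 'é')

# Constructed at runtime: a pickle that references a global (collections.OrderedDict).
GLOBAL_PICKLE = pickle.dumps(collections.OrderedDict(), protocol=2)


def load_py2_str(data, encoding="ASCII"):
    """Unpickle a Python 2 pickle, decoding its 'str' values with `encoding`.

    Python 3 turns SHORT_BINSTRING payloads into str (ASCII by default), which
    is the change of meaning zodbpickle was created to work around.  Passing
    encoding='bytes' keeps the payload as bytes instead.
    """
    return pickle.loads(data, encoding=encoding)


def referenced_globals(data):
    """Return the (module, name) pairs named by GLOBAL opcodes, without executing.

    pickletools.genops only walks the opcode stream, so nothing is imported or
    instantiated.  Caveat: protocol 4 pickles use STACK_GLOBAL, whose names come
    from the stack and are not visible to this purely static scan.
    """
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
    return found


class NoGlobalsUnpickler(pickle.Unpickler):
    """Hypothetical unpickler that refuses every global reference.

    Overriding find_class is the mitigation the pickle documentation describes;
    refusing everything is stricter than a real ZODB could be (it must resolve
    persistent classes), but it shows the mechanism.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data, encoding="bytes"):
    """Unpickle with globals forbidden and Python 2 'str' kept as bytes."""
    return NoGlobalsUnpickler(io.BytesIO(data), encoding=encoding).load()


def try_load(func, *args, **kwargs):
    """Run a loader and report either its result or the exception type name."""
    try:
        return ("ok", func(*args, **kwargs))
    except Exception as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    print(try_load(load_py2_str, PY2_ASCII_STR))
    print(try_load(load_py2_str, PY2_ASCII_STR, encoding="bytes"))
    print(try_load(load_py2_str, PY2_BINARY_STR))
    print(try_load(load_py2_str, PY2_BINARY_STR, encoding="bytes"))
    print(referenced_globals(GLOBAL_PICKLE))
    print(try_load(restricted_loads, GLOBAL_PICKLE))
```

The ASCII string loads either way, but the binary one only survives with `encoding='bytes'`: the default raises `UnicodeDecodeError`, and `encoding='latin1'` silently turns two bytes into two characters, which is the "partial" fix mentioned above. The static scan shows which classes a record would pull in before anything is executed, and the `find_class` override is where an allow-list of permitted classes would go.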
Re: RFS: zodbpickle/0.6.0-1 [ITP]

2018-04-24 Thread Paul Wise
On Mon, 2018-04-23 at 22:17 +0200, Julien Muchembled wrote:

> I suggest updating embedded-code-copies because this package forks
> the 'pickle' modules of Python 2.7.6 and 3.3.2.

> python2.7
> - zodbpickle  (embed)
> NOTE: embeds stdlib modules: pickle, cpickle
> 
> I am surprised to see no entry for any version of Python 3.
> Maybe start one with python3.6.

Added both.

> However, given the warning at the top of 
> https://docs.python.org/3/library/pickle.html
> I am not sure it's useful to bother about the security of this code.
> 
> And unfortunately, the many changes in Python are not merged into zodbpickle.

I'd suggest that you work with ZODB upstream to remove zodbpickle from
their dependencies/codebase. It is technical debt, problematic for
security and there are likely faster ways to serialise data in Python.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Re: RFS: zodbpickle/0.6.0-1 [ITP]

2018-04-23 Thread Julien Muchembled
On 04/27/17 at 06:08, Paul Wise wrote:
> On Fri, 9 Dec 2016 21:24:48 +0100 Julien Muchembled wrote:
> 
>> python-zodbpickle - Fork of pickle module, for ZODB
> 
> If this enters Debian, please make sure that you notify the security
> team to update their embedded-code-copies file, which tracks both
> embedded copies and forks of projects.
> 
> https://wiki.debian.org/EmbeddedCodeCopies
> 

python-zodbpickle has just entered Debian and, as planned, I suggest updating 
embedded-code-copies because this package forks the 'pickle' modules of Python 
2.7.6 and 3.3.2.

For Python 2:

python2.7
- zodbpickle  (embed)
NOTE: embeds stdlib modules: pickle, cpickle

I am surprised to see no entry for any version of Python 3. Maybe start one 
with python3.6.

However, given the warning at the top of 
https://docs.python.org/3/library/pickle.html
I am not sure it's useful to bother about the security of this code.

And unfortunately, the many changes in Python are not merged into zodbpickle.

Julien