It is common knowledge that pickle is a serious security risk. And yet, vulnerabilities involving that serialisation format keep happening. In the article I briefly describe the issue and appeal to people to stop using pickle.

  • mina86@lemmy.wtf (OP) · 1 day ago

    Also, there is strictyaml, which validates against schemas. Don’t touch the built-in yaml module.

    Thanks. I’ll include that in an update.

    protobuf needs to be compiled. This introduces the possibility of coder error, such as simply forgetting to compile and commit the protobuf files after a change. This affected the Electrum BTC and LTC (light) wallets.

    Yes, that’s certainly a downside. It also demonstrates that one should not commit such generated files. A better approach is to commit the source files (in this instance, the message definitions) and include a compilation step in the program’s build/install recipe.

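As an added illustration of the thread's point (this is not code from the article or from the commenters): a pickle stream can name any importable callable, and the side that calls `pickle.loads` is the side that runs it. The `Marker` class and the allow-list below are constructed for the example; the `find_class` override follows the restricting pattern documented for the standard `pickle` module.

```python
import builtins
import io
import operator
import pickle


class Marker:
    """Constructed example object whose pickle form names a callable to run on load."""

    def __reduce__(self):
        # Any importable callable can be named here; operator.add is used only so
        # the effect is visible as a return value. The *loading* side makes the call.
        return (operator.add, (40, 2))


def unsafe_load(data: bytes):
    """Plain pickle.loads: performs whatever call the payload names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler in the style recommended by the Python pickle docs."""

    # Constructed allow-list; extend only with types the application truly needs.
    SAFE_BUILTINS = {"range", "slice", "complex", "set", "frozenset"}

    def find_class(self, module, name):
        # Every global reference (class or function) in the stream passes through here.
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (unsafe-load result, whether restricted load refused the same stream,
    a benign payload that the restricted loader still accepts)."""
    payload = pickle.dumps(Marker())
    unsafe_result = unsafe_load(payload)  # 42: the loader ran operator.add for us
    try:
        restricted_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    benign = restricted_load(pickle.dumps({"ids": list(range(3)), "r": range(3)}))
    return unsafe_result, blocked, benign


if __name__ == "__main__":
    print(demo())
```

The allow-list only narrows which globals a stream may reference; it does not make pickle a format suitable for untrusted input, which is why the thread's advice is to use a format that cannot name code at all.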