Python, pickling, events, and security

Ivan R. Judson judson at mcs.anl.gov
Sun Aug 3 15:06:34 CDT 2003



I have only two comments, both in agreement:

1) our sources are trusted, GSI TCP Sockets, so we currently fulfill the 
negative of the condition, i.e., our sources are trusted and 
authenticated.

2) I'd like us to move to a jabber-like message format for the event 
channel, which would seamlessly support the integration of text and 
other "sub-channels" in the single connection. I'd like us to all have 
a look at the jabber protocol which can be found at jabber.org.

--Ivan

On Friday, August 1, 2003, at 12:25 PM, Robert Olson wrote:

> The following is in PEP 307:
>
>     We firmly believe that, on the Internet, it is better to know that
>     you are using an insecure protocol than to trust a protocol to be
>     secure whose implementation hasn't been thoroughly checked.  Even
>     high quality implementations of widely used protocols are
>     routinely found flawed; Python's pickle implementation simply
>     cannot make such guarantees without a much larger time investment.
>     Therefore, as of Python 2.3, all safety checks on unpickling are
>     officially removed, and replaced with this warning:
>
>       *** Do not unpickle data received from an untrusted or
>           unauthenticated source ***
>
>     The same warning applies to previous Python versions, despite the
>     presence of safety checks there.
>
> The current event service uses pickled Python objects as the wire 
> protocol. The above warning makes me believe that we should look 
> seriously at replacing that, perhaps in the just-post-2.1 timeframe.
>
> --bob
>
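
A sketch of a data-only wire format for an event channel, added here as an illustration and not taken from this thread or from the project's code. It uses length-prefixed JSON rather than the Jabber XML format suggested above, and the event names, fields and size cap are assumptions; the decoder only builds plain values and rejects anything outside the schema, including a pickled payload.

```python
import json
import pickle
import struct

MAX_FRAME = 64 * 1024  # assumed cap on one event frame
# Hypothetical schema: event type -> exact payload fields and their types.
SCHEMA = {"text": {"sender": str, "body": str},
          "heartbeat": {"sender": str, "seq": int}}

def encode_event(kind, **fields):
    """4-byte big-endian length prefix followed by UTF-8 JSON."""
    body = json.dumps({"type": kind, "data": fields}).encode("utf-8")
    if len(body) > MAX_FRAME:
        raise ValueError("event too large")
    return struct.pack("!I", len(body)) + body

def decode_event(frame):
    """Return (kind, data) for a valid frame, else raise ValueError."""
    if len(frame) < 4:
        raise ValueError("short frame")
    (length,) = struct.unpack("!I", frame[:4])
    if length > MAX_FRAME or length != len(frame) - 4:
        raise ValueError("bad length")
    try:
        msg = json.loads(frame[4:].decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as exc:
        raise ValueError("not a JSON event") from exc
    if not isinstance(msg, dict) or set(msg) != {"type", "data"}:
        raise ValueError("bad envelope")
    kind, data = msg["type"], msg["data"]
    spec = SCHEMA.get(kind) if isinstance(kind, str) else None
    if spec is None or not isinstance(data, dict) or set(data) != set(spec):
        raise ValueError("unknown event type or fields")
    for name, typ in spec.items():
        if type(data[name]) is not typ:  # exact match, so True is not an int
            raise ValueError("bad type for " + name)
    return kind, data

def rejects(frame):
    """True when decode_event refuses the frame."""
    try:
        decode_event(frame)
    except ValueError:
        return True
    return False

# Constructed sample: a pickled dict framed as if it were an event.
_blob = pickle.dumps({"type": "text", "data": {"sender": "a", "body": "b"}})
PICKLED_FRAME = struct.pack("!I", len(_blob)) + _blob
```
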



