[ZODB-Dev] Support for graceful ZODB Class renaming

Guido van Rossum guido@python.org
Fri, 17 Jan 2003 09:45:26 -0500


> > I don't think untrusted data should be unpickled, ever.
> 
> I often use a subclass of the python unpickler class that only unpickles 
> primitive types - strings, tuples, floats etc - and raises an exception when 
> it encounters a 'pickle bytecode' that is potentially dangerous. I believe 
> this to be safe, and useful.

Sure, but it's hardly the general case for which pickling was
created -- you might as well create your own format.  And you can't
use cPickle.  This use case won't be broken, but doesn't really affect
my recommendation.

> > ZEO actually doesn't need pickles for its RPC; marshal would be just
> > as good (except bad marshal data can blow up too -- this is easy to
> > fix though).
> 
> The other problem with marshal is the documented risk that the
> format may have incompatible changes across python versions. That
> might not be a big problem for ZEO.

In practice, the incompatibilities are restricted to code objects
(which tend to grow new attributes with each language refinement).

--Guido van Rossum (home page: http://www.python.org/~guido/)
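The primitives-only unpickler described in the quoted reply, written out as an added example (this is not code from the thread or from ZODB). It assumes the hypothetical names `PrimitiveOnlyUnpickler`, `safe_loads` and `accepts`, and uses constructed sample pickles; it relies on the fact that every opcode able to build an arbitrary object (GLOBAL, STACK_GLOBAL, and hence REDUCE/NEWOBJ/INST) must resolve a callable through `find_class`, so refusing all lookups there leaves only literals and containers loadable.

```python
import datetime
import io
import pickle


class PrimitiveOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every module/class reference.

    GLOBAL and STACK_GLOBAL go through find_class; REDUCE, NEWOBJ and INST
    need the callable those opcodes produce. Raising here therefore limits
    the loadable vocabulary to None, bool, int, float, str, bytes, tuple,
    list and dict (plus set on protocol 4+, which has its own opcode).
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global reference {module}.{name} is not permitted"
        )


def safe_loads(data: bytes):
    """Load a pickle, raising pickle.UnpicklingError on any class lookup."""
    return PrimitiveOnlyUnpickler(io.BytesIO(data)).load()


def accepts(data: bytes) -> bool:
    """True if the data round-trips through the restricted unpickler."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


# Constructed sample inputs (not from the thread): one pickle made only of
# primitives, and one that must look up datetime.date to reconstruct itself.
SAFE_SAMPLE = pickle.dumps(
    {"id": 17, "ratio": 0.5, "tags": ("a", "b"), "raw": b"\x00", "ok": None}
)
CLASS_SAMPLE = pickle.dumps(datetime.date(2003, 1, 17))


if __name__ == "__main__":
    print("primitive pickle:", safe_loads(SAFE_SAMPLE))
    print("class-bearing pickle accepted:", accepts(CLASS_SAMPLE))
```

Unlike the cPickle of 2003, Python 3's C accelerator honours a `find_class` override on an `Unpickler` subclass, so this restriction no longer costs the fast path.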