19
Stop using pickle already. Seriously, stop it! (mina86.com)
submitted 14 hours ago by mina86@lemmy.wtf to c/python@programming.dev
3 comments fedilink hide all child comments

It is common knowledge that pickle is a serious security risk. And yet, vulnerabilities involving that serialisation format keep happening. In the article I shortly describe the issue and appeal to people to stop using pickle.

you are viewing a single comment's thread
view the rest of the comments
[-] danielquinn@lemmy.ca 13 points 13 hours ago

The thing is, none of the suggested alternatives can do what pickle does, and the article focuses on a narrow (albeit ubiquitous) use case: serialisation of untrusted data.

There are still legitimate use cases for pickle, especially when storing, caching, or comparing objects that can't easily be serialised with say, JSON or TOML. It's a question of using the right thing for the right job is all, and pretending like JSON is a computable alternative to pickle doesn't help anyone.

[-] mina86@lemmy.wtf 1 points 2 hours ago* (last edited 2 hours ago)

If you’re serialising trusted data, you can define schema for it and use Protocol Buffers which will not only by safer but also faster. Pretending that you need to be able to serialise arbitrary data hurts everyone.

[-] ALERT@sh.itjust.works 2 points 3 hours ago

I second this.

this post was submitted on 10 Feb 2026
19 points (88.0% liked)

Python

7750 readers
36 users here now

Welcome to the Python community on the programming.dev Lemmy instance!

📅 Events

PastNovember 2023

October 2023

July 2023

August 2023

September 2023

🐍 Python project:
💓 Python Community:
✨ Python Ecosystem:
🌌 Fediverse
Communities
Projects
Feeds

founded 2 years ago
MODERATORS
erlingur@programming.dev
jnovinger@programming.dev
norambna@programming.dev