Discussion:
RFS: zodbpickle/0.6.0-1 [ITP]
Julien Muchembled
2018-04-23 20:17:06 UTC
    python-zodbpickle - Fork of pickle module, for ZODB
If this enters Debian, please make sure that you notify the security
team to update their embedded-code-copies file, which tracks both
embedded copies and forks of projects.
https://wiki.debian.org/EmbeddedCodeCopies
python-zodbpickle has just entered Debian and, as planned, I suggest updating embedded-code-copies because this package forks the 'pickle' modules of Python 2.7.6 and 3.3.2.

For Python 2:

python2.7
- zodbpickle <unknown> (embed)
NOTE: embeds stdlib modules: pickle, cpickle

I am surprised to see no entry for any version of Python 3. Maybe start one with python3.6.

However, given the warning at the top of https://docs.python.org/3/library/pickle.html
I am not sure it's useful to bother about the security of this code.

And unfortunately, the many changes in Python are not merged into zodbpickle.

Julien
Paul Wise
2018-04-25 04:47:29 UTC
Post by Julien Muchembled
I suggest updating embedded-code-copies because this package forks
the 'pickle' modules of Python 2.7.6 and 3.3.2
python2.7
- zodbpickle <unknown> (embed)
NOTE: embeds stdlib modules: pickle, cpickle
I am surprised to see no entry for any version of Python 3.
Maybe start one with python3.6
Added both.
Post by Julien Muchembled
However, given the warning at the top of https://docs.python.org/3/library/pickle.html
I am not sure it's useful to bother about the security of this code.
And unfortunately, the many changes in Python are not merged into zodbpickle.
I'd suggest that you work with ZODB upstream to remove zodbpickle from
their dependencies/codebase. It is technical debt, problematic for
security and there are likely faster ways to serialise data in Python.
--
bye,
pabs

https://wiki.debian.org/PaulWise
Julien Muchembled
2018-04-25 23:03:31 UTC
Post by Paul Wise
Post by Julien Muchembled
However, given the warning at the top of https://docs.python.org/3/library/pickle.html
I am not sure it's useful to bother about the security of this code.
And unfortunately, the many changes in Python are not merged into zodbpickle.
I'd suggest that you work with ZODB upstream to remove zodbpickle from
their dependencies/codebase. It is technical debt, problematic for
security and there are likely faster ways to serialise data in Python.
ZODB uses the pickle format by design, because it stores the Python objects themselves, transparently for the application.

Where I work, the oldest production DB was created in 2003 and records that were written at that time must still be readable.
Post by Paul Wise
The pickle serialization format is guaranteed to be backwards compatible across Python releases.
By changing the meaning of str, Python 3 broke this promise.

The main purpose of zodbpickle, at the time it was created, was to be able to unpickle 'str' objects as bytes (which, btw, only solves the problem partially). Patches were submitted at https://bugs.python.org/issue6784 for that, but it was not clear whether they would be applied.

We still use Python 2, not just because of our huge code base, but also because of the data.

While writing this email, I learned that issue 6784 is fixed. That's great. If we manage to get back the 'noload' operation in Python 3 (it existed in Python 2), we could stop forking the stdlib modules.

Julien
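The str/bytes break discussed in this thread, shown concretely. This is an added example, not code from the thread, zodbpickle or ZODB; the pickle byte strings are constructed by hand to match what Python 2.7 emits for a 'str' at protocol 2, and `legacy_str_opcodes` uses `pickletools.genops` to spot such records without executing the stream.

```python
import pickle
import pickletools

# Constructed samples: the exact bytes Python 2.7 emits for
# pickle.dumps('abc', 2) and pickle.dumps('\xff', 2). A Python 2 'str' is
# written with the SHORT_BINSTRING opcode ('U'), which carries raw bytes
# with no encoding information at all.
PY2_STR_ASCII = b"\x80\x02U\x03abcq\x00."
PY2_STR_NONASCII = b"\x80\x02U\x01\xffq\x00."
# What Python 3 emits for pickle.dumps('abc', 2): BINUNICODE ('X'), UTF-8.
PY3_UNICODE = b"\x80\x02X\x03\x00\x00\x00abcq\x00."

# Opcodes that only ever came from a Python 2 'str' object.
LEGACY_STR_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING"}


def legacy_str_opcodes(data):
    """Return the Python-2 'str' opcodes present in a pickle stream.

    pickletools.genops disassembles the stream without running it, so this
    can be used to audit stored records before deciding how (or whether)
    to load them.
    """
    return sorted({op.name for op, _arg, _pos in pickletools.genops(data)
                   if op.name in LEGACY_STR_OPCODES})


def load_py2_str(data, encoding=None):
    """Unpickle a Python 2 stream under Python 3.

    Returns (value, None) on success, or (None, exception-class-name) when
    pickle's default strict ASCII decoding rejects the payload.  Passing
    encoding='bytes' is the stdlib way to get the original bytes back.
    """
    kwargs = {} if encoding is None else {"encoding": encoding}
    try:
        return pickle.loads(data, **kwargs), None
    except UnicodeDecodeError as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    for label, data in (("ascii", PY2_STR_ASCII), ("non-ascii", PY2_STR_NONASCII)):
        print(label, "legacy opcodes:", legacy_str_opcodes(data))
        for enc in (None, "latin1", "bytes"):
            print("  encoding=%r -> %r" % (enc, load_py2_str(data, enc)))
```

Note that the ASCII record silently changes type (bytes in Python 2, str in Python 3) while the non-ASCII one fails outright; `encoding='bytes'` restores the original bytes but leaves the application to decide what each field meant.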
