[openstack-dev] [oslo.serialization] Security or convenience?

Angus Lees gus at inodes.org
Thu Jul 23 05:56:59 UTC 2015


I'm working on a draft spec[1] for a new privilege separation mechanism
(oslo.privsep) and one of the reviewers mentioned oslo.serialization.  Yay.

My question is: From a quick glance over the current objects, it looks fine
atm - but is the intention that this library remain suitable for
security-sensitive purposes?

I guess I'm mostly concerned about things like PyYaml's "!!python/object"
feature or pickle's ability to serialise arbitrary objects - super useful
in normal use, just not in a security context.

 - Gus

[1] https://review.openstack.org/#/c/204073
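Added example, not part of this mail or of oslo.serialization: a stdlib-only illustration of the pickle concern raised above. It puts the unrestricted `pickle.loads` beside an allowlisting `Unpickler` (the restricting-globals pattern from the Python `pickle` documentation) and runs both over three constructed payloads, so the difference between "deserialise whatever the bytes name" and "deserialise only the types I expect" is visible. The allowlist contents and the sample payloads are assumptions chosen for the demonstration.

```python
import collections
import datetime
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. This is an
# assumption for the demo: a real service lists exactly the types it expects
# to receive and nothing else. Anything absent (builtins.eval, os.*,
# subprocess.*, or a harmless but unexpected type) is refused before lookup.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals named in ALLOWED_GLOBALS.

    pickle.loads resolves any importable module.attr the stream asks for;
    overriding find_class is the documented hook to make that decision
    ourselves, turning an open-ended deserializer into an allowlisted one.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def restricted_loads(data: bytes):
    """Deserialise with the allowlisting unpickler; raises on foreign globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes, restricted: bool = True) -> str:
    """Return 'accepted' or 'rejected' for a payload under either loader."""
    try:
        if restricted:
            restricted_loads(data)
        else:
            pickle.loads(data)  # unrestricted: resolves any global the stream names
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample payloads (not captured traffic). All three are benign;
# the point is that the allowlist rejects the unexpected type, not that it
# recognises a hostile one.
SAMPLES = {
    "plain dict": pickle.dumps({"user": "gus", "roles": ["admin"]}),
    "allowlisted OrderedDict": pickle.dumps(collections.OrderedDict(a=1)),
    "datetime.date (not allowlisted)": pickle.dumps(datetime.date(2015, 7, 23)),
}


def audit(samples=SAMPLES):
    """Map each sample name to (unrestricted verdict, restricted verdict)."""
    return {
        name: (classify(data, restricted=False), classify(data, restricted=True))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (plain, strict) in audit().items():
        print(f"{name:35s} pickle.loads={plain:9s} restricted={strict}")
```

The unrestricted loader accepts all three; the restricted one accepts the dict (no globals at all in the stream) and the allowlisted `OrderedDict`, and rejects `datetime.date` because it is simply not on the list. The equivalent decision for the YAML case in the mail is `yaml.safe_load`, which refuses `!!python/object` and the other `!!python/*` tags outright rather than resolving them.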

