[openstack-dev] [oslo.serialization] Security or convenience?

Davanum Srinivas davanum at gmail.com
Thu Jul 23 11:15:47 UTC 2015


yes, oslo.serialization should "remain suitable for security-sensitive
purposes". i don't believe we use either of the features today and no
intention to add it the future.

-- dims

On Thu, Jul 23, 2015 at 12:56 AM, Angus Lees <gus at inodes.org> wrote:
> I'm working on a draft spec[1] for a new privilege separation mechanism
> (oslo.privsep) and one of the reviewers mentioned oslo.serialization.  Yay.
> My question is: From a quick glance over the current objects, it looks fine
> atm - but is the intention that this library remain suitable for
> security-sensitive purposes?
> I guess I'm mostly concerned about things like PyYaml's "!!python/object"
> feature or pickle's ability to serialise arbitrary objects - super useful in
> normal use, just not in a security context.
>  - Gus
> [1] https://review.openstack.org/#/c/204073
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Davanum Srinivas :: https://twitter.com/dims

More information about the OpenStack-dev mailing list