[openstack-dev] [oslo.serialization] Security or convenience?
davanum at gmail.com
Thu Jul 23 11:15:47 UTC 2015
yes, oslo.serialization should "remain suitable for security-sensitive
purposes". i don't believe we use either of the features today and no
intention to add it the future.
On Thu, Jul 23, 2015 at 12:56 AM, Angus Lees <gus at inodes.org> wrote:
> I'm working on a draft spec for a new privilege separation mechanism
> (oslo.privsep) and one of the reviewers mentioned oslo.serialization. Yay.
> My question is: From a quick glance over the current objects, it looks fine
> atm - but is the intention that this library remain suitable for
> security-sensitive purposes?
> I guess I'm mostly concerned about things like PyYaml's "!!python/object"
> feature or pickle's ability to serialise arbitrary objects - super useful in
> normal use, just not in a security context.
> - Gus
>  https://review.openstack.org/#/c/204073
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
Davanum Srinivas :: https://twitter.com/dims
More information about the OpenStack-dev