[openstack-dev] [oslo.serialization] Security or convenience?

Davanum Srinivas davanum at gmail.com
Thu Jul 23 11:15:47 UTC 2015


Angus,

yes, oslo.serialization should "remain suitable for security-sensitive
purposes". I don't believe we use either of the features today and have no
intention to add them in the future.

-- dims

On Thu, Jul 23, 2015 at 12:56 AM, Angus Lees <gus at inodes.org> wrote:
> I'm working on a draft spec[1] for a new privilege separation mechanism
> (oslo.privsep) and one of the reviewers mentioned oslo.serialization.  Yay.
>
> My question is: From a quick glance over the current objects, it looks fine
> atm - but is the intention that this library remain suitable for
> security-sensitive purposes?
>
> I guess I'm mostly concerned about things like PyYaml's "!!python/object"
> feature or pickle's ability to serialise arbitrary objects - super useful in
> normal use, just not in a security context.
>
>  - Gus
>
> [1] https://review.openstack.org/#/c/204073
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Davanum Srinivas :: https://twitter.com/dims
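As an added illustration of the concern Gus raises above (this is example code written for this page, not code from oslo.serialization or from either poster): a pickle stream names the class or callable to rebuild, so a plain `pickle.loads` will construct whatever the sender chose, while a JSON loader can only ever produce dicts, lists, strings and numbers and leaves type reconstruction to the receiver. The allow-listed unpickler below follows the "Restricting Globals" pattern from the Python `pickle` documentation; the `SAFE_GLOBALS` set, the sample objects and the `_to_primitive` hook are constructed for the example, and the comparison to `jsonutils.to_primitive` is only an analogy.

```python
import datetime
import io
import json
import pickle
from collections import OrderedDict

# Allow-list: the only (module, name) globals the restricted unpickler may
# resolve. Any class, function or other callable outside it is refused, so a
# stream cannot name a constructor of its own choosing. (Constructed for the
# example; a real deployment would list exactly the types it exchanges.)
SAFE_GLOBALS = {("collections", "OrderedDict")}

# Constructed sample inputs: one type on the allow-list, one off it.
SAMPLE_ALLOWED = OrderedDict(a=1)
SAMPLE_FORBIDDEN = datetime.date(2015, 7, 23)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allow-listed globals.

    find_class() is the single choke point through which every class or
    callable referenced by a pickle stream is looked up, so overriding it
    is enough to refuse arbitrary object construction.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s" % (module, name))


def unrestricted_loads(data):
    """Plain pickle.loads: rebuilds whatever class the stream names."""
    return pickle.loads(data)


def restricted_loads(data):
    """pickle.loads routed through the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loader_outcomes(obj):
    """Pickle obj, then feed the same bytes to both loaders.

    Returns (name of the type the unrestricted loader rebuilt,
             'accepted' or 'rejected' from the restricted loader).
    """
    data = pickle.dumps(obj)
    rebuilt = unrestricted_loads(data)
    try:
        restricted_loads(data)
        verdict = "accepted"
    except pickle.UnpicklingError:
        verdict = "rejected"
    return type(rebuilt).__name__, verdict


def _to_primitive(value):
    """json.dumps 'default' hook: explicit, one-way conversion of non-JSON
    types (analogous to the role jsonutils.to_primitive plays in
    oslo.serialization). Dates become ISO strings; anything else is an error."""
    if isinstance(value, (datetime.date, datetime.datetime)):
        return value.isoformat()
    raise TypeError("not JSON serialisable: %r" % (value,))


def json_roundtrip(obj):
    """JSON never resolves globals: whatever goes in comes back as plain
    dict/list/str/number values, and the receiver decides what to build."""
    return json.loads(json.dumps(obj, default=_to_primitive))


if __name__ == "__main__":
    print(loader_outcomes(SAMPLE_ALLOWED))    # ('OrderedDict', 'accepted')
    print(loader_outcomes(SAMPLE_FORBIDDEN))  # ('date', 'rejected')
    print(json_roundtrip({"when": SAMPLE_FORBIDDEN}))  # {'when': '2015-07-23'}
```

The point of the comparison is that the JSON path is safe by construction rather than by configuration: the date comes back as the string `"2015-07-23"` and it is the caller's job to turn it back into a `date`, whereas with pickle the stream itself decides which constructor runs and only an explicit allow-list keeps that decision with the receiver.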


