On Fri, 8 May 2015 07:58 pm, Cecil Westerhof wrote:

> I first used marshal in my filebasedMessages module. Then I read that
> you should not use it, because it changes per Python version and it
> was better to use pickle. So I did that and now I find:
> https://wiki.python.org/moin/Pickle
>
> Is it really that bad and should I change again?

marshal is really only for Python's internal use. I think that if Python was
created today, marshal would probably be an undocumented and internal-only
module.

pickle is quite safe provided you trust the environment you are running in
and the source of the pickle files. If you don't trust them, then you should
avoid pickle and use a format which doesn't execute code. You could use
JSON, plists, ini-files, or XML, all of which are text-based and handled by
the standard library. There is also YAML, but you have to use a third-party
library for that. You might also look at the "serpent" serialisation format
used by Pyro:

https://pypi.python.org/pypi/serpent

If your code is only going to be used by yourself, I'd just use pickle. If
you are creating an application for others to use, I would spend the extra
effort to build in support for at least pickle, JSON and plists, and let the
user decide what they prefer.

-- 
Steven

-- 
https://mail.python.org/mailman/listinfo/python-list
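
An added example, not part of the original post: it shows why a pickle from an untrusted source differs from a data-only format such as JSON. The Message class, the sample messages and the DataOnlyUnpickler and load_data_only names are assumptions made for illustration; len stands in for any callable a stream could name.

```python
import io
import json
import pickle


class Message:
    """Constructed sample: its pickle names a callable and an argument."""

    def __reduce__(self):
        # pickle stores "call len('abcd')" instead of the object's state.
        return (len, ("abcd",))


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain built-in data can load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_data_only(blob):
    """Load a pickle that may contain only ints, strings, lists, dicts, etc."""
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def demo():
    messages = [{"id": 1, "body": "hello"}, {"id": 2, "body": "world"}]  # constructed

    # 1. pickle.loads runs the callable named in the stream: the result is
    #    whatever that call returned, not a Message instance.
    blob = pickle.dumps(Message())
    loaded = pickle.loads(blob)

    # 2. The restricted loader rejects the same stream before the call happens.
    try:
        load_data_only(blob)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True

    # 3. Plain message data survives both the restricted loader and JSON,
    #    and JSON has no way to name a callable at all.
    ok_pickle = load_data_only(pickle.dumps(messages)) == messages
    ok_json = json.loads(json.dumps(messages)) == messages
    return loaded, rejected, ok_pickle, ok_json


if __name__ == "__main__":
    print(demo())
```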