this post was submitted on 10 Feb 2026

26 points (88.2% liked)

Python

7790 readers

22 users here now

Welcome to the Python community on the programming.dev Lemmy instance!

📅 Events

Past

November 2023

PyCon Ireland 2023, 11-12th
PyData Tel Aviv 2023 14th

October 2023

PyConES Canarias 2023, 6-8th
DjangoCon US 2023, 16-20th (!django 💬)

July 2023

PyDelhi Meetup, 2nd
PyCon Israel, 4-5th
DFW Pythoneers, 6th
Django Girls Abraka, 6-7th
SciPy 2023 10-16th, Austin
IndyPy, 11th
Leipzig Python User Group, 11th
Austin Python, 12th
EuroPython 2023, 17-23rd
Austin Python: Evening of Coding, 18th
PyHEP.dev 2023 - "Python in HEP" Developer's Workshop, 25th

August 2023

PyLadies Dublin, 15th
EuroSciPy 2023, 14-18th

September 2023

PyData Amsterdam, 14-16th
PyCon UK, 22nd - 25th

🐍 Python project:

💓 Python Community:

#python IRC for general questions
#python-dev IRC for CPython developers
PySlackers Slack channel
Python Discord server
Python Weekly newsletters
Mailing lists
Forum

✨ Python Ecosystem:

🌌 Fediverse

Communities

#python on Mastodon
c/django on programming.dev
c/pythorhead on lemmy.dbzer0.com

Projects

Pythörhead: a Python library for interacting with Lemmy
Plemmy: a Python package for accessing the Lemmy API
pylemmy pylemmy enables simple access to Lemmy's API with Python
mastodon.py, a Python wrapper for the Mastodon API

Feeds

founded 2 years ago

MODERATORS

jnovinger@programming.dev

erlingur@programming.dev

norambna@programming.dev

26

Stop using pickle already. Seriously, stop it! (mina86.com)

submitted 3 weeks ago by mina86@lemmy.wtf to c/python@programming.dev

12 comments fedilink hide all child comments

It is common knowledge that pickle is a serious security risk. And yet, vulnerabilities involving that serialisation format keep happening. In the article I shortly describe the issue and appeal to people to stop using pickle.

you are viewing a single comment's thread
view the rest of the comments

[–] logging_strict@programming.dev 1 points 1 week ago

project cost = sigma(1...n)(risk likelihood of occurring * risk cost), but we aren't discussing every possible risk. Only the one risk.

The risk of having to:

for the app to work, requires compiled components
having to be familiar with setup.py. This is referred to as the sewer, which is what is targeted by hackers e.g. xv
maintainers who come later being familiar and can maintain packages that incorporate other languages e.g. C or rust
possibly neglecting to perform the compile (but lets ignore this)
compiler runs a binary written and maintained by the spy agency Google

or

Just not doing that

The only justification for going with protoc, over other methods, could only come down to data serialization speed. But in that case, wouldn't a rust solution be: not only as fast, but also much safer.