Not until you linked me. :) They look like good steps but not quite what I need, for different reasons. I'll have to check when I get back to the office next week.
Mu. Unask the question. Serializing a function is itself the security hole, because who knows what that function does? A function is just as possibly malicious code as whatever else you think you're using it for.
The GP's point is if you're doing code deserialization, the definition of security is different. The data format having RCE bugs won't be as much of a concern, while trusting the data source will be much more of a concern.
If someone is able to modify my local files and wants to change the code I'm running, what is it about pickle that makes me vulnerable? They'd already be in a position where they could change my actual code.
Why do you think the attacker has the ability to change your local files? That's not the attack surface. The attack surface is when it's used in a wire format for network communication. The attack surface is the attacker convincing you to download a file in a format that you don't realize is executable, and every file format that includes pickled objects is vulnerable. The attack surface is that you've confused data and code. There's a reason why OpenBSD now enforces W^X, and that is that there are very different domains of trust. I'd trust my neighbor down the street to send me a spreadsheet; I'd not trust him to send me a program (which is precisely why Office macro viruses were such a problem, because spreadsheets could contain programs).
No, pickling and unpickling files in your user's data-dir isn't a big deal, until it is because your users wanted to share their data online. They'll sync their data-folder with Dropbox, and then their account gets compromised, and the next time they launch your program they've got a virus. They'll download a 'completed savegame' from a sketchy site, and now they've got a virus. They'll get a phishing e-mail, but it's not one of those zips or exes or whatever, it's a file-format they know is your program, and surely that's safe, right?
Don't make your file formats insecure. Don't pickle.
My rather poorly made point is that whether it's a security problem or not depends on what you're using pickle for. My typical use case is simply as a local cache for some slow computation in ad-hoc scripts. Being able to simply dump objects and load them back again without needing to write serialisation code is a great timesaver, and the only ways I can see that causing a security problem rely on an attacker already having significantly more access to begin with.
I don't like people making such strong statements about what others should and should not do, based on issues in some situations.
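The two positions above (a synced or downloaded file quietly becoming executable, versus pickle as a local cache that nobody else should be able to write) both come down to whether the program can tell that a pickle stream came from itself. The following is an added example, not code from any commenter in this thread: it pairs an HMAC tag over the cache file with a restricted unpickler that refuses any global reference outside a small allow-list, so a cache file swapped via a synced folder is rejected before any object is constructed. The key value, the allow-list and the sample cached data are constructed for the demo.

```python
import builtins
import hashlib
import hmac
import io
import pickle

# Constructed example key. A real program would generate this once per
# install and store it outside any folder that gets synced or shared
# (assumption for the demo, not a recommendation of this literal value).
CACHE_KEY = b"example-per-install-secret-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Builtins that plain data may legitimately reference; everything else
# (functions, arbitrary classes, os.*, subprocess.*) is refused.
SAFE_BUILTINS = frozenset({"dict", "list", "set", "frozenset", "tuple",
                           "range", "complex", "bytearray"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects GLOBAL references outside SAFE_BUILTINS.

    Ints, strings, lists, dicts and tuples need no globals, so ordinary
    cached data loads normally. A stream that tries to import any other
    callable raises before the object is created.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize data with the allow-listed unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def dump_signed(obj, key: bytes = CACHE_KEY) -> bytes:
    """Pickle obj and prepend an HMAC-SHA256 tag computed with key."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def load_signed(blob: bytes, key: bytes = CACHE_KEY):
    """Verify the tag first; only then hand the payload to safe_loads."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache file was not produced with this key; "
                         "refusing to unpickle it")
    return safe_loads(payload)


def check_restricted() -> bool:
    """Plain data loads; a pickle referencing builtins.len is refused."""
    sample = [1, {"a": (2, 3)}]            # constructed cached value
    ok = safe_loads(pickle.dumps(sample)) == sample
    try:
        safe_loads(pickle.dumps(len))      # emits GLOBAL builtins.len
        return False
    except pickle.UnpicklingError:
        return ok


def check_tamper_detected() -> bool:
    """A single flipped byte in the payload fails the HMAC check."""
    blob = dump_signed({"result": [1, 2, 3]})  # constructed cache entry
    if load_signed(blob) != {"result": [1, 2, 3]}:
        return False
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        load_signed(tampered)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("restricted unpickler:", check_restricted())
    print("tamper detection:", check_tamper_detected())
```

The HMAC answers "did this program write this file?" and the restricted unpickler limits the damage if that check is ever skipped or the key leaks; neither helps if the key itself lives in the synced folder, which is why the key's location is the assumption that matters most here.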
From what I hear, it is. It's a lifestyle choice; I'm surprised that the tone of your response seems to imply it is a necessity. It's not surprising that for this group of people who loved their work so much (see Einstein's relationship with his wife, Feynman's divorce, both detailed by another comment) that they had little interest in much else.
My tone is not intended to imply necessity -- more that several of those figures ARE in fact parents. Darwin and Dickens both had 10 (10!!!) kids. I'm not interested in a discussion of good vs bad vs absent parents; I was trying to point out that kids and parenting are a significant time chunk.
I'm sure that we could go through the list of "creatives" here and enumerate the progeny for each one. In the way that the viz breaks down various other categories around "creative work", I jokingly suggested that a parenting vector is also warranted (though obviously impossible to produce) given that many of these figures had kids and in significant numbers.
The Python engine is IPython underneath the hood. Any code or visualizations that work in IPython notebooks should work in Sense.
There is a difference though. In our experience, we've found that notebook-style development, with code inline, is awkward when doing serious analytics. It's harder to use version control, editors, etc. We have opted for the dual-pane experience common in R and Matlab. The output, however, can be rich and interactive just like an IPython notebook and is always saved.