Irmen de Jong
Hi,
I've made "serpent", a serializer based around ast.literal_eval().
You can find it on PyPI: http://pypi.python.org/pypi/serpent
Serpent takes a Python object tree and turns it into a serialized form that can be
safely read back by ast.literal_eval(). This avoids security issues that other
serialization protocols such as pickle have. It also has a few other nice properties
such as the readability of the serialized data.
I also wrote a Java and a .NET implementation so that you can easily exchange data
between the different ecosystems. The library works with Python 2.6+ (including 3.x),
IronPython 2.7, Jython 2.7, Java 1.6, .NET 3.5, or newer versions.
A little bit of documentation can be found on serpent's PyPI page, including a little
demo program and its output. The full source and the Java/.NET versions are not
available from PyPI obviously, but a download link for them is provided in the description.
'FAQ':
- Why not use XML? Answer: because XML.
- Why not use JSON? Answer: because JSON is quite limited in the number of datatypes it
supports, and you can't use comments in a JSON file.
- Why not use pickle? Answer: because pickle has security problems.
- Why not use repr()/ast.literal_eval()? See above; serpent is a superset of this and
provides more convenience. Serpent provides automatic serialization mappings for some
types other than the builtin primitive types. repr() can't serialize these to literals
that ast.literal_eval() understands.
- Why not a binary format? Answer: because binary isn't readable.
- But I don't care about readability. Answer: too bad, ast.literal_eval() wants a
literal string.
- But I want better performance. Answer: ok, maybe you shouldn't use serpent in this
case. Find an efficient binary protocol (protobuf?)
- Why only Python, Java and .NET, but no bindings for insert-favorite-language-here?
Answer: I don't speak that language. Maybe you could port serpent yourself?
Serpent on PyPI: http://pypi.python.org/pypi/serpent
Cheers
Irmen de Jong
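
An added example, not part of the original post and not serpent's own code: it shows why plain repr() does not round-trip through ast.literal_eval() for types such as UUID, date and Decimal, and how mapping them to builtin literals first fixes that. The function names, the type mapping and the sample data are assumptions made for this sketch, using only the standard library.

```python
import ast
import datetime
import decimal
import math
import uuid

def to_literal(obj):
    """Reduce obj to builtin literals only (hypothetical mapping, not serpent's)."""
    if isinstance(obj, float) and not math.isfinite(obj):
        # repr() gives 'inf'/'nan', which literal_eval() reads as a name, not a literal
        raise ValueError("non-finite float has no literal form")
    if obj is None or isinstance(obj, (bool, int, float, str, bytes)):
        return obj
    if isinstance(obj, datetime.date):  # also matches datetime.datetime
        return obj.isoformat()
    if isinstance(obj, (decimal.Decimal, uuid.UUID)):
        return str(obj)
    if isinstance(obj, dict):
        return {to_literal(k): to_literal(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(to_literal(x) for x in obj)
    raise TypeError("no literal mapping for " + type(obj).__name__)

def dumps(obj):
    return repr(to_literal(obj))

def loads(text):
    # Parses literals only; names, calls and attribute access are rejected
    return ast.literal_eval(text)

def is_literal(text):
    """True if ast.literal_eval() accepts text, False if it refuses it."""
    try:
        ast.literal_eval(text)
        return True
    except (ValueError, SyntaxError):
        return False

# Constructed sample data, not taken from the post
SAMPLE = {"id": uuid.UUID(int=1), "when": datetime.date(2013, 1, 19),
          "price": decimal.Decimal("9.95"), "tags": ("a", "b")}

if __name__ == "__main__":
    print(is_literal(repr(SAMPLE)))   # plain repr() contains constructor calls
    print(dumps(SAMPLE))              # literals only
    print(loads(dumps(SAMPLE)))
    print(is_literal("len('abc')"))   # a call expression is refused, not executed
```

In this sketch the mapped values come back as plain strings, so the receiving side decides explicitly which fields to convert back to UUID, date or Decimal.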