Pickles are bad, and you should feel bad

Issue #236 resolved
Ned Batchelder repo owner created an issue

On 2/14/2013 10:38 PM, Alex Gaynor wrote:

Hi Ned,

Basically what I want to do is have several different test runs on travis-ci.com take their coverage runs and send them to a build server, which would combine them and output the total results. (This is all for topaz, by the way.) I can do some basic security by adding a secret to each POST to the server (this is what I do for my nightly build uploads). The problem is, coverage data is a .pickle, and, in the event my secret is compromised, I'd prefer the result be bad coverage data, and not total ownage of my server.


Comments (7)

  1. Matthew Desmarais

    It looks like the coverage data file only contains dicts, lists, strings, and ints (Correct me if I'm wrong, Ned). It would probably be possible to write a small de-pickler that would only load these things. In that way you could continue to serialize as a pickle, but be safe from server ownage on deserialization. Alex, would that meet your needs?

  2. Ned Batchelder reporter

    Yup, json is the right choice these days. Its only downside is it isn't as compact as something like pickle, but the size of these files is not an issue, and if it is, we can gzip them.

  3. Ned Batchelder reporter

    @jchappell82 thanks for looking into it. I still want to do it. There doesn't have to be any backward compatibility: there's no need to read coverage 3.7.1 data files with coverage 4.0. We can keep talking here, or find me on Freenode IRC as nedbat.
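
Added example, not part of the original thread or of coverage.py: one way to build the restricted de-pickler suggested in comment 1, using the `find_class` hook of `pickle.Unpickler` plus a type check on the result. The names `NoGlobalsUnpickler`, `check_types`, `safe_loads`, the depth bound and both sample payloads are constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict

# Only the container and scalar types named in the thread are accepted.
ALLOWED_TYPES = (dict, list, str, int)
MAX_DEPTH = 20  # assumed bound; real data files are shallow


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every lookup of a module-level name."""

    def find_class(self, module, name):
        # dicts, lists, strings and ints have dedicated opcodes, so a
        # legitimate file never imports anything. Opcodes that call
        # something need a name resolved by this hook, so deny them all.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def check_types(obj, depth=0):
    """Walk the loaded object and reject anything unexpected."""
    if depth > MAX_DEPTH:
        raise pickle.UnpicklingError("nesting too deep")
    if not isinstance(obj, ALLOWED_TYPES):
        raise pickle.UnpicklingError(f"unexpected type {type(obj).__name__}")
    if isinstance(obj, dict):
        for key, value in obj.items():
            check_types(key, depth + 1)
            check_types(value, depth + 1)
    elif isinstance(obj, list):
        for item in obj:
            check_types(item, depth + 1)


def safe_loads(data: bytes):
    """Deserialize untrusted bytes into plain dict/list/str/int data."""
    obj = NoGlobalsUnpickler(io.BytesIO(data)).load()
    check_types(obj)
    return obj


# Constructed samples (not a real coverage data file).
SAMPLE_OK = pickle.dumps({"lines": {"topaz/main.py": [1, 2, 5]}})
SAMPLE_WITH_GLOBAL = pickle.dumps(OrderedDict(lines=[1, 2]))  # needs a global

if __name__ == "__main__":
    print(safe_loads(SAMPLE_OK))
    try:
        safe_loads(SAMPLE_WITH_GLOBAL)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

Denying globals does not limit memory use, so cap the upload size before unpickling.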
