kodos uses pickle to load and save .kds files
kodos uses pickle to load and save .kds files despite the fact that http://docs.python.org/library/pickle.html clearly states:
Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
While exchanging .kds files isn't something many people would do (or so I imagine), ignoring this warning clearly has security implications. Even besides this fact, using the pickle module is problematic (e.g. .kds files saved using python3 won't be compatible with kodos running on top of python2 due to a new pickle protocol being introduced).
I propose to switch to a different serialization format such as json which is supported by the python standard library and should suit our needs just fine.
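As an added example (not part of this issue and not kodos's own code), here is what the proposed switch could look like: a JSON save/load for .kds contents that validates the document before returning it, plus a restricted unpickler for reading existing pickle-format .kds files during a migration. The field names (regex, test_string, flags), the flag list and the sample payloads are assumptions constructed for the example; the real .kds layout is not shown in this issue.

```python
import collections
import io
import json
import pickle

FORMAT_NAME = "kds-json"
FORMAT_VERSION = 1
# Flag names accepted by the loader; constructed for this example, the issue
# does not say which flags kodos records.
ALLOWED_FLAGS = {"IGNORECASE", "MULTILINE", "DOTALL", "VERBOSE"}

# Hypothetical .kds contents; the key names are assumptions, not kodos's.
EXAMPLE_STATE = {
    "regex": r"(\d+)-(\w+)",
    "test_string": "42-foo",
    "flags": ["IGNORECASE"],
}


def dumps_kds(state):
    """Serialise a state dict to JSON text with a format/version header."""
    doc = {
        "format": FORMAT_NAME,
        "version": FORMAT_VERSION,
        "regex": state["regex"],
        "test_string": state["test_string"],
        "flags": list(state.get("flags", [])),
    }
    return json.dumps(doc, indent=2, sort_keys=True)


def loads_kds(text):
    """Parse JSON text back into a state dict, validating every field.

    json.loads only ever builds dicts, lists, strings, numbers, booleans and
    None; nothing in the file can name a class or call a function, which is
    exactly the property pickle lacks.  Shape and types are still checked so
    a malformed file fails loudly instead of yielding a half-valid state.
    """
    doc = json.loads(text)
    if not isinstance(doc, dict) or doc.get("format") != FORMAT_NAME:
        raise ValueError("not a %s document" % FORMAT_NAME)
    if doc.get("version") != FORMAT_VERSION:
        raise ValueError("unsupported version %r" % doc.get("version"))
    regex = doc.get("regex")
    test_string = doc.get("test_string")
    flags = doc.get("flags", [])
    if not isinstance(regex, str) or not isinstance(test_string, str):
        raise ValueError("regex and test_string must be strings")
    if not isinstance(flags, list) or not all(isinstance(f, str) for f in flags):
        raise ValueError("flags must be a list of strings")
    unknown = set(flags) - ALLOWED_FLAGS
    if unknown:
        raise ValueError("unknown flags: %s" % sorted(unknown))
    return {"regex": regex, "test_string": test_string, "flags": flags}


def kds_load_error(text):
    """Return the validation error message for text, or None if it loads."""
    try:
        loads_kds(text)
    except ValueError as exc:
        return str(exc)
    return None


class RejectingUnpickler(pickle.Unpickler):
    """Unpickler for legacy .kds files that refuses every global lookup.

    Plain dicts, lists and strings unpickle without naming any module-level
    object, so a benign legacy file still loads; a stream that references a
    class or function is rejected before the name is resolved.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s in legacy .kds file" % (module, name))


def loads_legacy_kds(data):
    """Load a legacy pickle-format .kds payload through the rejecting unpickler."""
    return RejectingUnpickler(io.BytesIO(data)).load()


def legacy_load_rejected(data):
    """True if the rejecting unpickler refused the payload, False if it loaded."""
    try:
        loads_legacy_kds(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed legacy payloads: a plain dict (loads), and one whose pickle
# stream references a class by name (rejected; OrderedDict is just a stand-in
# for any global reference).
LEGACY_BENIGN = pickle.dumps(EXAMPLE_STATE, protocol=2)
LEGACY_WITH_GLOBAL = pickle.dumps(collections.OrderedDict(EXAMPLE_STATE), protocol=2)

if __name__ == "__main__":
    print(dumps_kds(EXAMPLE_STATE))
    print("benign legacy file rejected:", legacy_load_rejected(LEGACY_BENIGN))
    print("legacy file with global rejected:", legacy_load_rejected(LEGACY_WITH_GLOBAL))
```

The JSON side carries an explicit format and version field so later layout changes can be detected rather than silently misread, which also addresses the python2/python3 pickle-protocol mismatch mentioned above. The rejecting unpickler is only meant for a one-time migration of files already on disk; new files would be written with dumps_kds.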
Yes, moving away from Pickle is probably a good idea. The JSON module was only introduced in Python 2.6 however. I think we should at least aim for compatibility with Python 2.4. The ConfigParser module might be a good fit.
Maintaining compatibility with older python versions comes with a significant cost. Personally I don't have python < 2.7 around, so I can't even test whether I accidentally broke something.
On the other hand explicitly requiring a newer version has some advantage. Being compatible with py3k gets easier if the code won't have to run on older python releases. Ftr, I have a branch of kodos that runs on both python 2.7 and python 3.2 without any hacks or version specific code.
Fwiw, I believe that PyQt4 does not even work with python 2.4, not sure though.