1. 20

  2. 3

    We firmly believe that, on the Internet, it is better to know that you are using an insecure protocol than to trust a protocol to be secure whose implementation hasn’t been thoroughly checked.

    Seeing the pickle docs have a massive red warning explaining that it’s insecure is much nicer than…

    …watching people who should know better insisting that having their app server unserialize input from unauthenticated strangers as a core part of its design was totally fine, that the obvious resulting RCE is totally the fault of some random class in Apache Commons and nothing to do with the fact that they opened up hundreds of kLoCs of unaudited code to all and sundry.