Occasionally people will ask Twisted developers why we have a custom serialization format for our remote object protocol, instead of using Python's standard pickle format. Besides interoperability with other languages (e.g. Java), the main reason is security. Unpickling strings from untrusted sources is totally and utterly insecure: a pickle is a small program for a stack machine, and that program can tell the unpickler to import any callable and call it with arguments the attacker chose.
For example, here is a pickle JP Calderone provided, which runs "touch blah" when unpickled (the `c__builtin__\neval` opcodes import the eval builtin, and the `R` opcode calls it on the string that follows):

    >>> import pickle
    >>> pickle.loads('c__builtin__\neval\np0\n(S"__import__(\'os\').system(\'touch blah\')"\np1\ntp2\nRp3\n.')
    0
    >>>
    itamar@sheriffpony:~$ ls -l blah
    -rw-r--r--  1 itamar itamar 0 2004-04-09 14:02 blah

The 0 that loads() returns is the exit status of the shell command, and the file is there afterwards. Nothing in the pickle was ever "trusted"; the unpickler simply did what the bytes told it to.
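The same trick, plus the two defences a practitioner would actually reach for, as an added Python 3 example that is not part of the original post. The post's pickle is Python 2 (the `__builtin__` module and the `S"..."` string opcode); the payload below is constructed with `__reduce__` so the opcodes come out right for Python 3, and its eval expression is harmless so the demo can be run anywhere. The `Payload` class, the `RestrictedUnpickler` allow-list contents, and the sample dict are all made up for the example; the allow-list technique itself is the one the Python `pickle` documentation describes under "Restricting Globals".

```python
import io
import pickle
import pickletools

# Constructed payload for this example. The post's pickle calls
# __builtin__.eval on "__import__('os').system('touch blah')"; here the
# callable is still eval, but the expression is harmless. Swapping the
# original string back in gives the original behaviour.
class Payload:
    def __reduce__(self):
        # On unpickle, the REDUCE opcode calls eval("40 + 2").
        return (eval, ("40 + 2",))


MALICIOUS = pickle.dumps(Payload(), protocol=0)
# Constructed benign sample: plain data, no globals, no reduce calls.
BENIGN = pickle.dumps({"user": "itamar", "ids": [1, 2, 3]}, protocol=0)

# Opcodes that can reach code outside the pickle data itself: importing a
# global, calling it, or running a class's constructor / __setstate__.
CODE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
    "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4",
}


def code_opcodes(data: bytes) -> set:
    """Disassemble a pickle WITHOUT executing it; return the risky opcodes it uses."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & CODE_OPCODES


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list; refuse everything else."""
    # Hypothetical allow-list for the example; a real one lists exactly the
    # classes the application expects and nothing that can run code.
    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    # What the post does: plain pickle.loads runs whatever the pickle asks for.
    return pickle.loads(data)


def is_blocked(data: bytes) -> bool:
    """True if the restricted unpickler refuses this pickle."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(code_opcodes(MALICIOUS))   # {'GLOBAL', 'REDUCE'}
    print(unsafe_loads(MALICIOUS))   # 42: eval ran during unpickling
    print(restricted_loads(BENIGN))  # the dict, loaded safely
    print(is_blocked(MALICIOUS))     # True
```

`code_opcodes` is the cheap triage step: `pickletools.genops` walks the opcode stream without building any objects, so it can be run on untrusted bytes to see whether they even try to import or call anything. `RestrictedUnpickler` is the runtime control, and note its limits: `find_class` only mediates GLOBAL and STACK_GLOBAL lookups, so it must allow nothing that can execute code, and it does nothing about pickles crafted to exhaust memory. The post's conclusion still stands; the allow-list is for the case where you are stuck with pickle, not a reason to accept pickles from strangers.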