Comment 7 for bug 1753870

No, I said that exported data (bookmarks and libraries in this case) are both considered *trusted* when importing. For bookmarks, that can be changed to making them untrusted, as I already did. For export data, it is pointless, since, as I said export data contains the entire calibre config, which in turn contains lots of executable code including plugins. Therefore, changing the conversion_options to not use pickle, does not actually achieve anything, since a malicious actor can simply modify some of the other executable code in the export instead. This has been mitigated by displaying a warning to the user informing them of that when importing exported data. There isn't anything more that can be done there, since exported data will always contain executable code, so if it is tampered with, it is game over.

As for the general argument of not using pickle, I am sympathetic, and indeed newer calibre code does not use pickle, but some legacy parts remain. None of those legacy parts operate on untrusted data, as far as I know.

And just for completeness, I just made a commit to make unpickling of conversion_options safe. But let me emphasize, once again, that this *does not* make exported data safe.