Comment 4 for bug 909568

Thierry Carrez (ttx) wrote :

Adding John Dickinson as Swift PTL for comments.

I agree that even if there is no obvious attack vector, using eval sounds like an unnecessary weakness. We rely on plenty of dependencies already, so it sounds like depending on simplejson or json does not add a lot of overhead.

John: what's your opinion on that?

David: since this is more a strengthening thing than an exploitable vulnerability (and most deploys are Python>2.6 so not vulnerable at all), would you agree if we open this up to the public as a regular security-oriented bug?
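The weakness the comment refers to, shown as an added example that is not Swift's code and not from the bug report: a parser built on eval() accepts any Python expression, while json.loads() (or simplejson, which the comment mentions as the alternative dependency) accepts only JSON. The input strings, the function names and the simplejson fallback are assumptions made for the illustration.

```python
# Added example: eval()-based parsing versus a real JSON parser.
# Not the project's code; inputs below are constructed for the demo.
try:
    import simplejson as json  # optional dependency named in the discussion
except ImportError:
    import json  # stdlib json (Python 2.6+)

# Constructed sample inputs. BENIGN is ordinary JSON; MALICIOUS is a
# Python expression that is not JSON at all but that eval() will run.
BENIGN = '{"name": "container1", "count": 3, "bytes": 1024}'
MALICIOUS = '__import__("os").getcwd()'  # harmless stand-in for arbitrary code


def parse_with_eval(text):
    """The pattern argued against: eval() on text received from elsewhere.

    Anything that is a valid Python expression is executed, so the
    'parser' is really a remote expression evaluator.
    """
    return eval(text)


def parse_with_json(text):
    """Hardened version: a JSON decoder only ever builds JSON values.

    Non-JSON input raises ValueError (json.JSONDecodeError is a subclass),
    it never executes anything.
    """
    return json.loads(text)


def demo():
    """Run both parsers over both inputs and report what each did."""
    results = {}
    # Both parsers produce the same dict for well-formed JSON ...
    results["eval_benign"] = parse_with_eval(BENIGN)
    results["json_benign"] = parse_with_json(BENIGN)
    # ... but eval() evaluates the expression in MALICIOUS and returns
    # a string (the working directory), i.e. code ran.
    results["eval_ran_code"] = isinstance(parse_with_eval(MALICIOUS), str)
    # json.loads() refuses the same input.
    try:
        parse_with_json(MALICIOUS)
        results["json_rejected"] = False
    except ValueError:
        results["json_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%s: %r" % (key, value))
```

The swap is behaviour-preserving for valid JSON objects and only changes what happens on input that is not JSON, which is exactly the case a strengthening fix cares about.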