
Author: jhylton
Date: 2001-11-10 22:07:19
Logged In: YES (user_id=31392)

I don't think we should be doing anything about marshal. Maybe we should name it pyclib or something <0.9 wink>. It works fine for .pyc files, but I don't see a reason for it to do any more than is necessary for that purpose.

I think the notion of an unpickler that only handles builtin datatypes is the most attractive option you offer, but Paul has a good point about eval for strings. (It currently has some hacks that address specific exploits, but I doubt they are sufficient.) I also wonder how hard it is to handle builtin types and avoid subclasses of builtin types.

If there are any changes to pickle, I think we need to be careful about how it is described. If we claim that an unpickler is safe for untrusted pickles, we've made a fairly strong claim. I still think such a design change requires a PEP that includes some requirements and use cases and a thorough analysis of potential exploits.
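The "unpickler that only handles builtin datatypes" idea discussed above can be sketched with the modern `pickle.Unpickler.find_class` hook. The code below is an added illustration, not code from this tracker thread or from CPython; it assumes Python 3, where every class reference in a pickle stream (GLOBAL/STACK_GLOBAL opcodes) is resolved through `find_class`, so an allowlist there also refuses subclasses of builtin types, which necessarily live outside the `builtins` module. The sample streams are constructed for the demo. The allowlist name `SAFE_BUILTIN_TYPES` and the helper functions are this example's own.

```python
import io
import pickle
import builtins

# Allowlist of builtin types that pickle references by name. Plain data
# (int, str, bytes, list, dict, tuple) never goes through find_class because
# it has dedicated opcodes, so it is always accepted. The allowlist holds
# types only: callables such as eval, exec, getattr or __import__ would let
# a REDUCE opcode run code on attacker-chosen arguments.
SAFE_BUILTIN_TYPES = frozenset({
    "set", "frozenset", "bytearray", "complex", "range", "slice",
})


class BuiltinOnlyUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only to an allowlist of builtin types.

    A subclass of dict defined in some module M is referenced in the stream
    as M.Name, never as builtins.Name, so it can never match the allowlist.
    """

    def find_class(self, module, name):
        # Note: the base class would first map Python 2 names such as
        # __builtin__.xrange for protocol < 3; this override does not, so
        # streams must be written with protocol 3 or later.
        if module == "builtins" and name in SAFE_BUILTIN_TYPES:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is forbidden by BuiltinOnlyUnpickler"
        )


def restricted_loads(data: bytes):
    """Load a pickle stream, allowing only plain data and allowlisted builtins."""
    return BuiltinOnlyUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """Return True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def global_reference_stream(module: str, name: str) -> bytes:
    """Constructed stream: PROTO 4, GLOBAL module.name, EMPTY_TUPLE, NEWOBJ, STOP.

    This is the shape pickle emits for a stateless instance of module.name,
    built by hand here so the demo does not depend on importable classes.
    """
    return (pickle.PROTO + b"\x04"
            + pickle.GLOBAL + module.encode() + b"\n" + name.encode() + b"\n"
            + pickle.EMPTY_TUPLE + pickle.NEWOBJ + pickle.STOP)


def sample_streams() -> dict:
    """Constructed sample streams for the demo (not from any real system)."""
    return {
        "plain": pickle.dumps({"ids": [1, 2, 3], "seen": {1, 2}, "name": "x"},
                              protocol=4),
        "range": pickle.dumps(range(3), protocol=4),          # builtins.range
        "empty_set": global_reference_stream("builtins", "set"),
        "ordered_dict": global_reference_stream("collections", "OrderedDict"),
        "dict_subclass": global_reference_stream("__main__", "TaggedDict"),
        "eval": global_reference_stream("builtins", "eval"),
    }


if __name__ == "__main__":
    for label, stream in sample_streams().items():
        verdict = "REJECTED" if is_rejected(stream) else "accepted"
        print(f"{label:>13}: {verdict}")
```

Plain data, `range` and an empty `set` load; anything resolved through another module (including any subclass of a builtin type) and any builtin outside the type allowlist is refused before its opcode can call it. Two caveats tie back to the thread: the "eval for strings" problem no longer applies in Python 3, whose `pickle` decodes STRING opcodes with `codecs.escape_decode` rather than `eval`; and the allowlist only supports a claim of safety for untrusted input if each allowlisted type is harmless when constructed with arbitrary arguments, which is exactly the analysis of potential exploits the comment asks for before any such claim is made.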
History
Date                 User   Action  Args
2007-08-23 13:56:49  admin  link    issue471893 messages
2007-08-23 13:56:49  admin  create