from Hacker News

JSON extra uses orjson instead of ujson (2019)

by arvindh-manian on 6/5/24, 11:02 PM with 16 comments

  • by arvindh-manian on 6/5/24, 11:02 PM

    Ran into this PR today. Thought Samuel Colvin's response to the migration request was prescient, especially considering what we later saw with the XZ Utils backdoor.

    I've no clue if there actually were/are any problems with orjson, but I admire this kind of dedication to security, especially years ago.

  • by jay-barronville on 6/6/24, 7:05 AM

    I’d be willing to bet that Samuel was perceived as a jerk by some for even implying that this contributor was a bit suspicious, yet it was the most honorable position to take as a maintainer so many folks are relying on and trusting, both directly and indirectly. Job well done.

  • by noitpmeder on 6/6/24, 3:46 AM

    Hard to argue with his logic, especially re the fact that pydantic is used very widely by large organizations. Some degree of dependency visibility (i.e. non-binary releases, >1 contributor, publicly attributable maintainer) is a good thing.

  • by 3r7j6qzi9jvnve on 6/6/24, 1:13 AM

    I'm really surprised ijl got angry that his mail was quoted; it looks innocent enough to me.

    For reference, it's been edited out here: https://github.com/pydantic/pydantic/issues/589

    But GitHub shows edits, so the edit is meaningless for privacy. Here's the original mail (yes, I'm blatantly ignoring his request to not publish this, I'm just this evil.)

        I've looked into replacing ujson in pydantic with orjson
        (https://github.com/ijl/orjson). In this implementation, the same JSON
        library is used for everything, and JSON outputs bytes without
        whitespace (as it's faster and JSON is a serialization format). If
        orjson is installed, it won't affect pydantic's benchmark for
        validation, but can be expected to improve whole-program performance.
    
        It's a large change with breaking changes to JSON methods, however, so
        rather than opening a pull request now, could you take a look and see if
        that's consistent and acceptable to the project?
    
        https://github.com/ijl/pydantic/commit/7c08f41edd340614d7c58888f025665dbc71d0e3
    
        That passes tests, but that's all. I'll clean it up or modify if the
        idea's acceptable.
    
        Thanks.

  • by omh1280 on 6/6/24, 12:46 AM

    I’ve also been wary of orjson considering ijl is anonymous and the only one authoring commits. Any ideas on if security folks are checking repository artifacts and verifying builds for projects like this?

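
The "dependency visibility" signals noitpmeder lists (non-binary releases) and omh1280's question about checking repository artifacts can be checked mechanically against the release metadata PyPI publishes. The block below is an added example, not code from this thread or from pydantic or orjson: the payload is a constructed sample in the shape of the PyPI JSON API response (file names and digests are invented), and the policy it encodes (require a source distribution, require a sha256 for every file) is an assumption about what a downstream consumer would want "visibility" to mean.

```python
import json
from dataclasses import dataclass, field

# Constructed sample in the shape of the PyPI JSON API response
# (https://pypi.org/pypi/<project>/<version>/json). File names and
# digests are invented; a real check would fetch the live document.
SAMPLE_RELEASE = json.dumps({
    "info": {"name": "example-pkg", "version": "1.0.0"},
    "urls": [
        {"packagetype": "bdist_wheel",
         "filename": "example_pkg-1.0.0-cp311-cp311-manylinux_2_17_x86_64.whl",
         "digests": {"sha256": "00" * 32}, "yanked": False},
        {"packagetype": "bdist_wheel",
         "filename": "example_pkg-1.0.0-cp311-cp311-win_amd64.whl",
         "digests": {}, "yanked": False},
    ],
})


@dataclass
class VisibilityReport:
    """Release-level signals a downstream consumer can derive offline."""
    has_sdist: bool
    wheel_count: int
    missing_digests: list[str] = field(default_factory=list)

    def findings(self) -> list[str]:
        """Assumed policy: a release needs an sdist to diff against the
        repository, and every file needs a sha256 to pin in lock files."""
        out = []
        if self.wheel_count and not self.has_sdist:
            out.append("binary-only release: no source distribution to audit")
        for name in self.missing_digests:
            out.append(f"no sha256 digest published for {name}")
        return out


def assess_release(payload: str) -> VisibilityReport:
    """Parse one release document and derive the visibility signals."""
    data = json.loads(payload)
    # Yanked files are still listed by the API; ignore them for policy purposes.
    files = [f for f in data.get("urls", []) if not f.get("yanked", False)]
    has_sdist = any(f.get("packagetype") == "sdist" for f in files)
    wheels = [f for f in files if f.get("packagetype") == "bdist_wheel"]
    missing = [f["filename"] for f in files
               if not f.get("digests", {}).get("sha256")]
    return VisibilityReport(has_sdist, len(wheels), missing)
```

Run `assess_release(SAMPLE_RELEASE).findings()` to see the two findings the sample triggers; the same function works on the live API document for any project.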
  • by meowface on 6/6/24, 2:38 AM

    Has anyone done an analysis of it? I've used orjson in all my Python projects for years.

  • by cqqxo4zV46cp on 6/6/24, 12:19 AM

    I definitely appreciate this degree of rigour.

  • by comex on 6/6/24, 12:11 AM

    (2019)

  • by ranger_danger on 6/6/24, 4:45 PM

    Can someone ELI5 why this is news? I'm just not following...