Bug 60289 suggested moving away from pickle for security reasons. We tried doing that and it uncovered several design flaws with the ReportNode structure. Here are a few:
- A cohort instance was serialized to the queue for absolutely no reason.
- The ReportNode tree is created before serialization, then serialized to the queue. When we moved to jsonpickle, this failed due to WTForms fields not deserializing properly. Changing RunReport to create the tree in an overloaded run method is easy, but changing the tests that depend on parse_requests is hard.
- The ValidateCohort report node needs to be changed if we change where the tree is created, since it needs access to the request context to validate CSRF.
For these reasons, we want to make changing to JSON serialization a lower-priority issue. We can fix Bug 60289 by deploying the Puppet module on the production instance of wikimetrics, because that module doesn't run the queue as root. Once that's done, we can turn off C_FORCE_ROOT. At a later date, though, we should deal with this serialization issue and the underlying design flaws.
Version: unspecified
Severity: normal
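
The following sketch is an added illustration, not wikimetrics code, of the direction the description points to: only plain data goes onto the queue, and the node tree is built on the worker side after deserialization. The `ReportNode` class here is a simplified stand-in, and `COHORTS`, `to_queue_message` and `run_report` are hypothetical names. Checks that need the request context (such as CSRF validation) are assumed to have run in the web process before the message is built.

```python
import json

# Constructed stand-in for the cohort store (hypothetical data).
COHORTS = {7: {"name": "test-cohort", "users": ["Alice", "Bob"]}}


def to_queue_message(cohort_id, metric, params):
    """Web side: build the queue message from primitives only."""
    payload = {"cohort_id": cohort_id, "metric": metric, "params": params}
    # json.dumps raises TypeError for anything that is not plain data
    # (a cohort instance, a form field), so such objects never reach the queue.
    return json.dumps(payload, sort_keys=True)


class ReportNode:
    """Simplified stand-in for a report tree node."""

    def __init__(self, name, children=()):
        self.name = name
        self.children = list(children)

    def names(self):
        return [self.name] + [n for c in self.children for n in c.names()]


def run_report(message):
    """Worker side: parse and check the message, then build the tree."""
    payload = json.loads(message)
    if set(payload) != {"cohort_id", "metric", "params"}:
        raise ValueError("unexpected queue message shape")
    if type(payload["cohort_id"]) is not int:
        raise ValueError("cohort_id must be an integer")
    cohort = COHORTS.get(payload["cohort_id"])
    if cohort is None:
        raise ValueError("unknown cohort")
    # The tree is created here, after deserialization, so it is never serialized.
    leaves = [ReportNode(f'{payload["metric"]}:{u}') for u in cohort["users"]]
    return ReportNode("report", leaves)


if __name__ == "__main__":
    msg = to_queue_message(7, "edits", {"days": 30})
    print(msg)
    print(run_report(msg).names())
```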