Deprecate `.add_pyobj()` & `.get_pyobj()`?

[ntninja]

Looking at the current README, I just noticed this passage:

This module also contains some helper functions for adding strings, json, and even python objects to IPFS:

>>> lst = [1, 77, 'lol']
>>> api.add_pyobj(lst)
'QmRFqz1ABQtbMBDfjpMubTaginvpVnf58Y87gheRzGfe4i'
>>> api.get_pyobj(_)
[1, 77, 'lol']

What this doesn't mention unfortunately is that doing that .get_pyobj() on a hash from an untrusted source = remote code execution. Our documentation does mention this, but even that passage doesn't properly show the magnitude of the problem.

What definitely has to happen:

• Replace the example with an example showing JSON serialization instead

What we may also want to do:

• Deprecate the .get_pyobj() and .add_pyobj() function and remove them for good in 0.5.x

Thoughts?

[whereswaldon]

They've always seemed a little hacky to me, so I'd be happy to drop them in 0.5.x. When I was working on the code in that area, I was more naiive and the magnitude of the problem didn't jump out at me, but now it does. Have you started on replacing the bad docs already?

[ntninja]

I did not at first realize either how big the issue was, otherwise this would have been dropped during our 0.4.x transition already. 😦
Anyways, I submitted the necessary changes for deprecation! Lets get this one fixed as well! 👍