torch dependency

[stevemarin]

Hello and thank you very much for all your hard work! We use fickling as a dependency of polyfile. Version 0.1.0 added a significant build time for us due to the inclusion of torch as a requirement.

We can continue working with 0.0.8 for now, so we have no complaints. But we were wondering if the torch requirement could be made optional in the future?

Thank you again!

[suhacker1]

Thanks for raising this issue! We're looking into this for the next release.

[drdavella]

Hi! I just want to second this issue. I think this is a really cool project and I would love to recommend fickling to our users as a way to harden pickle usage when handling potentially untrusted data.

However I'm not sure how many users would be okay with adding torch as a transient dependency so I agree it would be great if it were optional.

[drdavella]

Thanks for the quick turnaround and response! I'll keep an eye out for the release.

Just in case you're curious: our framework automatically introduces fickling to code that is using pickle and helps harden against cases where untrusted pickles may be loaded: pixee/codemodder-python#332