Add warning, as and copied from BSON.jl.

[PallHaraldsson]

No description provided.

[PallHaraldsson]

It seems good to let people know there (as soon as possible), but note at target:

https://github.com/JonasIsensee/JLD2DebugTools.jl is archived, so further changes may be needed to the docs, though I think it still works. Could be done in different (or same PR, if people want to suggest adding to it here soon).

[PallHaraldsson]

I'm curious is the a non-default option to load safely, or could or should there be (i.e. by default)?

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.09%. Comparing base (fce896f) to head (d0d60e5).

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #613      +/-   ##
==========================================
+ Coverage   85.08%   85.09%   +0.01%     
==========================================
  Files          37       37              
  Lines        4250     4247       -3     
==========================================
- Hits         3616     3614       -2     
+ Misses        634      633       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[JonasIsensee]

Hi!

Thank you for this suggestion.

Aside from people providing .jld2 files to me for debugging purposes I have not seen JLD2 files being distributed on the internet. That is part of the reason that there is no large warning at the top of the readme.
The other part is that this is a much more generic problem that exists for the serialization stdlib as well. (and any package installation...)

I suppose this also addresses your question on the default: The default is the "non-safe" version because otherwise (I would guess) 99% of users / use cases would need to explicitly add plain=false to their load calls.

Notes on the debug stuff should be removed. You are right.
The relevant features from JLD2DebugTools.jl were more or less added to base jld2 in #568
but since this provides a lot of experimental API, I have not really advertised it, yet.

[PallHaraldsson]

The other part is that this is a much more generic problem that exists for the serialization stdlib as well. (and any package installation...)

Well that's interesting, I didn't know of this for stdlib Serialization; nor for Pkg installation, and is the latter a problem? It means you can run arbitrary code on installing a package (that shouldn't be needed), so is it a security bug? Since you likely plan to, and will end up using the package, then the same applies, so it's probably not considered a security issue.

Maybe the stdlib docs should warn if not already, but as for here if it isn't the default, as I thought, then can be closed here.