As with all things, there is a tradeoff between security and
convenience when using [xml_pickle].  [xml_pickle] is meant to be
"secure by default".  This means, however, that the user familiar
with the standard pickle module won't always get the expected
behavior.  The following text explains the [xml_pickle] security
model.

For the impatient, the following code will give decent security
with the "expected" pickle behavior:

    from gnosis.xml.pickle.util import setParanoia
    setParanoia(0)

The following priority list is used during unpickling when
[xml_pickle] needs to create a class:

    1. Get class from CLASS_STORE, or create on-the-fly.
    2. Get class from a module the caller has imported.
    3. Get class from a module we can find in sys.path.

These map in a straightforward way to PARANOIA levels:

  PARANOIA = 2: "extreme paranoia"

    XML_Pickler may only instantiate classes that have been
    explicitly placed in the [xml_pickle] CLASS_STORE.

  PARANOIA = 1: "airtight"

    In addition to the above, XML_Pickler may create classes
    on-the-fly if they aren't in the [xml_pickle] namespace.  (This
    is safe, because the classes can only contain data.)

  PARANOIA = 0: "good enough"

    In addition to the above, XML_Pickler may also instantiate
    classes that the caller has imported.

  PARANOIA = -1: "free-for-all"

    All of the above, plus XML_Pickler is allowed to import modules
    itself.

See "test_paranoia.py" for numerous examples.

