docs: centralize pickle security caveat, link from codec/context docs

The pickle-on-untrusted-input warning was written out three times: in
the `PythonLogicalCodec::with_python_udf_inlining` rustdoc, in the
matching Python `SessionContext.with_python_udf_inlining` docstring,
and in two places inside `distributing_work.rst` (a free-floating
paragraph at the end of the inlining section plus the dedicated
Security warning block). Three copies of the same load-bearing text
would inevitably drift.

Pick `distributing_work.rst` Security section as canonical:

* Keep the Security warning block intact — it is the single source of
  truth.
* Trim the redundant "Note that pickle.loads itself remains unsafe..."
  paragraph above it to a one-line summary + Sphinx cross-reference
  (`Security`_) so the section header still anchors the link.
* Replace the Python docstring's 5-line warning paragraph with a
  one-sentence summary + `:doc:` link to `distributing_work`.
* Replace the rustdoc warning with a one-sentence summary, a relative
  pointer to `docs/source/user-guide/io/distributing_work.rst`, and a
  link to the upstream Python pickle module security warning so the
  rustdoc remains self-contained for someone reading just the crate.

Behavior unchanged; the strict-toggle test continues to assert on the
substring "inlining is disabled", which lives in `refuse_inline_payload`
(separate from these docs).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: timsaucer

crates/core/src/codec.rs

@@ -212,17 +212,17 @@ impl PythonLogicalCodec {
     /// cross-language wire bytes, or reject `cloudpickle.loads` on
     /// untrusted `from_bytes` input.
     ///
-    /// Security scope: strict mode (`false`) protects only the codec
+    /// Security scope: strict mode (`false`) narrows only the codec
     /// layer — it stops `Expr::from_bytes` from invoking
     /// `cloudpickle.loads` on the inline `DFPY*` payload. It does
-    /// **not** make `pickle.loads(untrusted_bytes)` safe. Python's
-    /// pickle protocol permits arbitrary code execution via
-    /// `__reduce__` (and `Expr.__reduce__` returns
-    /// `Expr._reconstruct(bytes)` — an honest reducer here, but the
-    /// outer pickle stream can contain any reducer). Treat every
+    /// **not** make `pickle.loads(untrusted_bytes)` safe; treat every
     /// `pickle.loads` on untrusted input as unsafe regardless of this
-    /// setting; the toggle only narrows the surface inside
-    /// `from_bytes`.
+    /// setting. See `docs/source/user-guide/io/distributing_work.rst`
+    /// (Security section) for the full threat model, and Python's
+    /// [pickle module security warning][1] for why `pickle.loads` is
+    /// unsafe in general.
+    ///
+    /// [1]: https://docs.python.org/3/library/pickle.html#module-pickle
     pub fn with_python_udf_inlining(mut self, enabled: bool) -> Self {
         self.python_udf_inlining = enabled;
         self

docs/source/user-guide/io/distributing_work.rst

@@ -308,14 +308,10 @@ side also refuses inline payloads. Explicit
 honor the supplied ``ctx`` directly and ignore the sender / worker
 contexts.
 
-Note that :py:func:`pickle.loads` itself remains unsafe on untrusted
-input regardless of this setting — an attacker producing the outer
-pickle envelope can execute arbitrary code before the codec ever
-sees the bytes (see the
-`pickle module security warning
-<https://docs.python.org/3/library/pickle.html#module-pickle>`_ in
-the Python standard library docs). The toggle only protects the
-:py:meth:`Expr.from_bytes` API surface.
+The toggle only narrows the :py:meth:`Expr.from_bytes` surface;
+:py:func:`pickle.loads` on untrusted bytes remains unsafe regardless
+of this setting. See the `Security`_ section below for the full
+threat model.
 
 Security
 ~~~~~~~~

python/datafusion/context.py

@@ -1802,11 +1802,11 @@ def with_python_udf_inlining(self, *, enabled: bool) -> SessionContext:
         :func:`datafusion.ipc.set_worker_ctx` for the corresponding
         :func:`pickle.loads`.
 
-        ``pickle.loads`` on untrusted bytes remains unsafe regardless of
-        this setting (see the `pickle module security warning
-        <https://docs.python.org/3/library/pickle.html#module-pickle>`_
-        in the Python standard library docs). Only the
-        ``to_bytes`` / ``from_bytes`` API is affected.
+        For the full security model, see
+        :doc:`/user-guide/io/distributing_work` (Security section). In
+        short: this toggle narrows only the :meth:`Expr.from_bytes`
+        surface; :func:`pickle.loads` on untrusted bytes remains
+        unsafe regardless of the toggle.
         """
         new_internal = self.ctx.with_python_udf_inlining(enabled)
         new = SessionContext.__new__(SessionContext)