Hi All, Considering the long history of problematic Serializable implementations throughout the Java ecosystem, not just in Commons, I propose that no BeanUtils types implement Serializable in the upcoming new major version 2.0.
Instead, we would document that if you want to serialize objects, you should implement a serialization proxy as suggested in Effective Java by Joshua Bloch. The alternative would be to write a large number of tests to ensure no security issues occur, on top of fixing all read/write security bugs like BEANUTILS-556 [1]. WDYT?

[1] https://issues.apache.org/jira/browse/BEANUTILS-556

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
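For readers unfamiliar with the pattern the mail refers to, the following is an added example of the Effective Java serialization proxy, not code from Commons BeanUtils or from the mail's author. `Period` is a hypothetical immutable value type with an invariant (start <= end); it is chosen only to show the mechanics. Only the nested proxy is ever written to the stream, a stream that names `Period` directly is rejected in `readObject`, and `readResolve` goes back through the public constructor so the invariant is re-checked on the way in. The `roundTrip` helper additionally installs an `ObjectInputFilter` allowlist as a second layer; the pattern string assumes the classes live in the default package.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical immutable value type used to demonstrate the serialization proxy pattern.
public final class Period implements Serializable {
    private static final long serialVersionUID = 1L;

    private final long start;
    private final long end;

    public Period(long start, long end) {
        // The invariant lives in one place: the constructor.
        if (start > end) {
            throw new IllegalArgumentException("start > end: " + start + " > " + end);
        }
        this.start = start;
        this.end = end;
    }

    public long start() { return start; }
    public long end() { return end; }

    // Serialization writes the proxy instead of this object, so the stream never
    // contains a Period descriptor and Period's fields are never set by the stream.
    private Object writeReplace() {
        return new SerializationProxy(this);
    }

    // A stream that names Period directly could only have been forged: refuse it.
    private void readObject(ObjectInputStream in) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }

    private static final class SerializationProxy implements Serializable {
        private static final long serialVersionUID = 1L;

        private final long start;
        private final long end;

        SerializationProxy(Period p) {
            this.start = p.start;
            this.end = p.end;
        }

        // Rebuild through the public constructor, so a stream carrying
        // start > end fails with IllegalArgumentException instead of producing
        // an object that violates the invariant.
        private Object readResolve() {
            return new Period(start, end);
        }
    }

    // Round trip through a filtered stream. The filter pattern is an assumption for
    // classes in the default package: it admits only the proxy class and rejects every
    // other class ("!*"), which limits what a hostile stream can instantiate.
    static Period roundTrip(Period p) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(p);
        }
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            in.setObjectInputFilter(
                    ObjectInputFilter.Config.createFilter("Period$SerializationProxy;!*"));
            return (Period) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Period copy = roundTrip(new Period(10, 20));
        System.out.println(copy.start() + ".." + copy.end());
    }
}
```

Compile and run with `javac Period.java && java Period` (Java 9 or later for `ObjectInputFilter`). The two pieces are complementary: the proxy guarantees that whatever the stream contains, the only way to obtain a `Period` is through its constructor, while the filter stops the deserializer from instantiating any class other than the proxy before `readResolve` ever runs.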