+1 from me.

On Tue, Sep 3, 2024 at 12:51 PM Gary D. Gregory <ggreg...@apache.org> wrote:
> Hi All,
>
> Considering the long history of problematic Serializable implementations
> throughout the Java ecosystem, not just in Commons, I propose that no
> BeanUtils types implement Serializable in the upcoming new major version
> 2.0.
>
> Instead, we would document that if you want to serialize objects, you
> should implement a serialization proxy as suggested in Effective Java by
> Joshua Bloch.
>
> The alternative would be to write a large amount of tests to ensure no
> security issues occur on top of fixing all read/write security bugs like
> BEANUTILS-556 [1].
>
> WDYT?
>
> [1] https://issues.apache.org/jira/browse/BEANUTILS-556

--
==============================
Melloware
melloware...@gmail.com
http://melloware.com
==============================