+1 Please include an example (or pseudocode) of a serialization proxy for people, since not all readers may be familiar with Bloch or his book.
On Tue, Sep 3, 2024 at 11:54 AM Melloware Inc <melloware...@gmail.com> wrote:
> +1 from me.
>
> On Tue, Sep 3, 2024 at 12:51 PM Gary D. Gregory <ggreg...@apache.org> wrote:
> >
> > Hi All,
> >
> > Considering the long history of problematic Serializable implementations
> > throughout the Java ecosystem, not just in Commons, I propose that no
> > BeanUtils types implement Serializable in the upcoming new major version
> > 2.0.
> >
> > Instead, we would document that if you want to serialize objects, you
> > should implement a serialization proxy as suggested in Effective Java by
> > Joshua Bloch.
> >
> > The alternative would be to write large amounts of tests to ensure no
> > security issues occur on top of fixing all read/write security bugs like
> > BEANUTILS-556 [1].
> >
> > WDYT?
> >
> > [1] https://issues.apache.org/jira/browse/BEANUTILS-556
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
> >
>
> --
> ==============================
> Melloware
> melloware...@gmail.com
> http://melloware.com
> ==============================
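For readers who do not have Effective Java to hand, the following is an added illustration of the serialization proxy pattern (3rd ed., Item 90) that the proposal refers to. It is not code from this thread, from Commons BeanUtils, or from Bloch's book: the class Range, its nested SerializationProxy, the helper methods and the allow-list filter string are all hypothetical names chosen for this example, and the stream-tampering step at the end assumes the standard Java serialization layout (primitive fields written last, in name order) in order to show the invariant check firing.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

/** Hypothetical immutable value type used only to illustrate the pattern. */
public final class Range implements Serializable {
    private static final long serialVersionUID = 1L;

    private final int low;
    private final int high;

    public Range(int low, int high) {
        if (low > high) {
            throw new IllegalArgumentException("low > high: " + low + " > " + high);
        }
        this.low = low;
        this.high = high;
    }

    public int low() { return low; }
    public int high() { return high; }

    // On serialization the runtime writes the proxy instead of this object,
    // so no Range instance is ever reconstructed field-by-field from a stream.
    private Object writeReplace() {
        return new SerializationProxy(this);
    }

    // A stream that claims to contain a Range directly (bypassing the proxy)
    // was not produced by this class and is rejected before any field is set.
    private void readObject(ObjectInputStream in) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }

    private static final class SerializationProxy implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int low;
        private final int high;

        SerializationProxy(Range r) {
            this.low = r.low;
            this.high = r.high;
        }

        // Deserialization goes through the public constructor, so the class
        // invariant (low <= high) is re-checked for every incoming stream.
        private Object readResolve() throws ObjectStreamException {
            try {
                return new Range(low, high);
            } catch (IllegalArgumentException e) {
                InvalidObjectException ex = new InvalidObjectException(e.getMessage());
                ex.initCause(e);
                throw ex;
            }
        }
    }

    // ---- demonstration helpers (not part of the pattern itself) ----

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Caller-side allow-list (JEP 290): only the proxy may be resolved;
            // any other class name in the stream is rejected before loading.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "Range$SerializationProxy;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Range(1, 10));
        Range copy = (Range) deserialize(stream);
        System.out.println("round trip: " + copy.low() + ".." + copy.high());

        // Tamper with the stream as an attacker would. The proxy's two int
        // fields are the last 8 bytes, written in name order (high, then low),
        // so overwriting the final byte raises 'low' to 127, above 'high' = 10.
        byte[] tampered = stream.clone();
        tampered[tampered.length - 1] = 0x7F;
        try {
            deserialize(tampered);
            System.out.println("BUG: tampered stream accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected tampered stream: " + e.getMessage());
        }
    }
}
```

The two pieces that matter for security are the readObject that unconditionally throws (so the outer class can never be instantiated without its constructor running) and the readResolve that rebuilds the object through the public constructor (so whatever validation the constructor does is applied to attacker-controlled bytes as well). The ObjectInputFilter is a separate, caller-side defence: the proxy pattern protects the invariants of one class, but it does not stop an arbitrary stream from naming other classes, which is what the allow-list is for.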