This issue was migrated from Pagure Issue #3038. Originally filed by mharmsen on 2018-06-22
'Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.
Serialization was a “horrible mistake” made in 1997, Reinhold says. He estimates that at least a third—maybe even half—of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.'
This technology is superseded by XML/JSON marshalling parsers like Jackson, Kryo, XStream as well as binary protocol mechanisms like Google Protocol Buffers.
Source: https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.html