The future of Serialization
peter.firmstone at zeus.net.au
Sat Aug 9 05:56:16 UTC 2014
I've noticed there's not much interest in improving Serialization on these lists. This makes me wonder if Java Serialization has lost relevance in recent years with the rise of Protocol Buffers, Apache Thrift and other means of data transfer over byte streams.
The burden of implementing Serializable can significantly hamper developers' efforts when refactoring; it's quite common for some projects to make no guarantee regarding Serialization compatibility between releases. Also, implementation of Serializable can double project development hours, hamper future development and increase software maintenance costs.
Serialization also presents opportunities for attackers and has been responsible for a number of zero-day exploits.
I don't know if isolates will be included with JDK 9 for Jigsaw, or whether ClassLoaders alone will provide isolation for modules.
The ability to limit visibility and provide isolation of implementation classes as well as providing limits on memory and threads for isolated modules would also improve platform security.
Serialization may provide a means to hot-upgrade modules, but more flexible options that don't cause serial data lock-in need to be developed.
Should Serializable eventually be deprecated?
Should Serialization be disabled by default?
Should a new mechanism be developed?
If a new mechanism is developed, what about circular object relationships?
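The following is an added example illustrating the attack surface the post refers to and the "disabled by default" question; it is not code from the post or from the JDK. It shows that ObjectInputStream runs a Serializable class's readObject() before the caller's cast is checked, so any gadget class on the classpath can execute during deserialization, and then applies a deserialization allowlist using the java.io.ObjectInputFilter API from JEP 290 (JDK 9 and later, so it did not exist when the message was written). The Greeting and Gadget classes, and the side effect the gadget records, are constructed for this demonstration; real gadget chains reach Runtime.exec or similar.

```java
import java.io.*;

// Added example, not part of the original post or of the JDK.
// Demonstrates (1) readObject() of an unexpected class running before the
// receiver's cast fails, and (2) an ObjectInputFilter allowlist (JEP 290,
// JDK 9+) rejecting that class before it is ever instantiated.
public class SerializationGadgetDemo {

    // Benign data class the receiver expects (hypothetical).
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Stand-in for a gadget class: its readObject() runs logic the receiver
    // never asked for. Here it only records that it ran.
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean triggered = false;
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // fires inside readObject(), before any cast by the caller
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unfiltered receiver: the (Greeting) cast happens only after readObject() ran.
    static Greeting readUnfiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Greeting) ois.readObject();
        }
    }

    // Filtered receiver: allow only Greeting and String, reject every other
    // class ("!*"), and bound graph depth and stream size. A rejected class
    // is refused with InvalidClassException before any instance is created.
    static Greeting readFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxbytes=4096;"
                + Greeting.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return (Greeting) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] hostile = serialize(new Gadget());

        try {
            readUnfiltered(hostile);
        } catch (ClassCastException e) {
            // Too late: Gadget.readObject() has already executed.
        }
        System.out.println("unfiltered: gadget triggered = " + Gadget.triggered); // true

        Gadget.triggered = false;
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
        System.out.println("filtered: gadget triggered = " + Gadget.triggered); // false

        Greeting ok = readFiltered(serialize(new Greeting("hello")));
        System.out.println("filtered: accepted " + ok.text);
    }
}
```

Compile and run with a JDK 9 or later (`javac SerializationGadgetDemo.java && java SerializationGadgetDemo`). The same pattern string can be applied process-wide with `-Djdk.serialFilter=...` instead of per stream, which is the closest the platform later came to the "disabled by default" option raised above: a global filter of `!*` refuses every class, and individual endpoints opt in with an explicit allowlist.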
More information about the core-libs-dev