Towards better serialization
brian.goetz at oracle.com
Wed Jun 12 13:57:09 UTC 2019
> there is something i think is dangerous, the keyword "open" offers a false promise
The `open` mechanism has nothing whatsoever to do with serialization; it
has to do with access control, and who can invoke it. Any concern you
have about open methods, you also have about public methods.
> Once an instance is serialized (by whatever serializers), it becomes public knowledge because you can always forge it. Trying to hide that is IMO an error.
Once a class is serializable (whether you've ever serialized an instance
or not), you've given the world an effectively-public mechanism to
instantiate new instances. In the old world, that mechanism bypasses
user-written constructors (bad!), but with the new mechanism, we can
defend that public API the same way we can defend any other API --
through validation, normalization, copying, etc.
More information about the amber-dev