Towards better serialization
brian.goetz at oracle.com
Thu Jun 13 13:37:34 UTC 2019
Having read through all of what you’ve written in this thread, let me summarize it more succinctly:
“There are users of serialization who have never used serialization in more than the most trivial manner, who have never been on the wrong side of a serialization vulnerability, and who really like the illusion of magic serialization dust that it provides. Please don’t take that away from us.”
And, I get it; this is the siren song that led us to the serialization framework we have, with all its complexity and security pain. But I think we should learn from history. You’re arguing “serialization is good enough”, or that small add-ons would solve the problem. Having been on the wrong side of too many serialization security issues, I disagree.
As a public service announcement, let me point out how a rhetorical trick might be tripping you up: you use the word “simply” everywhere, as in:
> Why don't we simply make it easier
(and others.) But there’s nothing simple about it; adding “simply” serves only to make it sound simpler than it is — and therein lies the danger.
More information about the amber-dev