Towards better serialization

Brian Goetz brian.goetz at
Thu Jun 13 13:37:34 UTC 2019

Having read through all of what you’ve written in this thread, let me summarize it more succinctly:

“There are users of serialization who have never used serialization in more than the most trivial manner, who have never been on the wrong side of a serialization vulnerability, and who really like the illusion of magic serialization dust that it provides.  Please don’t take that away from us.”  

And, I get it; this is the siren song that led us to the serialization framework we have, with all its complexity and security pain.  But I think we should learn from history.  You’re arguing “serialization is good enough”, or that small add-ons would solve the problem.  Having been on the wrong side of too many serialization security issues, I disagree.  

As a public service announcement, let me point out how a rhetorical trick might be tripping you up: you use the word “simply” everywhere, as in:

> Why don't we simply make it easier

(and others.)  But there’s nothing simple about it; adding “simply” serves only to make it sound simpler than it is — and therein lies the danger.  

More information about the amber-dev mailing list