I've posted a document at:

http://cr.openjdk.java.net/~briangoetz/amber/serialization.html

on an exploration we've been doing to address some of the shortcomings of Java serialization, building on other tools that have been (or will be) added to the platform. Rather than attempt to add band-aids on existing serialization, it addresses the risks of serialization at their root.  It is somewhat of a shift -- it cannot represent all object graphs, and it makes some additional work for the author -- but it brings object serialization into the light, where it needs to be in order to be safer.  Comments welcome!
