I think forking Hessian on Github, but not including it in Cayenne may be a good idea. We'll have a place to fix bugs without making along term commitment to Hessian. We can alter the Maven artifact ID, so that we can make releases. At the same time we'll be moving to #3.
Andrus > On Mar 15, 2016, at 11:47 PM, Aristedes Maniatis <a...@maniatis.org> wrote: > > Unfortunately the new version of Hessian in the latest milestone has at least > one significant bug. > > http://bugs.caucho.com/view.php?id=3920 > > Although I wouldn't classify Hessian as "abandoned", it is pretty close. The > Caucho people only sporadically release new versions [1] only some of those > versions randomly end up in maven. Commit messages are completely unhelpful > [2] so it is hard to know what or why something changes. There are no release > notes. We don't know if Hessian is impacted by the Java serialisation > security issues uncovered last year [3] > > I'm prepared to put in some time (or more specifically delegate one of my > team to spend some time) to come up with a resolution. We already have a > workaround for the BigDecimal issue. But the question is, what should the > Cayenne project do next? > > 1. I believe that trying to push patches upstream is futile. The developers > don't respond to bugs or mailing list questions. > > 2. We could fork the Hessian project and create a "Cayenne serialiser" > subproject. The licensing is all already APL. All we'd need to do is > repackage and rename everything to avoid their trademarks. Do we have enough > interest in our community to maintain such a thing? > > 3. Now that Dima has made ROP pluggable, work on integrating another > technology like Google's protocol-buffers [4] or even use built-in Java > serialisation. > > > I'm tending to like (3), but it could be substantial work. > > > How many developers here are using Hessian? Can we have a show of hands? > > Has anyone here experience with other serialisers like protocol-buffers or > thrift? > > I know that Andrus has experience using json in his link-rest project, but I > think that's too slow/large for ROP purposes. Still, it is very flexible. > > > Thoughts? > Ari > > > > [1] http://mvnrepository.com/artifact/com.caucho/hessian > [2] https://github.com/ebourg/hessian/commits/git-svn > [3] > https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread > [4] https://developers.google.com/protocol-buffers/docs/proto3 > > -- > --------------------------> > Aristedes Maniatis > GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
