[jira] [Commented] (LUCENENET-574) [Serializable] Classes

Fri, 01 Sep 2017 13:25:01 -0700 

    [ 
https://issues.apache.org/jira/browse/LUCENENET-574?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16151094#comment-16151094
 ] 

Shad Storhaug commented on LUCENENET-574:
-----------------------------------------

It turns out that per Microsoft, binary serialization is not meant for new 
applications, but only for helping with the transition from .NET Framework to 
.NET Core (https://github.com/dotnet/corefx/issues/23584)

{quote}
It's crucial that we state as often as possible that binary serialization is 
not intended to be used for new applications but to make porting from Desktop 
to Core easier. There are tons of security concerns that are introduced by 
binary serialization, one of it is reading from a stream that could be 
compromised (network transferred date, e.g. in remoting).{quote}

So, it looks like the best "strategy" for this will be to leave the attribute 
off of ALL of the classes (including exceptions) except for those that 
explicitly require it in order for Lucene.Net to function. All legacy tests 
that verify serialization support should be disabled/removed.

> [Serializable] Classes
> ----------------------
>
>                 Key: LUCENENET-574
>                 URL: https://issues.apache.org/jira/browse/LUCENENET-574
>             Project: Lucene.Net
>          Issue Type: Improvement
>    Affects Versions: Lucene.Net 4.8.0
>            Reporter: Shad Storhaug
>            Priority: Minor
>
> In Lucene.Net 3.0.3 several classes were marked with the [Serializable] 
> attribute. The same has been done to several of the classes in the Lucene.Net 
> (core), but most of the classes in the sub-projects are still not 
> serializable.
> Some of the legacy tests that were carried over required certain classes to 
> be serializable (LUCENENET-170 and LUCENENET-338), which is how this issue 
> was first discovered. 
> At the very least, all Queries, Filters, and Analyzers should be marked 
> [Serializable], but it is unclear what criteria version 3.0.3 used to 
> determine which other classes should be serializable. We need a clear 
> strategy for this as well as the task to be done.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to