Interesting... Suddenly Java gets passed by reference instead of value? Things like (sounds like dark magic to me ;) ):

    @Serializer
    public pattern Range(int lo, int hi) {
        lo = this.lo;
        hi = this.hi;
    }

On Wed, 12 Jun 2019 at 12:47, Martin Grigorov <mgrigo...@apache.org> wrote:
> Current state:
> http://cr.openjdk.java.net/~briangoetz/amber/serialization.html
>
> On Sat, May 26, 2018 at 1:39 PM Martijn Dashorst <martijn.dasho...@gmail.com> wrote:
> >
> > https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.amp.html?__twitter_impression=true
> >
> > Oracle plans to dump risky Java serialization
> > A “horrible mistake” from 1997, the Java object serialization capability
> > for encoding objects has serious security issues
> >
> > Paul Krill
> >
> > Oracle plans to drop from Java its serialization feature that has been a
> > thorn in the side when it comes to security. Also known as Java object
> > serialization, the feature is used for encoding objects into streams of
> > bytes. Used for lightweight persistence and communication via sockets or
> > Java RMI, serialization also supports the reconstruction of an object graph
> > from a stream.
> >
> > Removing serialization is a long-term goal and is part of Project Amber,
> > which is focused on productivity-oriented Java language features, says Mark
> > Reinhold, chief architect of the Java platform group at Oracle.
> >
> > To replace the current serialization technology, a small serialization
> > framework would be placed in the platform once records, the Java version of
> > data classes, are supported. The framework could support a graph of
> > records, and developers could plug in a serialization engine of their
> > choice, supporting formats such as JSON or XML, enabling serialization of
> > records in a safe way. But Reinhold cannot yet say which release of Java
> > will have the records capability.
> >
> > Serialization was a “horrible mistake” made in 1997, Reinhold says. He
> > estimates that at least a third—maybe even half—of Java vulnerabilities
> > have involved serialization. Serialization overall is brittle but holds the
> > appeal of being easy to use in simple use cases, Reinhold says.
> >
> > Recently, a filtering capability was added to Java so if serialization is
> > being used on a network and untrusted serialization data streams must be
> > accepted, there is a way to filter which classes can be mentioned, to
> > provide a defense mechanism against serialization’s security weaknesses.
> > Reinhold says Oracle has received many reports about application servers
> > running on the network with unprotected ports taking serialization
> > streams, which is why the filtering capability was developed.
> >
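The "filtering capability" the quoted article refers to is the deserialization filter that shipped with JDK 9 (java.io.ObjectInputFilter, JEP 290). The following is an added example, not code from this thread or from the Amber proposal: it installs a per-stream allow-list so that only an expected class (a constructed Range class, unrelated to the "pattern Range" sketch above) plus a couple of java.base classes can be resolved, and everything else is rejected before its class is loaded. The class names and limits in the filter string are assumptions chosen for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Per-stream deserialization allow-list using java.io.ObjectInputFilter (JDK 9+).
 * Everything here is constructed for illustration; the filter pattern and the
 * Range class are assumptions, not part of the mailing-list thread.
 */
public class FilteredDeserialization {

    // Constructed sample payload class.
    public static final class Range implements Serializable {
        private static final long serialVersionUID = 1L;
        final int lo;
        final int hi;
        Range(int lo, int hi) { this.lo = lo; this.hi = hi; }
    }

    // Pattern syntax: ';'-separated entries, '!' rejects, '*' is a wildcard,
    // maxdepth=/maxbytes= cap graph depth and stream size. The trailing "!*"
    // turns the list into an allow-list: any class not matched earlier is rejected.
    static final ObjectInputFilter RANGE_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxbytes=4096;"
            + "FilteredDeserialization$Range;"
            + "java.lang.Integer;java.lang.Number;"
            + "!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allow-list installed on this stream only. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(RANGE_ONLY);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected class passes the filter.
        Range r = (Range) deserializeFiltered(serialize(new Range(1, 10)));
        System.out.println("accepted: Range(" + r.lo + ", " + r.hi + ")");

        // A class outside the allow-list (a harmless ArrayList here) is rejected
        // with InvalidClassException before any of its deserialization logic runs.
        List<Integer> unexpected = new ArrayList<>();
        unexpected.add(42);
        try {
            deserializeFiltered(serialize(unexpected));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A per-stream filter is the narrowest option; the same pattern syntax can be applied process-wide with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which is the usual mitigation for the "unprotected ports taking serialization streams" case the article describes, since it also covers streams opened by libraries the application does not control.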