[ https://issues.apache.org/jira/browse/LOG4J2-3228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17477411#comment-17477411 ]
Matt Sicker commented on LOG4J2-3228:
-------------------------------------

Some potential breaking changes this would introduce in log4j-api by removing serializable:

* AbstractLogger and subclasses
* ThreadContext.ContextStack, sub-interfaces, and implementing classes
* DefaultFlowMessageFactory
* Message, sub-interfaces, and implementing classes
* StructuredDataId
* StatusData
* Level (and presumably generated level classes)
* Marker and implementing classes

While I agree with the concept, if we can't remove serializability from these API classes, then we'll have to make sure they use strict serialization with serialization proxies for everything to minimize the size of a deserialization allowlist. In general, it would be better to standardize on JSON for serializing and deserializing data in a more controlled fashion.

> Nothing should implement Serializable in Log4j 3
> ------------------------------------------------
>
>                 Key: LOG4J2-3228
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3228
>             Project: Log4j 2
>          Issue Type: Story
>            Reporter: Gary D. Gregory
>            Priority: Major
>             Fix For: 3.0.0
>
>
> Like Effective Java #85.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
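
The serialization-proxy approach with a small deserialization allowlist mentioned in the comment above, shown as an added example that is not part of the original message and is not Log4j code. DemoLevel, its nested Proxy and ProxyAllowlistDemo are hypothetical names, and the filter API used requires Java 9 or later.

```java
import java.io.*;

// Hypothetical stand-in for an API value class; not Log4j code. Needs Java 9+.
final class DemoLevel implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;
    private final int intLevel;

    DemoLevel(String name, int intLevel) {
        if (name == null || name.isEmpty() || intLevel < 0) {
            throw new IllegalArgumentException("invalid level");
        }
        this.name = name;
        this.intLevel = intLevel;
    }

    // Always write the proxy, never this object's own fields.
    private Object writeReplace() { return new Proxy(name, intLevel); }

    // A stream that names DemoLevel directly is forged: refuse it.
    private void readObject(ObjectInputStream in) throws InvalidObjectException {
        throw new InvalidObjectException("serialization proxy required");
    }

    @Override public String toString() { return name + "(" + intLevel + ")"; }

    private static final class Proxy implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final int intLevel;
        Proxy(String name, int intLevel) { this.name = name; this.intLevel = intLevel; }
        // Rebuild through the constructor so its validation runs on untrusted data.
        private Object readResolve() { return new DemoLevel(name, intLevel); }
    }
}

public class ProxyAllowlistDemo {
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new DemoLevel("WARN", 300));
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            // Allowlist: the proxy class and String; "!*" rejects every other class.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("DemoLevel$Proxy;java.lang.String;!*"));
            System.out.println(in.readObject());
        }
    }
}
```

Because only the proxy ever appears in the stream, the allowlist needs one entry per proxy type rather than one per field type or subclass of the real class.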