Re: Re: [PROPOSAL] use default value for validate-serializable-objects in dunit

2018-12-21 Thread Kirk Lund
Thanks for the input Bruce. I'm going to close the PR for now and do some more thinking about how we test it.
On Fri, Dec 21, 2018 at 3:26 PM Bruce Schuchardt wrote:
> I agree with running tests with the default settings but I do not agree
> with this change.
>
> I think we need to enable this

Fwd: Re: [PROPOSAL] use default value for validate-serializable-objects in dunit

2018-12-21 Thread Bruce Schuchardt
I agree with running tests with the default settings but I do not agree with this change. I think we need to enable this serialization validation by default.  Otherwise servers and clients are exposed to serialization exploits.  We did not enable validation by default when the serialization

Re: [PROPOSAL] use default value for validate-serializable-objects in dunit

2018-12-21 Thread Bruce Schuchardt
-1 I'm fearful that removing full testing of serialization validation leaves the project exposed to java-serialization bombs.  We need to ensure that our servers and clients are protected from malicious deserialization attacks.
On 2018/12/21 22:42:23, Kirk Lund wrote:
> > > > I filed

Re: [PROPOSAL] use default value for validate-serializable-objects in dunit

2018-12-21 Thread Kirk Lund
I filed GEODE-6202: DUnit should not enable VALIDATE_SERIALIZABLE_OBJECTS by default
https://issues.apache.org/jira/browse/GEODE-6202
And submitted PR #3023
https://github.com/apache/geode/pull/3023
Please review and/or discuss further if needed.
Thanks, Kirk
On Thu, Mar 15, 2018 at 12:00 PM

Re: [PROPOSAL] use default value for validate-serializable-objects in dunit

2018-03-15 Thread Bruce Schuchardt
+0.5  I think we can turn this off (back to the default) now since the AnalyzeSerializables tests for other modules have been created.  These tests ensure that serializable objects are properly white-listed or excluded and are able to be serialized/deserialized. Excluded classes are not

Re: [PROPOSAL] use default value for validate-serializable-objects in dunit

2018-03-15 Thread Jason Huynh
+1 agreement with Kirk and Sean. Any non default configuration should probably have its own set of tests. I can understand some exploratory work where someone might want to run the whole precheckin with a non default value to help identify areas that they may have missed or are unexpectedly

Re: [PROPOSAL] use default value for validate-serializable-objects in dunit

2018-03-15 Thread Sean Goller
I agree with this. We should have a default state that reflects an “out of the box” configuration, and if tests expect a different configuration, it should manage that within the context of the test.
-Sean
On Tue, Mar 13, 2018 at 10:04 AM Kirk Lund wrote:
> I want to propose

[PROPOSAL] use default value for validate-serializable-objects in dunit

2018-03-13 Thread Kirk Lund
I want to propose using the default value for validate-serializable-object in dunit tests instead of forcing it on for all dunit tests. I'm sympathetic to the reason why this was done: ensure that all existing code and future code will function properly with this feature enabled. Unfortunately