> On 19 Sep 2019, at 18:32, Joe Darcy <joe.da...@oracle.com> wrote:
> 
> Hello,
> 
> Ahead of augmenting javac's serial lint checks under JDK-8160675, it would be 
> helpful to mark fields in security libs classes where the class is 
> serializable, but a non-transient instance field does *not* have a 
> serializable type. Such classes may have difficulties being serialized at 
> runtime:
> 
>     JDK-8231262 : Suppress warnings on non-serializable instance fields in 
> security libs serializable classes
>     http://cr.openjdk.java.net/~darcy/8231262.0/

The changes look good to me.

The fields in PrivateCredentialPermission and SecureRandom could be made final 
and assigned null, ensuring non-Serializable types will never leak into them. 
But equally, this could be left to a follow-on change for someone working in 
the security area.

-Chris.
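
The runtime difficulty discussed in this thread, as an added example that is not part of the original messages or the webrev: a serializable class with a non-transient field of a non-serializable type fails in `writeObject` only when the field holds a non-null value. The class names (`SerialFieldDemo`, `Handle`, `Flagged`, `Excluded`) are hypothetical, and the use of `@SuppressWarnings("serial")` on the field is an assumption about how such a warning is suppressed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFieldDemo {
    // Hypothetical type that does not implement Serializable.
    static final class Handle {
        final int id;
        Handle(int id) { this.id = id; }
    }

    // Serializable class with a non-transient field of a non-serializable type.
    // The annotation (assumed form) only silences the lint warning;
    // it does not change what happens at runtime.
    static class Flagged implements Serializable {
        private static final long serialVersionUID = 1L;
        @SuppressWarnings("serial")
        private Handle handle;
        Flagged(Handle h) { this.handle = h; }
    }

    // Same shape, but the field is excluded from the serialized form.
    static class Excluded implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient Handle handle;
        Excluded(Handle h) { this.handle = h; }
    }

    // Serializes to an in-memory buffer and reports the outcome.
    static String trySerialize(Object o) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(o);
            return "ok";
        } catch (NotSerializableException e) {
            return "NotSerializableException: " + e.getMessage();
        } catch (IOException e) {
            return "IOException: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("non-null field: " + trySerialize(new Flagged(new Handle(1))));
        System.out.println("null field:     " + trySerialize(new Flagged(null)));
        System.out.println("transient:      " + trySerialize(new Excluded(new Handle(1))));
    }
}
```

Only the first call fails. A field that is always null serializes cleanly, which is the effect of the final-and-null suggestion in the reply above.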
