Hi Joe,
It's a little odd to suppress the warnings in the X509CertImpl class
since it is a subclass of java.security.cert.Certificate which
implements the writeReplace method so these fields are not serialized.
Also for other classes like X509Key which are internal it is a little
odd to suppress the warnings for fields like bitStringKey that are not
Serializable and are never serialized. It is probably better to mark
them as transient, but I'm not really sure it is worth making those
changes for otherwise stable code. I guess when I look at some of the
warnings, I might think there is an issue when there really isn't.
I suppose these are not things you can easily detect at compile time,
but I am wondering what you think.
--Sean
On 9/19/19 1:32 PM, Joe Darcy wrote:
Hello,
Ahead of augmenting javac's serial lint checks under JDK-8160675, it
would be helpful to mark fields in security libs classes where the class
is serializable, but a non-transient instance field does *not* have a
serialiable type. Such classes may have difficulties being serialized at
runtime:
JDK-8231262 : Suppress warnings on non-serializable instance fields
in security libs serializable classes
http://cr.openjdk.java.net/~darcy/8231262.0/
The review thread of the of the analogous core libs change, JDK-8231202:
"Suppress warnings on non-serializable non-transient instance fields in
serializable classes", is out on core-libs:
http://mail.openjdk.java.net/pipermail/core-libs-dev/2019-September/062456.html
Thanks,
-Joe
