The future of Serialization
Alan Bateman
Alan.Bateman at oracle.com
Mon Aug 11 11:21:01 UTC 2014
On 09/08/2014 06:56, Peter Firmstone wrote:
>
> I've noticed there's not much interest in improving Serialization on
> these lists. This makes me wonder if java Serialization has lost
> relevance in recent years with the rise of protocol buffers apache
> thrift and other means of data transfer over byte streams.
>
Just to add to Brian's comments, I think part of it is that many people
are busy with other things, preparing for JDK 9 for example. So I think
there is a lot of support for investigation and proposals that would
improve things, it's just that some people are too busy to respond.
>
> I don't know if isolates will be included with JDK 9 for Jigsaw, or
> whether ClassLoaders alone will provide isolation for modules.
>
> The ability to limit visibility and provide isolation of
> implementation classes as well as providing limits on memory and
> threads for isolated modules would also improve platform security.
>
If by "isolates" you mean JSR 121 then I think that would be well beyond
the scope, as would resource management. This isn't really the thread to
discuss how module boundaries will work but just to say that class
loaders and visibility can be weak when it comes to module boundaries.
There are other options available, particularly when the ability to
extend the access control rules are on the table. So I would suggest not
making any assumptions here for now.
-Alan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20140811/d71ecc9e/attachment.htm>
More information about the security-dev
mailing list