cogman10 a day ago

Ah, my most hated enemy. Java Serialization.

I know that some JDK devs will argue that it's one thing that made Java popular. And I'm sure they are right. But man oh man if it's not one of the biggest footguns in the current JDK. It also constantly gets in the way of Java language development. They had to figure out, for example, "How do I serialize a lambda"? Which should really tell you just how ridiculous this thing is.

If there's one breaking change to the JDK that I'd welcome, it's the removal of Java serialization. But that will never happen because WAY too many companies depend on it.

chickenzzzzu a day ago

Nothing will ever be funnier than the quote from that Java language designer guy: "Java Serialization is a full employment act for security engineers."

privatelypublic a day ago

.Net has similar issues.

WorldMaker a day ago

Since around .NET 5 the raw binary serializer (BinaryFormatter) throws danger warnings at compile time, generally doesn't work cross-platform, and most standard analysis configs upgrade those to compile errors. The documentation is full of similar danger warnings. It mostly remains for a backwards compatibility commitment, and most of the original use cases for BinaryFormatter have generally all been replaced with Span<T>, Memory<T>, and smarter "Unsafe" [0] Marshallers.

I'm not sure I'd call the situation similar.

[0] Unsafe in terms of doing memory access that can result in danger, but still far more safe than BinaryFormatter sledgehammers.

privatelypublic a day ago

Nice! But it doesn't negate my intent: warning that .NET isn't immune to the binary serialization issues.

I haven't had much of a chance to work with non-framework/mono unfortunately. So, good to see they made the issues explicit. Though, I chuckle at the idea of companies upgrading such to errors via config, but that's an iceberg of "the street is looking better than doing more coding."

WorldMaker a day ago

In general a lot has changed for the better since 4.x and mono.

> Though, I chuckle at the idea of companies upgrading such to errors via config

Depends on the company's code quality standards, of course. A lot of companies in my experience let tools like SonarQube drive towards very strict "linter" configs.

I also almost failed to mention it (but did in a quick edit), but I also think that the cross-platform compatibility issues in this case also especially drive companies to avoid BinaryFormatter "naturally". The .NET team made a series of correct decisions: while they couldn't break backward compatibility (all the way back to the OG .NET Framework 1.0), they could keep cross-machine compatibility broken (it was always broken; unlike Java's Serializable, BinaryFormatter was always primarily for FFI and local single-machine use, which anyone trying to use it for distributed serialization almost always found out the hard way eventually) and even expand it to be "more obviously broken". One of the core abilities in .NET 5+ is to be able to build/test locally in Windows or macOS and then push to, say, Docker containers on a Linux server. BinaryFormatter absolutely does not work in such scenarios and makes a loud racket if you try. Additionally, there are even now subtle incompatibilities between, say, types of Windows machine.

Getting bitten by that is easy, and will also naturally cause companies to expedite moving warnings to errors in their configs.

On the carrot side, too, System.Text.Json is now out of the box in every .NET allowing for very easy (and quick/performant) JSON serialization. Not having to install a third/second-party library for a secure, standards-based serializer is a big deal and helps remove a lot of the reasons people would accidentally rely on BinaryFormatter. (Similar to the old days when Python only provided pickling out of the box and it took maybe too long for a json library to move to first party standard library inclusion. It's great that both languages have solved that.)
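The two things this comment describes, the SYSLIB0011 obsoletion warning that an analysis config can promote to a build error, and System.Text.Json as the out-of-the-box replacement, side by side. This is an added example, not code from either commenter; it assumes a .NET 5 to .NET 8 SDK (BinaryFormatter is no longer in the shared framework on .NET 9), and the `Order` type, the `OrderStore` class and the sample payloads are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text.Json;

// Constructed DTO for this example; not taken from the thread.
public sealed class Order
{
    public int Id { get; set; }
    public string Customer { get; set; } = "";
}

public static class OrderStore
{
    // "Before": the payload itself names the types to instantiate, so the
    // deserializer trusts the bytes. On .NET 5+ this call site emits the
    // SYSLIB0011 obsoletion warning; this csproj fragment turns it into a build error:
    //   <PropertyGroup>
    //     <WarningsAsErrors>$(WarningsAsErrors);SYSLIB0011</WarningsAsErrors>
    //   </PropertyGroup>
    // Remove the pragma below and the build fails under that setting. The method is
    // left uncalled: .NET 8 refuses BinaryFormatter at run time by default anyway.
#pragma warning disable SYSLIB0011
    public static Order LoadLegacy(byte[] bytes)
    {
        var bf = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
        return (Order)bf.Deserialize(new MemoryStream(bytes)); // type chosen by the payload
    }
#pragma warning restore SYSLIB0011

    // "After": the caller fixes the target type at compile time; the payload
    // cannot name a different one, and unmapped members are skipped by default.
    public static byte[] Save(Order order) => JsonSerializer.SerializeToUtf8Bytes(order);

    public static Order Load(byte[] bytes) =>
        JsonSerializer.Deserialize<Order>(bytes)
        ?? throw new InvalidDataException("payload was JSON null");

    public static void Main()
    {
        var bytes = Save(new Order { Id = 42, Customer = "alice" });
        Console.WriteLine(Load(bytes).Customer);                        // alice

        // Constructed payload carrying a type-name field: to System.Text.Json it is
        // just an unmapped property and never influences which type is constructed.
        var stray = "{\"$type\":\"Some.Other.Type\",\"Id\":1,\"Customer\":\"bob\"}";
        var o = Load(System.Text.Encoding.UTF8.GetBytes(stray));
        Console.WriteLine($"{o.GetType().Name} {o.Id} {o.Customer}");   // Order 1 bob
    }
}
```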

privatelypublic a day ago

Yea, .NET has massively improved. I just had an awful employer who burned me out, possibly for good.

I don't think I need to say more than: 98% of the code base was ASP.net backed by .Net FW 1.1, the rest was VB6.