YoVDO

Why We Hate Java Serialization and What We're Doing About It

Offered By: Devoxx via YouTube

Tags

Devoxx Courses
Software Engineering Courses
Thread Safety Courses
Security Vulnerabilities Courses

Course Description

Overview

Explore the controversial topic of Java Serialization in this 53-minute Devoxx conference talk by Brian Goetz and Stuart Marks. Delve into the historical context of Java Serialization, its intended purposes, and why it has become one of the most criticized features of Java. Examine the fundamental design flaws that have led to numerous bugs and security vulnerabilities in Java applications, libraries, and the JDK itself. Learn about the costs and challenges associated with serialization that cannot be ignored, even in code that doesn't explicitly use it. Discover potential new mechanisms being explored to replace the current Java Serialization, focusing on better integration with the language model and explicit source code representation. Gain insights into the future direction of serialization in Java, including efforts to enhance verifiability, reasoning, and security. Follow along as the speakers analyze specific examples of JDK bugs caused by serialization design decisions and discuss the long road ahead for improving this critical aspect of the Java platform.

Syllabus

Intro
Everyone hates serialization
What's with all the hate?
The benefits...
and the costs
Serialization mechanics
Casualty: thread safety
Casualty: initialization mechanics
Casualty: confinement
Effective Java, Item 88
Special bonus attack: finalization
Serialization scorecard
Lessons
Why not "just" use JSON?
A language designer looks at serialization
The root problems
Banishing the magic
Deserialization is construction
Digression: pattern matching
Serialization is deconstruction
Versioning
Access control
Towards better serialization
The bad news
The long road ahead
Summary


Taught by

Devoxx
