lucenenet-dev mailing list archives

From "Shad Storhaug (JIRA)" <>
Subject [jira] [Commented] (LUCENENET-574) [Serializable] Classes
Date Fri, 01 Sep 2017 20:24:00 GMT


Shad Storhaug commented on LUCENENET-574:

It turns out that per Microsoft, binary serialization is not meant for new applications, but
only for helping with the transition from .NET Framework to .NET Core (

It's crucial that we state as often as possible that binary serialization is not intended
to be used for new applications but to make porting from Desktop to Core easier. There are
tons of security concerns that are introduced by binary serialization, one of them is reading
from a stream that could be compromised (network transferred data, e.g. in remoting).{quote}

So, it looks like the best "strategy" for this will be to leave the attribute off of ALL of
the classes (including exceptions) except for those that explicitly require it in order for
Lucene.Net to function. All legacy tests that verify serialization support should be disabled/removed.

> [Serializable] Classes
> ----------------------
>                 Key: LUCENENET-574
>                 URL:
>             Project: Lucene.Net
>          Issue Type: Improvement
>    Affects Versions: Lucene.Net 4.8.0
>            Reporter: Shad Storhaug
>            Priority: Minor
> In Lucene.Net 3.0.3 several classes were marked with the [Serializable] attribute. The
> same has been done to several of the classes in the Lucene.Net (core), but most of the classes
> in the sub-projects are still not serializable.
> Some of the legacy tests that were carried over required certain classes to be serializable
> (LUCENENET-170 and LUCENENET-338), which is how this issue was first discovered.
> At the very least, all Queries, Filters, and Analyzers should be marked [Serializable],
> but it is unclear what criteria version 3.0.3 used to determine which other classes should
> be serializable. We need a clear strategy for this as well as the task to be done.
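
One way to keep the strategy in the comment above enforced over time is a reflection check that fails when a type carries [Serializable] without being on an explicit allow-list. This is an added example, not code from Lucene.Net or from the message; the sample types, the allow-list contents and the `SerializableAudit` name are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;

// Constructed sample types standing in for library classes.
[Serializable] public class LegacyQuery { }    // attribute left over from an older port
[Serializable] public class RequiredState { }  // assumed to genuinely need serialization
public class PlainFilter { }                   // attribute already removed

public static class SerializableAudit
{
    // Returns the full names of serializable types that are not on the allow-list.
    public static List<string> FindUnexpected(Assembly assembly, ISet<string> allowed)
    {
        Type[] types;
        try { types = assembly.GetTypes(); }
        catch (ReflectionTypeLoadException ex)
        {
            // Some types failed to load; audit the ones that did.
            types = ex.Types.Where(t => t != null).ToArray();
        }

        return types
            .Where(t => t.IsSerializable)
            // IsSerializable is also true for enums and delegates; they are not the concern here.
            .Where(t => !t.IsEnum && !typeof(Delegate).IsAssignableFrom(t))
            // The C# compiler marks its lambda cache classes [Serializable]; skip generated types.
            .Where(t => !t.IsDefined(typeof(CompilerGeneratedAttribute), false))
            .Select(t => t.FullName)
            .Where(name => !allowed.Contains(name))
            .OrderBy(name => name, StringComparer.Ordinal)
            .ToList();
    }
}

public static class Program
{
    public static int Main()
    {
        // Hypothetical allow-list: only types that must stay serializable.
        var allowed = new HashSet<string> { "RequiredState" };
        var unexpected = SerializableAudit.FindUnexpected(typeof(Program).Assembly, allowed);
        foreach (var name in unexpected)
            Console.WriteLine("unexpected [Serializable]: " + name);
        return unexpected.Count == 0 ? 0 : 1; // non-zero exit fails a CI step
    }
}
```

Run against a real assembly, the allow-list becomes the reviewed record of which classes are exposed to binary deserialization, and any new [Serializable] type has to be added to it deliberately.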
