cayenne-dev mailing list archives

From Aristedes Maniatis
Subject Hessian bugs
Date Wed, 16 Mar 2016 03:47:10 GMT
Unfortunately the new version of Hessian in the latest milestone has at least one significant

Although I wouldn't classify Hessian as "abandoned", it is pretty close. The Caucho people
only sporadically release new versions [1], and only some of those versions randomly end up in
Maven. Commit messages are completely unhelpful [2] so it is hard to know what or why something
changes. There are no release notes. We don't know if Hessian is impacted by the Java serialisation
security issues uncovered last year [3].

I'm prepared to put in some time (or more specifically delegate one of my team to spend some
time) to come up with a resolution. We already have a workaround for the BigDecimal issue.
But the question is, what should the Cayenne project do next?

1. I believe that trying to push patches upstream is futile. The developers don't respond
to bugs or mailing list questions.

2. We could fork the Hessian project and create a "Cayenne serialiser" subproject. The licensing
is all already APL. All we'd need to do is repackage and rename everything to avoid their
trademarks. Do we have enough interest in our community to maintain such a thing?

3. Now that Dima has made ROP pluggable, work on integrating another technology like Google's
protocol-buffers [4] or even use built-in Java serialisation.

I'm tending to like (3), but it could be substantial work.

How many developers here are using Hessian? Can we have a show of hands?

Has anyone here experience with other serialisers like protocol-buffers or thrift?

I know that Andrus has experience using JSON in his link-rest project, but I think that's
too slow/large for ROP purposes. Still, it is very flexible.



Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
