Subject: Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?
From: Bertrand Delacretaz
To: Commons Developers List
Cc: Eirik Bjørsnøs
Date: Thu, 19 Nov 2015 09:47:46 -0500

On Thu, Nov 19, 2015 at 9:40 AM, Jochen Wiedmann wrote:
> ...but the solution from IO-487 looks to me to be much
> easier to use, in particular, because it shifts the burden on the
> container, or application vendor (where it belongs, IMO), and not on
> the end user running the container, or application....

Absolutely, I think both solutions are useful.

IO-487 is the clean solution when you can modify your source code and
specify what you want to deserialize or not.

Eirik's notsoserial agent is a useful (and clever) fix for code that you
can't modify, or as a first step until you can modify and release your
code.

-Bertrand