Why We Hate Java Serialization and What We're Doing About It

Explore the controversial topic of Java Serialization in this 53-minute Devoxx conference talk by Brian Goetz and Stuart Marks. Delve into the historical context of Java Serialization, its intended purposes, and why it has become one of the most criticized features of Java. Examine the fundamental design flaws that have led to numerous bugs and security vulnerabilities in Java applications, libraries, and the JDK itself. Learn about the costs and challenges associated with serialization that cannot be ignored, even in code that doesn't explicitly use it. Discover potential new mechanisms being explored to replace the current Java Serialization, focusing on better integration with the language model and explicit source code representation. Gain insights into the future direction of serialization in Java, including efforts to enhance verifiability, reasoning, and security. Follow along as the speakers analyze specific examples of JDK bugs caused by serialization design decisions and discuss the long road ahead for improving this critical aspect of the Java platform.