I've been working on ABI compliance for log4cxx lately (LOGCXX-516),
and I'm running across a few classes that have to do with sending log
messages as Java serialized messages.  Since we've removed the ability
to receive these messages through Chainsaw, and due to Java's known
security issues with object deserialization, is there any reason for
keeping this feature around?

Note: I'm currently imagining that this would be for the next major
release of log4cxx, which I wouldn't expect for at least another year.
Whenever that release is, I expect that the release would break a lot
of code, so removing the serialization at that time makes the most
sense to me.

-Robert Middleton
