Thanks for the input, Bruce. I'm going to close the PR for now and do some
more thinking about how we test it.
On Fri, Dec 21, 2018 at 3:26 PM Bruce Schuchardt wrote:
> I agree with running tests with the default settings but I do not agree
> with this change.
>
> I think we need to enable this s
I agree with running tests with the default settings but I do not agree
with this change.
I think we need to enable this serialization validation by default.
Otherwise servers and clients are exposed to serialization exploits. We
did not enable validation by default when the serialization fi
-1
I'm fearful that removing full testing of serialization validation
leaves the project exposed to java-serialization bombs. We need to
ensure that our servers and clients are protected from malicious
deserialization attacks.
On 2018/12/21 22:42:23, Kirk Lund wrote:
> >
>
> I filed GEODE
I filed GEODE-6202: DUnit should not enable VALIDATE_SERIALIZABLE_OBJECTS
by default
https://issues.apache.org/jira/browse/GEODE-6202
And submitted PR #3023
https://github.com/apache/geode/pull/3023
Please review and/or discuss further if needed.
Thanks,
Kirk
On Thu, Mar 15, 2018 at 12:00 PM
+0.5 I think we can turn this off (back to the default) now since the
AnalyzeSerializables tests for other modules have been created. These
tests ensure that serializable objects are properly white-listed or
excluded and are able to be serialized/deserialized.
Excluded classes are not tested
+1 agreement with Kirk and Sean.
Any non-default configuration should probably have its own set of tests.
I can understand some exploratory work where someone might want to run the
whole precheckin with a non-default value to help identify areas that they
may have missed or are unexpectedly affec
I agree with this. We should have a default state that reflects an “out of
the box” configuration, and if a test expects a different configuration, it
should manage that within the context of the test.
-Sean
On Tue, Mar 13, 2018 at 10:04 AM Kirk Lund wrote:
> I want to propose using the default
I want to propose using the default value for validate-serializable-object
in dunit tests instead of forcing it on for all dunit tests. I'm
sympathetic to the reason why this was done: ensure that all existing code
and future code will function properly with this feature enabled.
Unfortunately runn