Hi guys,
as you may be aware the security community is currently discussing the merits of serialization, e.g.:
http://de.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
TL;DR: ctors can be evil, too, especially when invoked through deserialization.

Now I have no clue if that actually applies to the ceylon serialization, but from a quick glimpse it seems like "it doesn't care". Granted, ceylon may have limited exposure due to the modules approach, but I suggest checking for this now that you're (probably) working on a bugfix release, if you haven't already done so.

There is a "danger" that you'll say that the actual deserialization library has to take care of that. Well, that is somehow right but IMO fosters negligence. It would be far better if the deserialization context would enforce, or help enforce, stricter boundaries.

By stricter I mean stricter than "whitelisted by some annotation", because the very problem at the root of all this is the amount of trust you can have towards all of your library authors. Normally that's just above zero, but unconstrained deserialization actually requires a fair amount of trust.

Unfortunately I don't have the time to work on it, but I thought I'd at least put it up for you to decide whether or how to act on it.
Thanks,
Simon
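The point made above (that the deserializing side, not an annotation supplied by whichever library author defined the class, should decide which types may be instantiated) can be illustrated with Python's pickle module as a stand-in for the Ceylon serialization API. This is an added example written for this page, not code from the original post or from the Ceylon project; `RestrictedUnpickler`, `Point`, the `ALLOWED` table and the constructed payloads are all assumptions made for the demonstration. The stdlib `OrderedDict` is used only as a perfectly legitimate class that the consumer nevertheless did not choose to trust.

```python
import io
import pickle
from collections import OrderedDict


class DeserializationError(Exception):
    """Raised when a payload references a type the consumer did not allow."""


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose type resolution is bounded by a caller-supplied allow-list.

    The allow-list lives in the deserialization context (here: the consumer
    calling load), not on the classes themselves, so a library author cannot
    opt their type in merely by annotating or registering it.
    """

    def __init__(self, data, allowed):
        super().__init__(io.BytesIO(data))
        self._allowed = allowed  # {(module, qualname): class}

    def find_class(self, module, name):
        # Every global reference in the stream (classes, but also callables
        # named by __reduce__) passes through here before anything is invoked.
        try:
            return self._allowed[(module, name)]
        except KeyError:
            raise DeserializationError(f"refused to resolve {module}.{name}")


def loads_restricted(data, allowed):
    """Deserialize data, materialising only types present in allowed."""
    return RestrictedUnpickler(data, allowed).load()


class Point:
    """Hypothetical data holder the consumer has decided to trust."""

    def __init__(self, x, y):
        self.x = x
        self.y = y


# The consumer's trust boundary: exactly one type, keyed the way pickle
# will ask for it. Anything else is rejected before construction.
ALLOWED = {(Point.__module__, Point.__qualname__): Point}


def demo_allowed():
    """A payload containing only an allowed type round-trips normally."""
    payload = pickle.dumps(Point(1, 2))  # constructed payload
    obj = loads_restricted(payload, ALLOWED)
    return (obj.x, obj.y)


def demo_refused():
    """A legitimate but non-allowed stdlib type is refused by the context."""
    payload = pickle.dumps(OrderedDict(a=1))  # constructed payload
    try:
        loads_restricted(payload, ALLOWED)
    except DeserializationError as exc:
        return str(exc)
    return None


def demo_unrestricted():
    """Plain pickle.loads resolves whatever the stream names: 'it doesn't care'."""
    payload = pickle.dumps(OrderedDict(a=1))  # constructed payload
    return type(pickle.loads(payload)) is OrderedDict


if __name__ == "__main__":
    print("allowed     :", demo_allowed())
    print("refused     :", demo_refused())
    print("unrestricted:", demo_unrestricted())
```

The design choice worth noting is that `find_class` is the single choke point for every type or callable the stream names, so the check runs before any constructor or reducer is invoked, and the set of acceptable types is owned by the code that accepts the input rather than by whoever wrote the classes.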