On Thu, Sep 8, 2016 at 12:04 PM, Jacques Le Roux < jacques.le.r...@les7arts.com> wrote:
> ...
> If we remove the jar and all the rest, I fear the notsoserial effort will
> be definitely thrown away, exposing our "naive" users at the risk of using
> RMI or vulnerable external classes.

Configuring OFBiz for production requires some steps to secure it; "naive" users are not exposed to the risk because RMI is disabled by default; if a more expert user enables RMI, then they would also take care of protecting against deserialization-driven attacks, if warned about them.

> BTW, when you say "We could always bundle it in another release soon" do
> you expect to freeze and release R16 very soon?

I am sorry but I don't get your question.

Jacopo