On 08/09/2016 at 17:23, Jacopo Cappellato wrote:
On Thu, Sep 8, 2016 at 5:01 PM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

But the topic is still there, hackers have all their time, and they will
bite again...

Well, the above is too generic a statement and I would prefer you to describe
specific attacks and weak points in OFBiz that need to be secured by
notsoserial; and provide other examples of Java frameworks at the ASF and
how they have dealt with them.

Jacopo

As I said in my snipped message, I have no examples of "Java frameworks at the ASF" which are currently endangered, and in the wiki page I created about that I think I already clearly explained the situation about OFBiz.
https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialization+vulnerability

What notsoserial can do, if you use it rightly, is a bit like an antivirus: it protects you in advance. The principal difference is that it knows exactly what to protect you against and it does it surely. Developers should always be on their guard about this hazard; why not use notsoserial?

Jacques
