Serialization: A New Hope by Viktor Klang, Brian Goetz

Java serialization added in 1997 has fundamental design flaws - it bypasses language features for maintaining object integrity, making it difficult to use correctly and secure

Main problems with current serialization:

• Extra-linguistic (doesn’t use normal Java language features)
• Monolithic design combining multiple concerns
• Hard to maintain and review
• Security vulnerabilities from maliciously constructed streams
• Difficult to reason about object state
• Complex versioning and compatibility issues

Proposed new approach using “marshalling”:

• Separates concerns into structure extraction, wire format, and reconstruction
• Uses standard language features like constructors and patterns
• Class authors control external representation
• Wire format agnostic - supports JSON, XML etc.
• Built on parameter lists and schemas rather than direct field access
• Validates object state through constructors

Records provide a good model for serialization:

• Components go through constructor validation
• Clear external contract through deconstruction patterns
• Safe reconstruction through constructor

Migration strategy:

• Gradual transition supporting both old and new formats
• Eventually deprecate current serialization
• Clear separation between marshalling and wire format concerns
• Leverages existing Java features rather than inventing new mechanisms

Focus on simplicity and correctness:

• Small API surface area
• Hard to use incorrectly
• Clear responsibilities and separation of concerns
• Built on familiar language constructs
• Better security through constructor validation