You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cayenne.apache.org by Aristedes Maniatis <ar...@maniatis.org> on 2016/03/16 04:47:10 UTC
Hessian bugs
Unfortunately the new version of Hessian in the latest milestone has at least one significant bug.
http://bugs.caucho.com/view.php?id=3920
Although I wouldn't classify Hessian as "abandoned", it is pretty close. The Caucho people only sporadically release new versions [1] only some of those versions randomly end up in maven. Commit messages are completely unhelpful [2] so it is hard to know what or why something changes. There are no release notes. We don't know if Hessian is impacted by the Java serialisation security issues uncovered last year [3]
I'm prepared to put in some time (or more specifically delegate one of my team to spend some time) to come up with a resolution. We already have a workaround for the BigDecimal issue. But the question is, what should the Cayenne project do next?
1. I believe that trying to push patches upstream is futile. The developers don't respond to bugs or mailing list questions.
2. We could fork the Hessian project and create a "Cayenne serialiser" subproject. The licensing is all already APL. All we'd need to do is repackage and rename everything to avoid their trademarks. Do we have enough interest in our community to maintain such a thing?
3. Now that Dima has made ROP pluggable, work on integrating another technology like Google's protocol-buffers [4] or even use built-in Java serialisation.
I'm tending to like (3), but it could be substantial work.
How many developers here are using Hessian? Can we have a show of hands?
Has anyone here experience with other serialisers like protocol-buffers or thrift?
I know that Andrus has experience using json in his link-rest project, but I think that's too slow/large for ROP purposes. Still, it is very flexible.
Thoughts?
Ari
[1] http://mvnrepository.com/artifact/com.caucho/hessian
[2] https://github.com/ebourg/hessian/commits/git-svn
[3] https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
[4] https://developers.google.com/protocol-buffers/docs/proto3
--
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
Re: Hessian bugs
Posted by Aristedes Maniatis <ar...@maniatis.org>.
On 18/03/2016 12:41am, Andrus Adamchik wrote:
> I think forking Hessian on Github, but not including it in Cayenne may be a good idea. We'll have a place to fix bugs without making along term commitment to Hessian. We can alter the Maven artifact ID, so that we can make releases. At the same time we'll be moving to #3.
I'm not sure what the difference is between hosting it at Apache or on github. In both cases we'd need to:
1. Change the name of the project from Hessian
2. Publish it with new co-ordinates to maven central
3. Consume it within the Cayenne project
4. Support it for as long as we want the ROP part of Cayenne to keep working
Not sure the long term commitment part is very much except for some work each time a new Java comes out to do some validation. As it is, its continued for many years without any maintenance at all.
Ari
--
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
Re: Hessian bugs
Posted by Andrus Adamchik <an...@objectstyle.org>.
I think forking Hessian on Github, but not including it in Cayenne may be a good idea. We'll have a place to fix bugs without making along term commitment to Hessian. We can alter the Maven artifact ID, so that we can make releases. At the same time we'll be moving to #3.
Andrus
> On Mar 15, 2016, at 11:47 PM, Aristedes Maniatis <ar...@maniatis.org> wrote:
>
> Unfortunately the new version of Hessian in the latest milestone has at least one significant bug.
>
> http://bugs.caucho.com/view.php?id=3920
>
> Although I wouldn't classify Hessian as "abandoned", it is pretty close. The Caucho people only sporadically release new versions [1] only some of those versions randomly end up in maven. Commit messages are completely unhelpful [2] so it is hard to know what or why something changes. There are no release notes. We don't know if Hessian is impacted by the Java serialisation security issues uncovered last year [3]
>
> I'm prepared to put in some time (or more specifically delegate one of my team to spend some time) to come up with a resolution. We already have a workaround for the BigDecimal issue. But the question is, what should the Cayenne project do next?
>
> 1. I believe that trying to push patches upstream is futile. The developers don't respond to bugs or mailing list questions.
>
> 2. We could fork the Hessian project and create a "Cayenne serialiser" subproject. The licensing is all already APL. All we'd need to do is repackage and rename everything to avoid their trademarks. Do we have enough interest in our community to maintain such a thing?
>
> 3. Now that Dima has made ROP pluggable, work on integrating another technology like Google's protocol-buffers [4] or even use built-in Java serialisation.
>
>
> I'm tending to like (3), but it could be substantial work.
>
>
> How many developers here are using Hessian? Can we have a show of hands?
>
> Has anyone here experience with other serialisers like protocol-buffers or thrift?
>
> I know that Andrus has experience using json in his link-rest project, but I think that's too slow/large for ROP purposes. Still, it is very flexible.
>
>
> Thoughts?
> Ari
>
>
>
> [1] http://mvnrepository.com/artifact/com.caucho/hessian
> [2] https://github.com/ebourg/hessian/commits/git-svn
> [3] https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
> [4] https://developers.google.com/protocol-buffers/docs/proto3
>
> --
> -------------------------->
> Aristedes Maniatis
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A