Moving away from BinaryFormatter #6826
Comments
Hi @highlyunavailable, thanks for reporting. There is a workaround for now:

```xml
<PropertyGroup>
  <TargetFramework>netcoreapp5.0</TargetFramework>
  <!-- Warning: setting the below switch is *NOT* recommended in web apps -->
  <!-- See: https://aka.ms/binaryformatter -->
  <!-- See: https://github.com/dotnet/orleans/issues/6805 -->
  <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
</PropertyGroup>
```

BinaryFormatter is used only as a fallback in Orleans (which still means it has that lack of security attributes, of course), mostly for serializing exceptions. We're looking into other alternatives for exception serialization. Cross-referencing another issue on this: #6805
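Because the workaround above is flagged as not recommended in web apps, a build-time audit can report which project files turn the switch on. The sketch below is an added example, not code from the Orleans project; the file names, sample contents and severity labels are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SWITCH = "EnableUnsafeBinaryFormatterSerialization"  # property name from the workaround
WEB_SDK = "Microsoft.NET.Sdk.Web"

def _local(tag):
    """Drop an XML namespace prefix so files that declare xmlns still match."""
    return tag.rsplit("}", 1)[-1]

def audit_project(name, xml_text):
    """Return a finding if the file sets the switch to true, else None."""
    root = ET.fromstring(xml_text)
    enabled = any(
        _local(el.tag) == SWITCH and (el.text or "").strip().lower() == "true"
        for el in root.iter()
    )
    if not enabled:
        return None
    # The Sdk attribute may carry a version suffix such as "Name/1.0.0".
    is_web = root.get("Sdk", "").split("/")[0] == WEB_SDK
    return {"project": name, "web": is_web,
            "severity": "high" if is_web else "review"}  # labels are assumptions

def audit(projects):
    """Audit a mapping of file name -> file text; findings sorted by name."""
    results = (audit_project(n, x) for n, x in sorted(projects.items()))
    return [f for f in results if f is not None]

# Constructed sample inputs (not taken from any real repository).
SAMPLES = {
    "Api.csproj": f"""<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <{SWITCH}>True</{SWITCH}>
  </PropertyGroup>
</Project>""",
    "Client.csproj": f"""<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><{SWITCH}>false</{SWITCH}></PropertyGroup>
</Project>""",
    "Directory.Build.props": f"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><{SWITCH}>true</{SWITCH}></PropertyGroup>
</Project>""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

The check reads literal values only; a property set through an MSBuild condition or an imported file outside the scanned set needs a separate review.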
Thank you!
We merged #6922 to completely remove BinaryFormatter. Thanks again, @highlyunavailable
@ReubenBond is there a release we can expect that will contain this fix?
We could potentially remove it for net5.0 targets. The issue is with breaking compatibility. Traditionally, major version revisions are the only time where that would be at all acceptable. So if we did exclude it for net5.0, we would also need a way to bring it back via an optional package or potentially a switch. There's a workaround mentioned above.
@ReubenBond Thanks, we are using the workaround. Unfortunately, we have web apps, so it's not recommended to use it.
I'm testing upgrading my Orleans app to dotnet 5.0 and I was getting errors about using BinaryFormatter. I can of course switch the formatter and am doing so, but this may be something to keep in mind for the near future:
https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide