jib
Switch to GSON from Jackson
See go/json-madness
It's not clear at the moment if switching to GSON is a good idea.
Why do you say that? See also https://engdoc.corp.google.com/eng/doc/devguide/java/primer/index.md?cl=head#data-interchange-formats-serialization
Sorry, let me clarify and document why.
JSON processing is a critical part of Jib, and my main concern is the comment I left in the linked doc:
From my experience with GSON for a few years, I also feel GSON is not maintained. As an example, the last GSON release was in 2019, and that was the only single release in 2019. From the OSS-point of view and especially considering the core nature of the library, I can only interpret this as an unmaintained project. IMO, this cannot be a secure library.
https://search.maven.org/artifact/com.google.code.gson/gson
On the other hand, Jackson had 24 releases in 2020 alone so far:
https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind
This may be my perspective only, but I don't really feel comfortable switching to GSON. Jib does heavy JSON processing, and having good support and fast feedback from a library is important. I don't know if the internal GSON is well maintained, but I'm concerned with the current state of the OSS. I'm fine having this issue open indefinitely, but we'd like to be really careful about making a switch.
See go/json-madness
Is there any public version of this document or reference which someone not working at Google could read?
No, there is not.
I've managed to get GSON back to a state where it is now possible to fix bugs and release new versions if needed. GSON 2.8.7 was released yesterday.
Last I heard, Jackson is still faster than GSON.
This change is required per security team advice.
I am closing this issue because:
- there was no clear agreement reached a year ago, and no new information came to light
- Jib is a standalone tool, not a library, so various diamond dependency concerns do not apply.
- OSS stack will always be different from internal stack by definition.
- All XML parsing libraries are susceptible to various vulnerabilities. Both Gson and Jackson patch theirs promptly.