Reasonable, future-proof serialization strategy for outbox events


Sometimes we need to serialize structured data to stuff it into database columns. We already have this problem for indexing routes, and we will likely have it again for dirty paths when we address HSEARCH-4141.

Currently we’re using Java serialization, which is not a great choice: it has security vulnerabilities (though they probably don’t affect us since we can trust the serialized data) and even the OpenJDK team has stated in the past that they wish they could deprecate it.

Maybe we should depend on Avro? Gson? Something else? The additional dependency means we would have to move the outbox automatic indexing strategy to a separate module, but I think that’s a reasonable tradeoff?

Ideally the format should be rather compact, since we anticipate lots of events. It should also be able to withstand the addition of fields (such as an “index” field for routes, or “previous value”/”new value” fields for dirty paths).






Yoann Rodière