Check Ahead
- I have searched the issues of this repository and believe that this is not a duplicate.
- I am willing to try to implement this feature myself.
Why you need it?
Background
Currently, Seata allows extending and using various serialization frameworks. However, the community has discovered that the indiscriminate introduction of third-party serialization frameworks can bring significant security risks (e.g., remote code execution vulnerabilities like JNDI injection and deserialization exploits). To enhance the security and stability of the Seata ecosystem, we need to formally regulate the supported serialization frameworks on the official website.
Goal
- Converge Serialization Frameworks: Clearly list the officially supported and recommended serialization frameworks (e.g., Kryo, FST, Protostuff, Hessian).
- Highlight Security Risks: Warn users about the potential dangers of using untested or known-vulnerable serialization frameworks (e.g., Fastjson1, JDK native serialization in certain versions).
- Provide Guidance: Offer best practices and recommendations for users choosing a serialization framework for their production environment.
- Establish Specification: Define a long-term mechanism for introducing new serialization frameworks in the future, which must undergo strict security review by the community.
How it could be?
No response
Other related information
No response