Magento2: Backport Serialize Library to Magento 2.1

Created on 13 Dec 2017 · 9 Comments · Source: magento/magento2

For serialization, the new serialize library (http://devdocs.magento.com/guides/v2.2/extension-dev-guide/framework/serializer.html) should always be used. But as soon as I depend on the SerializeInterface in an extension, it is not compatible with Magento 2.1 anymore and I have to create a separate branch for this version. Since the serialize library is a security feature, it should be backported to all supported versions.


Preconditions

  1. An extension that uses serialization
  2. Magento 2.1 and Magento 2.2

Steps to reproduce

  1. Add SerializeInterface as dependency in a class

Expected result

  1. I can use SerializeInterface in the latest 2.1.x version

Actual result

  1. I can't

Labels: FrameworObjectManager, Clear Description, Confirmed, Format is valid, Ready for Work, Reproduced on 2.1.x

All 9 comments

2.1.x is not using JSON for serialization AFAIK. Should an unsafe implementation of this interface using serialize be introduced then?

it is not compatible with Magento 2.1 anymore and I have to create a separate branch for this version

There is nothing wrong with it, this can happen due to hundreds of other reasons.

Since the serialize library is a security feature, it should be backported to all supported versions.

Not true until there is no known attack vector for the old serialization implementation.

Unserialization of PHP objects is a known attack vector, at least potentially. In 2.2, old PHP serialized values were converted to JSON (http://devdocs.magento.com/guides/v2.2/ext-best-practices/tutorials/serialized-to-json-data-upgrade.html)

Why shouldn't this be possible in a 2.1.x security update?

"at least potentially" is not an attack vector :)

In 2.2, old PHP serialized values were converted to JSON

Yeah, and converting data is backward-incompatible thus it is not a good idea for patch release.

When did Magento ever follow the "patch release" semantics for the product version? ;)

I meet this kind of response regularly in pull requests here :)

There were a bunch of "bug" reports related to third party code broken due to the 2.2 upgrade (when it was not updated from a serialization perspective). Introducing such a change in 2.1.x would produce an even bigger wave of reports.

Let's wait for the response of officials and/or other opinions.

Hi @schmengler , thank you for your report.
We've acknowledged the issue and added to our backlog.

Hi @engcom-backlog-tomash. Thank you for working on this issue.
Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please go through the following instructions:

  [ ] 1. Add/Edit Component: XXXXX label(s) to the ticket, indicating the components it may be related to.
  [ ] 2. Verify that the issue is reproducible on 2.3-develop branch.
     - Add the comment @magento-engcom-team give me 2.3-develop instance to deploy test instance on Magento infrastructure.
     - If the issue is reproducible on 2.3-develop branch, please add the label Reproduced on 2.3.x.
     - If the issue is not reproducible, add your comment that the issue is not reproducible, close the issue and _stop verification process here_!
  [ ] 3. Verify that the issue is reproducible on 2.2-develop branch.
     - Add the comment @magento-engcom-team give me 2.2-develop instance to deploy test instance on Magento infrastructure.
     - If the issue is reproducible on 2.2-develop branch, please add the label Reproduced on 2.2.x.
  [ ] 4. If the issue is not relevant or is not reproducible any more, feel free to close it.

Only security issues will be backported to 2.1.x

@engcom-backlog-tomash using SerializerInterface is now a requirement for all Magento Marketplace submissions. Are you guys forcing developers to drop support for Magento 2.1?
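The two points raised in this thread, that PHP object unserialization is an attack vector (the 2.2 library avoids it by using JSON) and that an extension must still work on 2.1 where SerializerInterface is absent, as an added PHP example that is not Magento's code. SafeJsonSerializer and readLegacyValue are hypothetical names; the class only mirrors the serialize/unserialize shape of the 2.2 interface, and the legacy reader relies on PHP's allowed_classes option (PHP 7.0+) so that stored pre-2.2 data can be read without instantiating any object.

```php
<?php
// Added example, not Magento code; SafeJsonSerializer/readLegacyValue are hypothetical names mirroring 2.2's SerializerInterface.
class SafeJsonSerializer
{
    /** Encode arrays and scalars as JSON; objects are refused rather than serialized. */
    public function serialize($data)
    {
        $json = is_object($data) ? false : json_encode($data);
        if ($json === false) {
            throw new InvalidArgumentException('Only arrays and scalars can be serialized as JSON');
        }
        return $json;
    }

    /** Decode to arrays only: a class name inside the payload can never be instantiated. */
    public function unserialize($string)
    {
        $result = json_decode($string, true);
        if ($result === null && json_last_error() !== JSON_ERROR_NONE) {
            throw new InvalidArgumentException('Unable to unserialize: ' . json_last_error_msg());
        }
        return $result;
    }
}
/** True if $value is, or contains, an object (including __PHP_Incomplete_Class). */
function containsObject($value)
{
    if (is_array($value)) {
        foreach ($value as $item) { if (containsObject($item)) { return true; } }
    }
    return is_object($value);
}
// Read a pre-2.2 PHP-serialized value without running any class's __wakeup or __destruct:
// allowed_classes => false (PHP >= 7.0) turns every "O:" record into __PHP_Incomplete_Class.
function readLegacyValue($phpSerialized)
{
    $value = @unserialize($phpSerialized, ['allowed_classes' => false]);
    if (($value === false && $phpSerialized !== 'b:0;') || containsObject($value)) {
        throw new InvalidArgumentException('Legacy value is malformed or contains an object');
    }
    return $value;
}
// Constructed sample data (not from the issue): JSON round trip, plain legacy array, object record.
$serializer = new SafeJsonSerializer();
$roundTrip = $serializer->unserialize($serializer->serialize(['sku' => 'ABC-1', 'qty' => 2]));
$legacyArray = readLegacyValue(serialize(['sku' => 'ABC-1', 'qty' => 2]));
try {
    readLegacyValue('a:1:{s:3:"cfg";O:8:"stdClass":1:{s:1:"x";i:1;}}'); // object inside: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

On 2.2 the extension can inject the framework's SerializerInterface instead and keep the JSON fallback only for 2.1; the legacy reader is what a one-off data migration would use before rewriting values as JSON.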
