openid/OpenYOLO-Android

Proposal: Switch to official Protobuf v3 from Square

iainmcgin opened this issue · 1 comment

I originally used Square's protocol buffer library because it was, generally speaking, much easier to integrate its code generation into the build process, and I preferred their generated code to what protobuf v2 was generating. However, a security engineer within Google made a good point that we have to be very careful about the dependencies we choose for this library, as they will be a critical part of the operational security of the protocol.

It was suggested that I move to a Google-controlled library, as it is subject to continuous scrutiny by our security engineers - the Google implementations are core to virtually every product we build, and any security issues discovered would be fixed urgently as a result. The same may be true of the Square libraries, but we have less confidence in this generally.

The impact of this change would be in the structure of the generated protocol buffer classes, so any code currently written that handles these protocol buffers within the SPI and above would have to change. There should be no visible change to the client API.

If there are no objections to this proposal within the next week, I'll start the migration work.

Code changes made in #25. Spec changes being made in separate spec repository.