Removal of BinaryFormatter in .NET 8.0

[MullerWasHere]

Description

Due to security issues, BinaryFormatter will be removed in .NET 8.0 and its Serialize and Deserialize methods are currently obsolete in .NET 5.0.

There is currently a single use of BinaryFormatter's Serialize and Deserialize methods:

fluentassertions/Src/FluentAssertions/ObjectAssertionsExtensions.cs

Lines 142 to 153 in 834a2db

	private static object CreateCloneUsingBinarySerializer(object subject)
	{
	using var stream = new MemoryStream();
	var binaryFormatter = new BinaryFormatter
	{
	Binder = new SimpleBinder(subject.GetType())
	};
	binaryFormatter.Serialize(stream, subject);
	stream.Position = 0;
	return binaryFormatter.Deserialize(stream);
	}

Although it's a long way off until BinaryFormatter is removed, I figured it'd be a good idea to bring some attention to it. I stumbled upon this while working on #1754.

[lg2de]

When BinaryFormatter will be removed in net8, the assertion BeBinarySerializable should be removed, too. It gets useless.
So, I would recommend to exclude these methods (in ObjectAssertionExtensions.cs) using #if NET8.
This will solve the compilation of the FA library and its tests.

It will not solve the runtime of customers while there is no net8 target with the update above.
This means, FA 6.X will stop working when users are start using net8 (incl. preview), isn't it?
But, it applies only to users which are actively using BeBinarySerializable. If they hit the issue in FA they also hit the issue in its production code. So I guess there is no additional action needed.

If you agree I can provide a PR with the #ifs even there is no net8 target yet, but it should solve one blocker for the new target.

Should we add the Obsolete attribute to the assertion?
Because it is a breaking change it should get obsolete only with v7, I guess.

[dennisdoomen]

You would still need to have FA target .NET 8 to make that work. I recommend to wait a couple of days. As soon as #2152 has been merged, we're going to release 6.12 and switch develop to become the next major release.

[jnyrup]

The BinaryFormatter type is still available with .NET 8, otherwise it would no longer implement .netstandard2.0 and cause MethodNotFoundExceptions.

When ignoring the various SYSLIB errors about BinaryFormatter I can:
Target our tests against .NET 8, consuming the current .NET 6 FA dll and tests on BeBinarySerializable fails on runtime with.

BinaryFormatter serialization and deserialization are disabled within this application. See https://aka.ms/binaryformatter for more information."

I can also target and compile FA against .NET 8.
Running .NET 8 tests consuming the .NET 8 FA gives the same outcome as above.

This is not draw any final conclusions, just to clear up what can/cannot compile and what fails at runtime.

[dennisdoomen]

This is not draw any final conclusions, just to clear up what can/cannot compile and what fails at runtime.

I'm not sure what you mean with that, but if I understand it correctly, we have two options:

1. Add a target for .NET 8 and make sure the corresponding API is not available, but keep it available for other targets
2. Rip it out completely

[jnyrup]

Correct

[dennisdoomen]

I vote for 2. Microsoft has clearly marked it as deprecated.

[lg2de]

I prepared the following:

1. Remove in net8
2. Obsolete otherwise

This helps the users to migrate. Why we should remove it from targets, where it is still supported?