Based on my understanding, SerializableAttribute provides no compile time checks, as it’s all done at runtime. If that’s the case, then why is it required for classes to be marked as serializable?
Couldn’t the serializer just try to serialize an object and then fail? Isn’t that what it does right now? When something is marked, it tries and fails. Wouldn’t it be better if you had to mark things as unserializable rather than serializable? That way you wouldn’t have the problem of libraries not marking things as serializable?
As I understand it, the idea behind the
SerializableAttributeis to create an opt-in system for binary serialization.Keep in mind that, unlike XML serialization, which uses public properties, binary serialization grabs all the private fields by default.
Not only this could include operating system structures and private data that is not supposed to be exposed, but deserializing it could result in corrupt state that can crash an application (silly example: a handle for a file open in a different computer).