[dotnet-sdk-9.0.100-preview.6.24325.8] paintdotnet get System.NotSupportedException: BinaryFormatter serialization and deserialization have been removed about winforms HOT 8 CLOSED

@rickbrew @elachlan maybe I am misunderstanding. If my app only uses the WinForms form designer and the Resx files it creates when I upgrade to .Net 9.0 will something happen to those files that will remove the need to use BF and avoid this security black hole. The little I have played with .Net 9 for my applications seems to require I add below to project file.

<EnableUnsafeBinaryFormatterSerialization>True</EnableUnsafeBinaryFormatterSerialization>

from winforms.

Verify this issue for the workaround with the public System.Runtime.Serialization.Formatters Nuget package. It works. Hence closing this issue.

from winforms.

If people have to instal the NuGet package to get basic WinForms existing apps to work why is it being removed? And if the NuGet package is safe why isn’t it in the product? Will this requirement, break existing deployed applications? For many of us, this entire issue is very confusing. The only use of binary formatter in any application I work in is to decode stuff in form.designer that was written by WinForm designer. Wouldn’t it be better to do a 1 time upgrade of designer file and for the vast majority of applications not use problematic format? If this isn’t place to address this issue please let me know where is.

from winforms.

@rickbrew just a heads up. I imagine you are probably very much aware.

from winforms.

@paul1956 see #6267

from winforms.

@elachlan Yup I’ve been paying close attention to this. PDN uses BF for various things, and I’ll be dealing with it soon-ish, possibly deferring the upgrade to .NET 9/10 for a bit while I’m working on it.

from winforms.

If people have to instal the NuGet package to get basic WinForms existing apps to work why is it being removed?

Because BF is a security black hole. It’s not safe.

Also, Paint.NET is not a basic WinForms app, and uses BF in situations where it isn’t usually used. It isn’t representative of the larger ecosystem in other words.

And if the NuGet package is safe why isn’t it in the product?

It’s not safe. It’s a compromise. To use BF going forward you essentially have to “sign the consent form” declaring that you understand the risks of using BF and are taking responsibility for it going forward.

Will this requirement, break existing deployed applications?

This will only be an issue when migrating to .NET 9+. Existing app deployments shouldn’t be affected.

from winforms.

@paul1956 You'll want to refer to the other issues etc. that discuss this, e.g. #6267 (comment) . IIUC it's something @JeremyKuhne et. al. are actively working on.

... at worst, you'll have to reference a new NuGet package to get this to work. We're working on making sure embedded resources just work (as they're considered trusted). I'm not sure what the BinaryFormatter workflow is for data sets, but we'll look to make sure we're fully clear how it might be impacted.

from winforms.