Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among some developers who highlight the future legal and technical issues this may pose, along with a potential for supply chain attacks.
  • argv_minus_one@beehaw.org
    51·
    1 year ago

    The proper way to handle this is to contact the maintainer, ask why this change was made, and start a discussion arguing the drawbacks and asking to revert it.

    That has already occurred. The maintainer pretty much ignored the question, as far as I can tell.

    People usually behave that way when they have an ulterior motive. In this case, I worry that the plan is to slip some malware into that binary…

    • jhulten@infosec.pub
      21·
      1 year ago

      The maintainer took a very FOSS approach of “this is better and the tools we use don’t support better choices, so you’re welcome to fix the tools.”

      • argv_minus_one@beehaw.org
        4·
        1 year ago

        If the binary matched the source code, that argument would hold, but it doesn’t, which is sounding alarm bells in my head. Just what is in those 600 kilobytes of machine code?