Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among some developers who highlight the future legal and technical issues this may pose, along with a potential for supply chain attacks.
  • mo_ztt ✅@lemmy.worldEnglish
    211·
    1 year ago

    The dev’s explanation, in full, is:

    The precompiled implementation is the only supported way to use the macros that are published in serde_derive.

    If there is implementation work needed in some build tools to accommodate it, someone should feel free to do that work (as I have done for Buck and Bazel, which are tools I use and contribute significantly to) or publish your own fork of the source code under a different name.

    Separately, regarding the commentary above about security, the best path forward would be for one of the people who cares about this to invest in a Cargo or crates.io RFC around first-class precompiled macros so that there is an approach that would suit your preferences; serde_derive would adopt that when available.

    Not “Here’s why I’m doing this, it might seem weird but there’s a good reason” or anything. Just, go fuck yourself, run my binary.

    I smell a similar resolution to the xfree86 -> xorg transition, where the community unanimously abandons serde in favor of the fork.