serde_derive now ships a precompiled binary. This made a lot of people angry. The crate maintainer finally locked the issue.

  • rust
    link
    fedilink
    English
    arrow-up
    31
    ·
    1 year ago

    To me, the fact that the issue was just outright dismissed by the maintainer without really answering any of the legitimate concerns raised (disregarding the unnecessary personal attacks in a few comments) is pretty concerning. And now the issue has been locked without a really good response.

  • Sibbo@sopuli.xyzOP
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    Can someone explain why one would want to precompile procedural macros? Don’t they get compiled only once anyways, when compiling a dependent crate for the first time? So compile time should be not that relevant?

    • isosphere@beehaw.org
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I’ve read the thread; Rust-folk I recognize seem to accept that this was done to reduce compile time without suspecting bad-faith, but I can’t independently verify that.

      There’s a post in there where sometime tries to manually compile the same binary to verify that it matches the shipped binary and they were not able to do it, but there could be a good reason for that. Reproducible builds are hard.

      • RandoCalrandian@kbin.social
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        1 year ago

        That’s the problem: it is incredibly difficult to verify.

        Which is exactly why people are upset.
        They’re not accusing the maintainer of doing anything malicious, they’re saying the choice that was made makes it impossible for them to verify if anything malicious was done, or will be done in the entire future of the project.

        The reasons given are easily addressed by some of the commenters suggestions, those suggestions have been ignored.

        So now a core rust library has a big shiny hackers target on it, because if someone manages to hack or trick the builder into uploading a malicious binary, no one (maintainers included) would be any the wiser.

        This is enough to get the crate blocked on a corporate level for security reasons.

        Edit: that’s not to mention the extreme end of the problem, which looks more like suits showing on his door saying “here is our secret court order that says you can’t tell anyone about this. Now change the build to use this binary we provide you because we said so”

        No regular open source maintainer has the ability to protect themselves or others against a state sponsored attack of that level, and it would likely look just like this if it happened.

    • RandoCalrandian@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      One of the main reasons would be to try and hide what’s in it

      If, for example, you wanted to add tracking code into the generated code, and knew people would stop using your product if they found out

      • huntrss@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Is there anything confirmed yet? Like what is inside this precompiled binary?

        • Anders429@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          As far as I know, no one has yet been able to reproduce the binary with the source code, so I don’t think the contents of it are confirmed at all.

  • bet@lemm.ee
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Thanks, I hadn’t seen this elsewhere, glad to know about it.