So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?

dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn’t feel ok at all.

  • BatmanAoD@programming.dev
    link
    fedilink
    arrow-up
    8
    ·
    1 year ago

    If the executable were easily reproducible from the source code, then yes, downloading a precompiled binary would be akin to executing code in build.rs or a proc macro. The fact that it’s not makes these very different, because it makes your suggestion of “vet[ting] their packages themselves” impossible.

    • TehPers@beehaw.org
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      Maybe I’m missing something, but I’m not seeing where in serde we’re downloading a precompiled binary. I see a script we can execute ourselves in the repository and an alternative serde_derive that uses that executable (after we compile it), but not where the actual published package has the executable.

      It’s possible I’m missing something here though.

      • BB_C@programming.dev
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        1 year ago
        bsdtar tfv ᐸ(curl -sL https://static.crates.io/crates/serde_derive/serde_derive-1.0.183.crate)
        

        Edit: Ogh, using which is a replacement character because Lemmy escapes the real one. This is annoying.

        There, you will see that this file exists:

        -rwxr-xr-x  0 0      0      690320 Jul 24  2006 serde_derive-1.0.183/serde_derive-x86_64-unknown-linux-gnu
        

        Yes, that’s a pre-built binary in the crate source release. It’s that bad.

        • TehPers@beehaw.org
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Looks like I missed that, I was checking locally but I must have been checking an outdated version of the package. I’d feel better about it if it compiled on the user’s machine, which is the impression I was getting.