What is going on with serde?

https://programming.dev/post/1851005


So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea? dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn’t feel ok at all.

I’m a bit confused, proc macros could always execute arbitrary code on developer machines. As long as the source for the precompiled binary is available (which seems to be the case here), how is this any different than what any other proc macro is doing?

You can read a build.rs script.

Then there's this: http://cm.bell-labs.co/who/ken/trust.html

You can read the source of build.rs and proc macros executed during a build, but do you? Does anyone do that every time they add a new dependency?
Some do and document their findings, e.g. using #crev; others use tooling to read their reports. But equally important is that it is on record for when something does go terribly wrong.
When adding a new dependency I almost always go over the source code to see what kind of performance to expect. If build.rs is there - checking it takes a single click, so yes to that too. Derive macro - less frequently, but you have to do it when documentation is non-existent.
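The thread keeps returning to the same review checklist for a new dependency: does it have a build.rs, is it a proc-macro crate (both run arbitrary code on the developer machine at build time), and does it ship something that is not source. The program below is an added example written for this page; it is not code from anyone in the thread, from serde, or from any review tool. Given a crate directory (a vendored or `~/.cargo/registry` checkout), it reports those three facts so a reviewer knows what actually needs reading. The `make_sample_crate` helper builds a constructed crate in a temp directory, including a file with a fake ELF header standing in for a precompiled binary, so the scanner runs offline; the `sample` crate name and `precompiled-helper` file name are invented for the example.

```rust
// Added example (not from the thread, serde, or any existing tool): flag the
// parts of a dependency that a reviewer should read before trusting it.
use std::fs;
use std::io::Read;
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq, Eq)]
pub struct Findings {
    pub has_build_rs: bool,        // build script runs at `cargo build`
    pub is_proc_macro: bool,       // macro code runs inside rustc at build time
    pub native_binaries: Vec<PathBuf>, // shipped executables rather than source
}

/// Does Cargo.toml declare the crate as a procedural macro?
/// Accepts `proc-macro = true` or `proc_macro = true`; ignores comments.
pub fn declares_proc_macro(cargo_toml: &str) -> bool {
    cargo_toml.lines().any(|l| {
        let l = l.split('#').next().unwrap_or("").replace(' ', "");
        l == "proc-macro=true" || l == "proc_macro=true"
    })
}

/// Magic-number check for ELF, PE and Mach-O (32/64-bit, either endianness).
pub fn looks_like_native_binary(head: &[u8]) -> bool {
    head.starts_with(b"\x7FELF")
        || head.starts_with(b"MZ")
        || head.starts_with(&[0xFE, 0xED, 0xFA, 0xCE])
        || head.starts_with(&[0xFE, 0xED, 0xFA, 0xCF])
        || head.starts_with(&[0xCE, 0xFA, 0xED, 0xFE])
        || head.starts_with(&[0xCF, 0xFA, 0xED, 0xFE])
}

/// Recursively collect files whose first bytes look like a native executable.
fn walk(dir: &Path, out: &mut Vec<PathBuf>) -> std::io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if path.is_dir() {
            walk(&path, out)?;
        } else {
            let mut head = [0u8; 4];
            let n = fs::File::open(&path)?.read(&mut head)?;
            if looks_like_native_binary(&head[..n]) {
                out.push(path);
            }
        }
    }
    Ok(())
}

/// Summarise what in this crate can execute or is already compiled.
pub fn inspect_crate(crate_dir: &Path) -> std::io::Result<Findings> {
    let cargo_toml = fs::read_to_string(crate_dir.join("Cargo.toml")).unwrap_or_default();
    let mut native_binaries = Vec::new();
    walk(crate_dir, &mut native_binaries)?;
    native_binaries.sort();
    Ok(Findings {
        has_build_rs: crate_dir.join("build.rs").is_file(),
        is_proc_macro: declares_proc_macro(&cargo_toml),
        native_binaries,
    })
}

/// Constructed sample crate (not a real package) so the scanner runs offline.
pub fn make_sample_crate() -> std::io::Result<PathBuf> {
    let dir = std::env::temp_dir().join(format!("sample_crate_{}", std::process::id()));
    fs::create_dir_all(dir.join("src"))?;
    fs::write(dir.join("Cargo.toml"), "[package]\nname = \"sample\"\n\n[lib]\nproc-macro = true\n")?;
    fs::write(dir.join("build.rs"), "fn main() {}\n")?;
    fs::write(dir.join("src/lib.rs"), "// source only\n")?;
    // Constructed ELF header bytes standing in for a shipped precompiled binary.
    fs::write(dir.join("src/precompiled-helper"), b"\x7FELF\x02\x01\x01")?;
    Ok(dir)
}

fn main() -> std::io::Result<()> {
    // Usage: pass a crate directory, or run with no argument to scan the sample.
    let dir = match std::env::args().nth(1) {
        Some(p) => PathBuf::from(p),
        None => make_sample_crate()?,
    };
    let f = inspect_crate(&dir)?;
    println!(
        "{}: build.rs={} proc-macro={} native binaries={:?}",
        dir.display(), f.has_build_rs, f.is_proc_macro, f.native_binaries
    );
    Ok(())
}
```

The magic-number check is deliberately shallow: it answers "is there something compiled in here that I cannot read as source", which is the question the thread raises, not "is this binary malicious". A crate that trips any of the three flags is one where the build.rs, the macro crate, or the binary's provenance is what the reviewer has to spend time on.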