Rust Users Push Back as Popular ‘Serde’ Project Ships Precompiled Binaries – Slashdot

Rust Users Push Back as Popular ‘Serde’ Project Ships Precompiled Binaries – Slashdot


Programming

Security







Posted
by

EditorDavid

from the thinking-binary dept.

“Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary,” reports Bleeping Computer.

“The move has generated a fair amount of push back among developers who worry about its future legal and technical implications, along with a potential for supply chain attacks, should the maintainer account publishing these binaries be compromised.”

According to the Rust package registry, crates.io, serde has been downloaded over 196 million times over its lifetime, whereas the serde_derive macro has scored more than 171 million downloads, attesting to the project’s widespread circulation… The Serde ecosystem consists of data structures that know how to serialize and deserialize themselves along with data formats that know how to serialize and deserialize other things,” states the project’s website. Whereas, “derive” is one of its macros…

Some Rust developers request that precompiled binaries be kept optional and separate from the original “serde_derive” crate, while others have likened the move to the controversial code change to the Moq .NET project that sparked backlash. “Please consider moving the precompiled serde_derive version to a different crate and default serde_derive to building from source so that users that want the benefit of precompiled binary can opt-in to use it,” requested one user. “Or vice-versa. Or any other solution that allows building from source without having to patch serde_derive… Having a binary shipped as part of the crate, while I understand the build time speed benefits, is for security reasons not a viable solution for some library users.”

Users pointed out how the change could impact entities that are “legally not allowed to redistribute pre-compiled binaries, by their own licenses,” specifically mentioning government-regulated environments.


The official response from Serde’s maintainer: “The precompiled implementation is the only supported way to use the macros that are published in serde_derive. If there is implementation work needed in some build tools to accommodate it, someone should feel free to do that work (as I have done for Buck and Bazel, which are tools I use and contribute significantly to) or publish your own fork of the source code under a different name.

“Separately, regarding the commentary above about security, the best path forward would be for one of the people who cares about this to invest in a Cargo or crates.io RFC around first-class precompiled macros so that there is an approach that would suit your preferences; serde_derive would adopt that when available.”

Don’t get suckered in by the comments — they can be terribly misleading.
Debug only code.
— Dave Storer


Working…

Leave a Reply

Your email address will not be published. Required fields are marked *