So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?
dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn’t feel ok at all.
If the executable were easily reproducible from the source code, then yes, downloading a precompiled binary would be akin to executing code in build.rs or a proc macro. The fact that it’s not makes these very different, because it makes your suggestion of “vet[ting] their packages themselves” impossible.

Maybe I’m missing something, but I’m not seeing where in serde we’re downloading a precompiled binary. I see a script we can execute ourselves in the repository and an alternative serde_derive that uses that executable (after we compile it), but not where the actual published package has the executable.
It’s possible I’m missing something here though.
There, you will see that this file exists:
Yes, that’s a pre-built binary in the crate source release. It’s that bad.
Looks like I missed that, I was checking locally but I must have been checking an outdated version of the package. I’d feel better about it if it compiled on the user’s machine, which is the impression I was getting.
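One way to do the vetting discussed in this thread, as an added example that is not part of the thread or of serde: a Python script that scans a published .crate archive (a gzip tarball) for members that start with native-executable magic bytes, contain NUL bytes, or carry an executable mode bit. The sample archive and its file names are constructed inline for the demonstration.

```python
"""Flag binary artifacts inside a published Rust .crate archive (gzip tar)."""
import io
import tarfile

# Leading bytes of the common native executable formats.
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/COFF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}


def classify(head):
    """Return a format name if `head` looks like a binary, else None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    # Source and manifest files should never contain NUL bytes.
    if b"\x00" in head:
        return "binary (unknown format)"
    return None


def scan_crate(archive):
    """Return (member name, reason) for every suspicious file in the archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(8192)
            kind = classify(head)
            if kind or member.mode & 0o111:
                findings.append((member.name, kind or "executable bit set"))
    return findings


def build_sample_crate():
    """Constructed sample: two source files plus a fake ELF with mode 0755."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
        add("example-1.0.0/Cargo.toml", b'[package]\nname = "example"\n')
        add("example-1.0.0/src/lib.rs", b"pub fn f() {}\n")
        add("example-1.0.0/bin/helper", b"\x7fELF" + b"\x00" * 60, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_crate(build_sample_crate()):
        print(f"{path}: {reason}")
```

Point scan_crate at the bytes of a real .crate file from the cargo registry cache to audit a dependency; an empty result means no member tripped any of the three checks.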