•

What is going on with serde?

Meg (@megmac@treehouse.systems)

https://social.treehouse.systems/@megmac/110908709590698689

hoooooly shit the new version of serde_derive includes a pre-built executable and has no official way to turn that off? Wtaf. https://github.com/serde-rs/serde/issues/2538 #rustlang

So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?

dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn't feel ok at all.

28 comments

See all comments

Vorpal

•

I saw some other crate doing something similar but using wasm, the idea is to sandbox the binary used as a proc macro. So that seems a bit better. Can't see to find it any more.

EDIT: Found it https://lib.rs/crates/watt

Anders429

•

Fun fact: the guy who wrote watt is the same guy who wrote serde.

Mubelotix

•

Made by the same guy

manpacket

•

serde is maintained by dtolnay, he is not the original author.

Mubelotix

•

I thought he was a genious inventing so many useful tools. Does he maintain other projects he didn't create?

manpacket

•

Not sure, possibly. You still need to be pretty smart maintaining and extending all those tools.

argv_minus_one

•

Sandboxing the binary doesn't protect you. It can still insert malicious code into your application.