this post was submitted on 18 Aug 2023
83 points (100.0% liked)


So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?

dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn't feel ok at all.

[–] manpacket@lemmyrs.org 7 points 1 year ago (2 children)
[–] TehPers@beehaw.org 1 points 1 year ago (1 children)

I'm not sure I follow what that link has to do with this, though. serde is open source, anyone can go compile it themselves. In fact, from what I can tell, to get the precompiled version of serde_derive, you need to compile it yourself anyway. Compiling these proc-macros to binaries before executing the code isn't new, this is what Cargo does with all proc macros.

Also, I might be misreading the source here, but it looks like the executable needs to be manually compiled by the user on their own (by running the precompiled/build.sh script), and they need to manually add the precompiled variant of serde_derive as a dependency instead of using the version that's on crates.io. Am I missing something here? Is this automatically used by the published version of serde somewhere?

[–] manpacket@lemmyrs.org 6 points 1 year ago

No, serde_derive contains the binary and if you are on Linux it will try to run it without asking the user. In fact there's no way to make it so it won't run.

[–] lolcatnip@reddthat.com -2 points 1 year ago (1 children)

You can read the source of build.rs and proc macros executed during a build, but do you? Does anyone do that every time they add a new dependency?

[–] manpacket@lemmyrs.org 5 points 1 year ago

When adding a new dependency I almost always go over the source code to see what kind of performance to expect. If build.rs is there - checking it takes a single click so yes to that too. Derive macro - less frequently, but you have to do it when documentation is nonexistent.
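The manual check discussed in this thread (is there a build.rs, does the crate ship a prebuilt executable) can be automated over a whole dependency tree. The following is an added example, not part of the original thread and not code from serde or Cargo; it assumes the dependency sources have been copied locally with `cargo vendor` into a `vendor` directory, and it identifies native binaries only by their leading magic bytes, which is a heuristic.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::path::{Path, PathBuf};
/// What a crate source tree contains that runs, or could run, at build time.
#[derive(Debug, Default, PartialEq)]
pub struct Findings {
    pub build_scripts: Vec<PathBuf>,
    pub native_binaries: Vec<PathBuf>,
}

/// Classify the first bytes of a file as a native executable format, if any.
pub fn binary_kind(head: &[u8]) -> Option<&'static str> {
    match head {
        [0x7f, b'E', b'L', b'F', ..] => Some("ELF"),
        [b'M', b'Z', ..] => Some("PE"),
        [0xcf, 0xfa, 0xed, 0xfe, ..] | [0xfe, 0xed, 0xfa, 0xcf, ..] => Some("Mach-O"),
        _ => None,
    }
}

/// Recursively walk `root`, recording build.rs files and files with executable magic.
pub fn scan(root: &Path, out: &mut Findings) -> io::Result<()> {
    for entry in fs::read_dir(root)? {
        let path = entry?.path();
        let meta = fs::symlink_metadata(&path)?; // do not follow symlinks
        if meta.is_dir() {
            scan(&path, out)?;
        } else if meta.is_file() {
            if path.ends_with("build.rs") {
                out.build_scripts.push(path.clone());
            }
            let mut head = [0u8; 4];
            let n = File::open(&path)?.read(&mut head)?;
            if binary_kind(&head[..n]).is_some() {
                out.native_binaries.push(path);
            }
        }
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Assumption: sources live in ./vendor unless a path is passed as the first argument.
    let root = std::env::args().nth(1).unwrap_or_else(|| "vendor".into());
    let mut f = Findings::default();
    scan(Path::new(&root), &mut f)?;
    for p in &f.build_scripts { println!("build script: {}", p.display()); }
    for p in &f.native_binaries { println!("native binary: {}", p.display()); }
    Ok(())
}
```

A hit under `native_binaries` is a prompt for review rather than a verdict: test fixtures can also start with these bytes.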