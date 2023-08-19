Serde, a widely used Rust (de)serialization project, has decided to distribute its serde_derive procedural-macro crate as a precompiled binary rather than as source that is compiled on the user's machine. The move has raised concerns among developers about legal and technical implications, and about the supply chain risk if the maintainer's account were compromised: a binary that downstream users cannot rebuild or read is much harder to audit than source.

According to the Rust package registry, crates.io, serde has been downloaded over 196 million times and serde_derive over 171 million times, a measure of how much of the Rust ecosystem depends on both crates.

The issue was raised by Fabio Valentini, a member of the Fedora Packaging Committee, who noticed that recent versions of serde_derive include a precompiled binary. The problem is that Fedora's packaging guidelines require software to be built from source; precompiled binaries are permitted only in limited cases, such as firmware.

Serde is a popular serialization and deserialization framework for Rust, designed to handle these operations efficiently and generically. The serde_derive crate is the part of this ecosystem that provides the `#[derive(Serialize, Deserialize)]` procedural macros, which generate the trait implementations at compile time.

Serde's primary maintainer, David Tolnay, offered workarounds for Valentini's concerns, but not all developers are satisfied. Some argue that the precompiled binary should be optional and shipped separately from the serde_derive crate itself, while others compare the decision to the recent controversy surrounding the Moq .NET project.

Developers have expressed concerns about the security risks of precompiled binaries and about the impact on organizations that are not allowed to redistribute them because of licensing or regulatory constraints. Supply chain risk has also been raised: if the maintainer's account were hacked, a malicious binary could be published and would be far harder to spot than a change to source code.

While some see shipping precompiled binaries as a step backward, others view it as a non-issue, pointing out that proc macro and build.rs code already runs arbitrary code on the build machine and is rarely scrutinized for every dependency a project uses. Both points hold: the binary is no more powerful than a source-built macro, but source can be read, diffed between releases and rebuilt to check that it matches the published artifact, whereas a binary has to be trusted or reverse-engineered. Either way, source and binaries pulled into a build should be inspected before they are adopted, and checked again when they change.
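As an added example, not part of serde, Fedora's tooling, or the discussion above, the following POSIX shell check walks a vendored crate tree (for instance the directory produced by `cargo vendor`) and flags any file whose leading bytes match a native executable format (ELF, PE/MZ, Mach-O). It is a cheap way to notice that a dependency that is expected to be pure source now carries a compiled artifact. The directory layout and file names used in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Flag files in a crate tree that look like compiled native code rather than
# source. Added example code, not from serde or any distribution's tooling.
# Only the first four bytes of each file are examined, so this catches
# executables and shared libraries but not, for example, compressed archives.

# Print one "<format>\t<path>" line per suspected native binary under "$1".
scan_for_native_binaries() {
    dir="$1"
    find "$dir" -type f | while IFS= read -r f; do
        # Hex of the first four bytes, e.g. "7f454c46" for an ELF header.
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        case "$magic" in
            7f454c46)                     kind="ELF" ;;      # 0x7f 'E' 'L' 'F'
            4d5a*)                        kind="PE/MZ" ;;    # 'M' 'Z' DOS stub
            feedface|cefaedfe)            kind="Mach-O-32" ;;
            feedfacf|cffaedfe)            kind="Mach-O-64" ;;
            cafebabe)                     kind="Mach-O-fat-or-Java-class" ;;
            *)                            continue ;;
        esac
        printf '%s\t%s\n' "$kind" "$f"
    done
}

# Number of suspected native binaries under "$1"; handy for a CI gate.
count_native_binaries() {
    scan_for_native_binaries "$1" | wc -l | tr -d ' '
}

# Exit non-zero if any native binary is present, so the check can fail a build.
assert_source_only() {
    n=$(count_native_binaries "$1")
    if [ "$n" -ne 0 ]; then
        echo "found $n native binary file(s) under $1:" >&2
        scan_for_native_binaries "$1" >&2
        return 1
    fi
    return 0
}
```

Typical use after `cargo vendor vendor/` is `assert_source_only vendor/`, which prints the offending paths and returns 1 if any vendored crate contains an ELF, PE or Mach-O file. A hit is not proof of malice, but it is exactly the condition that a source-only packaging policy, or a reviewer who expects to read what a proc macro does, needs to know about; the next step is to compare the flagged file with a build from the corresponding source tag.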

Given the strong reaction from the developer community, it remains to be seen whether Serde will reconsider the decision or whether further discussion will address the concerns raised.