CityLife

The Power of AI Models

Technology

Serde Ships serde_derive Macro as Precompiled Binary, Sparks Concern

By Gabriel Botha

Aug 19, 2023

Serde, a widely used Rust (de)serialization project, has decided to distribute its serde_derive macro as a precompiled binary. The move has worried developers, who point to potential legal and technical implications as well as the risk of a supply chain attack if the maintainer’s account is compromised.

According to the Rust package registry, crates.io, serde has been downloaded over 196 million times and serde_derive over 171 million times, which shows how widely both are used.

The issue was brought up by a Fedora Packaging Committee member, Fabio Valentini, who noticed that recent versions of serde_derive now include a precompiled binary. The problem lies in the fact that Fedora Linux cannot distribute precompiled binaries, except in limited cases, such as firmware.

Serde is a popular serialization and deserialization framework for Rust, designed to efficiently and generically handle these operations. The serde_derive macro is a part of this ecosystem.

The primary maintainer of Serde, David Tolnay, offered potential workarounds in response to Valentini’s concerns, but not all developers are satisfied. Some argue that precompiled binaries should be optional and separate from the original serde_derive crate, while others liken this decision to the controversy surrounding the Moq .NET project.

Developers have expressed concerns about the security risks of precompiled binaries and about the impact on entities that are not allowed to redistribute them due to licensing and regulations. Supply chain risk has also been raised: if the maintainer’s account is hacked, the shipped binary could be compromised.

While some see the decision to ship precompiled binaries as a step backward, others view it as a non-issue, since proc macro code and build.rs code are not typically scrutinized in every project that uses them. Nonetheless, it is essential to routinely inspect source code and software binaries before incorporating them into projects.
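One way to act on that advice is to scan unpacked crate sources (for example the directory written by `cargo vendor`) for files that begin with a native executable header. The script below is an added example, not code from the article or from the Serde project; the crate names, file names and sample bytes in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

# First four bytes of common native executable formats.
MAGICS = {
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O universal",  # same magic as a Java .class file
}

def classify(head):
    """Name the executable format a file's first bytes indicate, or None."""
    if head[:2] == b"MZ":  # DOS/PE header
        return "PE"
    return MAGICS.get(head[:4])

def find_precompiled_binaries(root):
    """Return sorted (relative path, format) pairs for executables under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                kind = classify(fh.read(4))
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if kind:
            findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)

def demo():
    """Scan a constructed vendor tree; crate and file names are hypothetical."""
    layout = {
        "example_derive-0.0.0/src/lib.rs": b"pub fn derive() {}\n",
        "example_derive-0.0.0/example_derive-linux": b"\x7fELF\x02\x01\x01\x00",
        "other_crate-0.0.0/build.rs": b"fn main() {}\n",
        "other_crate-0.0.0/tools/helper.exe": b"MZ\x90\x00",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return find_precompiled_binaries(root)

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:<16} {rel}")
```

A hit only shows that a dependency ships an executable file; whether that file is expected, and whether it matches the published source, still has to be reviewed separately.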

Given the strong reaction from the developer community, it remains to be seen if Serde will reconsider its decision or if further discussions will take place to address the concerns raised.
