serde_derive now ships a precompiled binary. This made a lot of people angry. The crate maintainer finally locked the issue.

  • RandoCalrandian@kbin.social
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 year ago

    That’s the problem: it is incredibly difficult to verify.

    Which is exactly why people are upset.
    They’re not accusing the maintainer of doing anything malicious, they’re saying the choice that was made makes it impossible for them to verify if anything malicious was done, or will be done in the entire future of the project.

    The reasons given are easily addressed by some of the commenters suggestions, those suggestions have been ignored.

    So now a core rust library has a big shiny hackers target on it, because if someone manages to hack or trick the builder into uploading a malicious binary, no one (maintainers included) would be any the wiser.

    This is enough to get the crate blocked on a corporate level for security reasons.

    Edit: that’s not to mention the extreme end of the problem, which looks more like suits showing on his door saying “here is our secret court order that says you can’t tell anyone about this. Now change the build to use this binary we provide you because we said so”

    No regular open source maintainer has the ability to protect themselves or others against a state sponsored attack of that level, and it would likely look just like this if it happened.