So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?
dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn’t feel ok at all.
I’m not sure I follow what that link has to do with this, though. serde is open source, anyone can go compile it themselves. In fact, from what I can tell, to get the precompiled version of serde_derive, you need to compile it yourself anyway. Compiling these proc-macros to binaries before executing the code isn’t new, this is what Cargo does with all proc macros.
Also, I might be misreading the source here, but it looks like the executable needs to be manually compiled by the user on their own (by running the precompiled/build.sh script), and they need to manually add the precompiled variant of serde_derive as a dependency instead of using the version that’s on crates.io. Am I missing something here? Is this automatically used by the published version of serde somewhere?