this post was submitted on 18 Aug 2023
91 points (98.9% liked)
Rust
you are viewing a single comment's thread
If the executable were easily reproducible from the source code, then yes, downloading a precompiled binary would be akin to executing code in build.rs or a proc macro. The fact that it's not makes these very different, because it makes your suggestion of "vet[ting] their packages themselves" impossible.

Maybe I'm missing something, but I'm not seeing where in serde we're downloading a precompiled binary. I see a script we can execute ourselves in the repository and an alternative serde_derive that uses that executable (after we compile it), but not where the actual published package has the executable.
It's possible I'm missing something here though.
Edit: Ogh, using ᐸ which is a replacement character because Lemmy escapes the real one. This is annoying.

There, you will see that this file exists:
Yes, that's a pre-built binary in the crate source release. It's that bad.
Looks like I missed that, I was checking locally but I must have been checking an outdated version of the package. I'd feel better about it if it compiled on the user's machine, which is the impression I was getting.
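The thread turns on a check that is cheap to do yourself: does the published crate source, as unpacked under ~/.cargo/registry/src/ or by cargo vendor, contain a native executable that you did not compile? The following is an added example written for this thread, not code from serde, from any commenter, or from the Rust project. It is a std-only Rust scanner that walks a directory tree and reports files whose leading bytes are an ELF, Mach-O or PE header. The sample crate tree it writes to a temp directory, including the file named sample-x86_64-unknown-linux-gnu and its ELF-looking contents, is constructed for the demonstration and is not the real serde_derive artifact.

```rust
// Added example for this thread (not serde's or the Rust project's code):
// find precompiled native executables inside an unpacked crate source tree.
use std::fs;
use std::io::Read;
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicUsize, Ordering};

/// Executable formats recognised by their leading magic bytes.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum BinaryKind {
    Elf,
    MachO,
    Pe,
}

/// Classify a file by its first bytes. Only a short prefix is needed, so the
/// scanner reads at most four bytes per file.
pub fn classify(header: &[u8]) -> Option<BinaryKind> {
    match header {
        [0x7f, b'E', b'L', b'F', ..] => Some(BinaryKind::Elf),
        // 32/64-bit Mach-O in either byte order, plus universal (fat) binaries.
        // Note: 0xCAFEBABE is also the Java class-file magic, so treat a hit
        // as "go look", not as proof of a native binary.
        [0xfe, 0xed, 0xfa, 0xce, ..]
        | [0xfe, 0xed, 0xfa, 0xcf, ..]
        | [0xce, 0xfa, 0xed, 0xfe, ..]
        | [0xcf, 0xfa, 0xed, 0xfe, ..]
        | [0xca, 0xfe, 0xba, 0xbe, ..] => Some(BinaryKind::MachO),
        // PE executables start with the DOS "MZ" stub.
        [b'M', b'Z', ..] => Some(BinaryKind::Pe),
        _ => None,
    }
}

/// Walk `root` recursively and return every regular file that looks like a
/// native executable, sorted by path. Symlinks are skipped.
pub fn find_prebuilt_binaries(root: &Path) -> std::io::Result<Vec<(PathBuf, BinaryKind)>> {
    let mut hits = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let path = entry.path();
            let ty = entry.file_type()?;
            if ty.is_dir() {
                stack.push(path);
            } else if ty.is_file() {
                let mut header = [0u8; 4];
                let n = fs::File::open(&path)?.read(&mut header)?;
                if let Some(kind) = classify(&header[..n]) {
                    hits.push((path, kind));
                }
            }
        }
    }
    hits.sort_by(|a, b| a.0.cmp(&b.0));
    Ok(hits)
}

/// Constructed sample input: an ordinary-looking crate plus one file whose
/// contents begin with the ELF magic, standing in for a shipped binary.
pub fn write_sample_crate(root: &Path) -> std::io::Result<()> {
    fs::create_dir_all(root.join("src"))?;
    fs::write(root.join("Cargo.toml"), "[package]\nname = \"sample\"\nversion = \"0.1.0\"\n")?;
    fs::write(root.join("src").join("lib.rs"), "pub fn f() {}\n")?;
    fs::write(root.join("build.rs"), "fn main() {}\n")?;
    let mut fake_elf = vec![0x7f, b'E', b'L', b'F', 0x02, 0x01, 0x01, 0x00];
    fake_elf.extend_from_slice(b"not a real executable, magic bytes only");
    fs::write(root.join("sample-x86_64-unknown-linux-gnu"), fake_elf)?;
    Ok(())
}

/// Build the sample crate in a fresh temp directory, scan it, and return the
/// hits as paths relative to the crate root.
pub fn scan_sample() -> std::io::Result<Vec<(String, BinaryKind)>> {
    static COUNTER: AtomicUsize = AtomicUsize::new(0);
    let n = COUNTER.fetch_add(1, Ordering::SeqCst);
    let root = std::env::temp_dir().join(format!("crate-scan-{}-{}", std::process::id(), n));
    let _ = fs::remove_dir_all(&root);
    write_sample_crate(&root)?;
    let hits = find_prebuilt_binaries(&root)?;
    let rel = hits
        .into_iter()
        .map(|(p, k)| (p.strip_prefix(&root).unwrap().to_string_lossy().into_owned(), k))
        .collect();
    fs::remove_dir_all(&root)?;
    Ok(rel)
}

fn main() -> std::io::Result<()> {
    // With a path argument, scan a real unpacked crate; otherwise scan the sample.
    match std::env::args().nth(1) {
        Some(dir) => {
            for (p, k) in find_prebuilt_binaries(Path::new(&dir))? {
                println!("{:?}\t{}", k, p.display());
            }
        }
        None => {
            for (p, k) in scan_sample()? {
                println!("{:?}\t{}", k, p);
            }
        }
    }
    Ok(())
}
```

Point it at a directory under ~/.cargo/registry/src/ to check what cargo actually downloaded rather than what the upstream repository contains, which is the distinction the thread above stumbles on. A magic-byte check is only a first pass: it will not catch a binary that is compressed or base64-encoded inside a source file and materialised by build.rs, so it complements reading build.rs and proc-macro sources rather than replacing it.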