Rust devs push back as Serde project ships precompiled binaries

132 点作者 Icathian将近 2 年前

19 条评论

The issue has now been locked and no further conversation can take place on it. This is without a further comment.I found the discussion to be mostly very civilized and focused on finding solutions for those affected.<a href="https://github.com/serde-rs/serde/issues/2538">https://github.com/serde-rs/serde/issues/2538</a>It's all the right of the author. And he's done so before.Unfortunately, I'm afraid this could lead to a more fragmented ecosystem which is a pity.It takes a long time to build trust but it can be destroyed quickly. I'm not sure if the author cares about that though. From my reading of the comments he doesn't."If there is implementation work needed in some build tools to accommodate it, someone should feel free to do that work (as I have done for Buck and Bazel, which are tools I use and contribute significantly to) or publish your own fork of the source code under a different name."<a href="https://github.com/serde-rs/serde/issues/2538#issuecomment-1682519944">https://github.com/serde-rs/serde/issues/2538#issuecomment-1...</a>This is so sad.

评论 #37190315 未加载

评论 #37190280 未加载

评论 #37190289 未加载

__jem将近 2 年前

People have complained about the build time of proc macros for ages in the community. This might be a misguided hack, but the response to this is bordering on a witch hunt, particularly when there is a glaring security hole (build.rs) that most people likely use without second thought every single day. I simply do not believe that most people commenting on this issue are auditing the builds of all their transitive dependencies.

评论 #37190357 未加载

评论 #37190340 未加载

评论 #37190913 未加载

评论 #37190610 未加载

评论 #37190385 未加载

earthnail将近 2 年前

I dislike some of the framing of the article. In particular:> Valentini further inquired to the project maintainers, how were these new binaries "actually produced," and if it would be possible for him to recreate the binaries, as opposed to consuming precompiled versions. David Tolnay, who is the primary Serde maintainer, responded with potential workarounds at the time.The article links to the response [1] as well, which is very good. However, the response doesn't provide workarounds. It provides clear instructions:>> how is the x86_64-unknown-linux-gnu binary actually produced? Would it be possible for us to re-create the binary ourselves so we can actually ship it?> By <a href="https://github.com/serde-rs/serde/blob/v1.0.177/precompiled/build.sh">https://github.com/serde-rs/serde/blob/v1.0.177/precompiled/...</a>. Yes.When the article states that the library author only provided "potential workarounds", it sounded really shady to me, and I believe this is mischaracterizing the real response.[1] <a href="https://github.com/serde-rs/serde/issues/2538#issuecomment-1654783988">https://github.com/serde-rs/serde/issues/2538#issuecomment-1...</a>

评论 #37189987 未加载

评论 #37190224 未加载

andrewflnr将近 2 年前

On the argument of "you're not reading build.rs anyway": yes, but you can, and that's a critical difference."No one" is validating all their transitive dependencies for weird binaries, except a few people, and that's enough to get us all here talking about it. In the internet age it only takes one. But if you make it require more work to inspect a blob, you reduce the chances that you'll get even that one person who sounds the alarm. At minimum malicious code will survive longer that way.

LispSporks22将近 2 年前

Plenty of projects ship binaries without a problem. Nearly every Linux distribution, for example. What’s special about Rust in that binaries for dependencies are a problem?Also, for the “why” - is it just the very slow build times for Rust?

评论 #37190051 未加载

评论 #37189923 未加载

评论 #37190165 未加载

评论 #37190587 未加载

Icathian将近 2 年前

I'm curious whether those with more professional exposure to rust are concerned about this or think it's noisy for no reason?I'd also be curious if anyone has any good explanations as to why a choice like this would be made?

评论 #37190869 未加载

评论 #37190106 未加载

评论 #37190586 未加载

评论 #37192236 未加载

评论 #37189930 未加载

SnowProblem将近 2 年前

I don't understand why this is so complex? Just make it a feature you put in Cargo.toml:serde = { version = "1.0", features = ["serde_derive", "fast_compile"] }Either opt-in or opt-out is fine. It's surely useful during development but it shouldn't be on for production builds. Any transitivity issues should be considered problems with the dependency.

评论 #37191965 未加载

frankjr将近 2 年前

Update: Removed in v1.0.184 (<a href="https://github.com/serde-rs/serde/releases/tag/v1.0.184">https://github.com/serde-rs/serde/releases/tag/v1.0.184</a>)

photonbeam将近 2 年前

Regardless of the circumstances, non-optional binary dependencies doesn’t pass the smell test

评论 #37190477 未加载

pshc将近 2 年前

Could be neat if serde (and other libraries with proc macros) were able to ship WebAssembly blobs. Wasm blobs are portable and run with restricted capabilities. Rustc could expose an embedded API to allow the wasm to generate code and expand macros without hitting the network.

tamimio将近 2 年前

The sketchy part is it was changed and shipped silently and in a sneaky way, and if it wasn’t for some developer to notice it, he wouldn’t have mentioned it.. However, no need to pushback or anything, consider the maintainer got hit by a bus, fork it, and take it from there.Also, the “security” guy claiming no one is going to read it, do you read linux kernel every update? No, not you, but other developers do, or whenever someone is interested/auditing they can, that kind of arguments are stupid.

评论 #37191013 未加载

lamontcg将近 2 年前

Rubygems have been doing this for about a decade now to provide precompiled binaries for Windows systems in particular (generally while compiling native extensions on Linux at install time, although sometimes shipping precompiled binaries for most every target for speed + decoupling the build environment).

jmull将近 2 年前

What problem does using precompiled binaries solve for serde?

评论 #37190281 未加载

评论 #37190334 未加载

评论 #37191147 未加载

38将近 2 年前

serde is bloated anyway. see for yourself:146 kB: <a href="https://crates.io/crates/serde_json" rel="nofollow noreferrer">https://crates.io/crates/serde_json</a>43 kB: <a href="https://crates.io/crates/sj" rel="nofollow noreferrer">https://crates.io/crates/sj</a>29 kB: <a href="https://crates.io/crates/humphrey_json" rel="nofollow noreferrer">https://crates.io/crates/humphrey_json</a>7 kB: <a href="https://crates.io/crates/rust_json" rel="nofollow noreferrer">https://crates.io/crates/rust_json</a>

评论 #37190309 未加载

评论 #37190577 未加载

评论 #37190142 未加载

评论 #37190500 未加载

0xDEF将近 2 年前

Will this be considered a breaking change according to the SemVer conventions?

评论 #37190378 未加载

评论 #37190358 未加载

leoh将近 2 年前

Java ships everything with JARs, though? Binary.

评论 #37197109 未加载

评论 #37198510 未加载

mmastrac将近 2 年前

dupe of <a href="https://news.ycombinator.com/item?id=37183361">https://news.ycombinator.com/item?id=37183361</a>

mistrial9将近 2 年前

chrome-on-linux visit to that bleepingcomputer site, prompted for an xdg-open of an external app?

lucasyvas将近 2 年前

As far as I'm concerned pre-compiled binaries should only be offered as potential default in scripting language ecosystems - there is an expectation that things should "just work".I don't mind it for when I work in Node - honestly I prefer it. But in Rust? The entire toolchain is designed to compile from source. It may be a bit slow for certain crates still, but that's much weaker justification to make pre-compiled the default.Crates should compile from source by default as long as source actually exists (ex. has not been lost somehow, or wide distribution of the crate is unlikely). I don't buy any of the malicious theories since the author is well appreciated and respected. It's likely just a misguided choice in this case.People have rightly mentioned build.rs flexibility - I think there is nuance here and maybe it's good to discuss what default behavior should be expected by users, since sometimes build.rs does wild and useful things.