Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among developers, who point to the legal and technical issues a precompiled artifact may pose down the line, along with the potential for supply-chain attacks.
The maintainer took a very FOSS approach of “this is better and the tools we use don’t support better choices, so you’re welcome to fix the tools.”
If the binary matched the source code, that argument would hold, but it doesn’t, which is sounding alarm bells in my head. Just what is in those 600 kilobytes of machine code?
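The two checks this raises for a defender are inventory (which of my dependencies ship native executables at all?) and reproducibility (does the shipped binary match what the published source builds to?). The script below is an added example, not code from the Serde project or from the author of this post. It assumes a directory with one subdirectory per crate, which is the layout `cargo vendor` produces and also what you find under `~/.cargo/registry/src/<index>/`; the sample tree it constructs, the fake ELF file and the crate names in it are made up for the demonstration, and the magic-byte table is deliberately not exhaustive.

```python
"""Find native executables inside vendored crate sources, and compare a
shipped binary against one rebuilt from source (example code, not Serde's)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Leading magic bytes of common native executable formats.
# Constructed for this example; covers the usual ELF/PE/Mach-O cases only.
NATIVE_MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"\xfe\xed\xfa\xce": "Mach-O",
    b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O fat (or Java class)",
}


def classify(path):
    """Return the executable format for `path`, or None if its first bytes
    match no known native-executable magic."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return None
    for magic, label in NATIVE_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def scan_crates(root):
    """Walk `root` (one subdirectory per crate, as `cargo vendor` lays out)
    and return a sorted list of (crate, relative_path, format) for every file
    that looks like a native executable."""
    root = Path(root)
    hits = []
    for crate_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for dirpath, _dirs, files in os.walk(crate_dir):
            for name in files:
                full = Path(dirpath) / name
                label = classify(full)
                if label:
                    hits.append((crate_dir.name, str(full.relative_to(crate_dir)), label))
    return sorted(hits)


def sha256_file(path):
    """Streaming SHA-256 of a file, so large artifacts are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def same_artifact(shipped, rebuilt):
    """True when a shipped binary is byte-identical to one you rebuilt from
    the published source; a mismatch is the situation the text objects to."""
    return sha256_file(shipped) == sha256_file(rebuilt)


def make_sample_tree():
    """Constructed vendor directory in a temp dir: one source-only crate and
    one crate that ships a fake ELF file. Returns the root as a string."""
    root = Path(tempfile.mkdtemp(prefix="vendor-sample-"))
    clean = root / "clean-crate-1.0.0" / "src"
    clean.mkdir(parents=True)
    (clean / "lib.rs").write_text("pub fn hello() {}\n")
    shipped = root / "shipped-bin-crate-1.0.0"
    (shipped / "src").mkdir(parents=True)
    (shipped / "src" / "lib.rs").write_text("pub fn hello() {}\n")
    # Fake ELF: just the magic header plus zero padding, not a real program.
    (shipped / "precompiled-macro-bin").write_bytes(b"\x7fELF" + b"\0" * 60)
    return str(root)


if __name__ == "__main__":
    root = make_sample_tree()
    for crate, rel, fmt in scan_crates(root):
        print(f"{crate}: {rel} ({fmt})")
```

Point `scan_crates` at a real vendor directory to get the inventory; any hit is a dependency whose behaviour you cannot audit by reading Rust. For the second check, build the crate from its published source with a pinned toolchain and pass the shipped file and your own output to `same_artifact`; if the build is not reproducible the digests differ even when nothing is wrong, so a mismatch is a prompt to investigate rather than proof of tampering.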