Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among some developers who highlight the future legal and technical issues this may pose, along with a potential for supply chain attacks.
I’ve been pinning my projects with the code in https://github.com/rust-lang/miri/pull/3032
In particular, the important part is:
Which both avoids the conflicts an =version pin would produce and ensures all your dependencies with ranged serde versions will use a version without the binary if possible.
The developer has agreed to remove the precomputed binary in v1.0.184:
https://github.com/serde-rs/serde/releases/tag/v1.0.184
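As an added example that is not from the thread, the miri PR or the serde project: a small POSIX shell audit of a Cargo.lock that reports which serde_derive version actually resolved and flags anything below v1.0.184, the release linked above that dropped the binary. The lockfile it writes for demonstration is constructed, and the script name, function names and version values in it are assumptions.

```shell
# Added example, not code from the thread or the miri PR: audit a Cargo.lock
# for the serde_derive version(s) actually resolved and flag any below
# 1.0.184, the release the thread names as the one that dropped the binary.
MIN_OK="1.0.184"

# Print every version of package $2 resolved in lockfile $1, one per line.
# Lockfile stanzas read: [[package]] / name = "x" / version = "y" / ...
lock_versions() {
  awk -v pkg="$2" '
    $0 == "[[package]]" { hit = 0; next }
    $1 == "name" && $3 == "\"" pkg "\"" { hit = 1; next }
    $1 == "version" && hit { gsub(/"/, "", $3); print $3; hit = 0 }
  ' "$1"
}

# Return 0 if every resolved version of $2 in $1 is >= MIN_OK, else 1.
check_lock() {
  rc=0
  for v in $(lock_versions "$1" "$2"); do
    # sort -V orders dotted versions numerically; line 1 is the lowest
    lowest=$(printf '%s\n%s\n' "$MIN_OK" "$v" | sort -V | head -n 1)
    if [ "$lowest" = "$MIN_OK" ]; then
      echo "OK:   $2 $v"
    else
      echo "FAIL: $2 $v in $1 is below $MIN_OK"
      rc=1
    fi
  done
  return $rc
}

# Write a constructed Cargo.lock to $1 for demonstration (versions made up).
write_sample_lock() {
  cat > "$1" <<'EOF'
version = 3

[[package]]
name = "serde"
version = "1.0.188"

[[package]]
name = "serde_derive"
version = "1.0.183"
EOF
}

# Usage: sh audit_serde.sh path/to/Cargo.lock
if [ $# -ge 1 ]; then check_lock "$1" serde_derive; fi
```

Running it against a real lockfile after bumping the constraint shows whether the resolver actually picked a post-binary serde_derive or whether some other dependency still drags in an older one.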
Awesome!
Gotta figure a way to avoid the specific versions but I’m glad they relented.
“<” should be a less-than sign, but it gets delimited into HTML magic character codes for some reason but only inside a code block? >.<
Yeah, I’ve noticed this happening elsewhere on Lemmy instances, too.