So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?
dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn’t feel ok at all.
I saw some other crate doing something similar but using wasm, the idea is to sandbox the binary used as a proc macro. So that seems a bit better. Can’t see to find it any more.
EDIT: Found it https://lib.rs/crates/watt
Fun fact: the guy who wrote
wattis the same guy who wroteserde.Made by the same guy
serdeis maintained by dtolnay, he is not the original author.I thought he was a genious inventing so many useful tools. Does he maintain other projects he didn’t create?
Not sure, possibly. You still need to be pretty smart maintaining and extending all those tools.
Sandboxing the binary doesn’t protect you. It can still insert malicious code into your application.