this post was submitted on 18 Aug 2023
91 points (98.9% liked)

Rust

6035 readers
1 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

[email protected]

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 1 year ago
MODERATORS
91
What is going on with serde? (social.treehouse.systems)
submitted 1 year ago by snaggen to c/rust
 

So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?

dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn't feel ok at all.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (3 children)

I saw some other crate doing something similar but using wasm, the idea is to sandbox the binary used as a proc macro. So that seems a bit better. Can't see to find it any more.

EDIT: Found it https://lib.rs/crates/watt

[–] [email protected] 9 points 1 year ago

Fun fact: the guy who wrote watt is the same guy who wrote serde.

[–] [email protected] 8 points 1 year ago (1 children)
[–] [email protected] 7 points 1 year ago (1 children)

serde is maintained by dtolnay, he is not the original author.

[–] [email protected] 5 points 1 year ago (1 children)

I thought he was a genious inventing so many useful tools. Does he maintain other projects he didn't create?

[–] [email protected] 9 points 1 year ago

Not sure, possibly. You still need to be pretty smart maintaining and extending all those tools.

[–] [email protected] 2 points 1 year ago

Sandboxing the binary doesn't protect you. It can still insert malicious code into your application.