@megmac quoting from one of the comments in the github issue:
> the idea that the act of compiling software
> downloads and runs blobs feels wrong to me
I agree with that, but hasn't this been a problem with rust all along?
When I was building a Linux From Scratch (LFS) system a while ago, having all source code in place first and then building everything offline from those sources, it was rust-related things that gave me problems because rust insisted on downloading binaries.
@megmac @eliasr I misread that title at first as “Reflections on Trusting Rust” and was perplexed by the date 😆
Searching, I found Thompson’s paper - https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf - but also “Reflections on Rusting Trust”: http://manishearth.github.io/blog/2016/12/02/reflections-on-rusting-trust/
Added to my reading list 👨‍🏫
@eliasr sure, it's always been an issue. There's even a famous paper on it ("reflections on trusting trust" from 1984).
This is a pretty different level of the stack though, and the change to doing so was subtle and basically invisible so it kind of creates its own distrust. We know absolutely nothing about the machine the binary was compiled on. At least with rust there's some visibility into the builder infra that produced the binaries needed to bootstrap the compiler.
You *can* bootstrap rust from a C compiler btw, it just takes a lot of steps since rust has been self-hosted for quite a while.