Was the entire #serde fiasco just for making a point? I had a feeling that dtolnay's reactions were... odd. https://internals.rust-lang.org/t/pre-rfc-sandboxed-deterministic-reproducible-efficient-wasm-compilation-of-proc-macros/19359
There was no drama, there is no healing, #serde developers listened to the community and reverted. Why all the fuss, people?
Now that the #Serde issue is resolved by removing the binary, I want to thank @decathorpe again, not only for reporting the issue, but also for all his efforts in the #Rust and #Fedora communities ❤
For others: Please don't call things like this "drama" again. This is pushing back against mistakes that would affect the whole community. I love how much the community cares and that such problems are not ignored 🥰
We are not here to only get things done, we are building a future ❤
#serde #rust #fedora #rustlang
Regarding the recent #serde controversy, there's one argument I've heard a lot that I still don't understand:
What is the threat model where sandboxing only build.rs provides any additional security in case of a compromised dependency? Most likely you don't just want to compile something but also run it, in which case the compromised dependency can still run code on your system.
And except for build-only systems that create prebuilt packages, you would always compile *and* run your code.
So, looking at the pre-rfc, it doesn't feel like something made on a whim. Was this whole serde thing just a political stunt to prove that proc macros need to run in a sandbox?
Either way, both build.rs and proc macros have always been a bit iffy, so I'm happy if at least one of them can be solved.
#fefe is amused that #Rust has no bootstrap from sources, while OCaml has supposedly shown how it's done since forever.
That in the #serde discussion.
1. In my opinion, the one has nothing whatsoever to do with the other.
2. rustc is written in #Rust and therefore requires a rustc compiler to compile.
3. OCaml also needs binaries to bootstrap.
4. OCaml, like Rust, offers a normal binary installation.
5. Rust has bootstrap crates.
The serde thing is rubbish, and so is the silly polemic.
@megmac the precompiled binary was removed in the recent version 1.0.184
Rust devs push back as Serde project ships precompiled binaries, https://www.bleepingcomputer.com/news/security/rust-devs-push-back-as-serde-project-ships-precompiled-binaries/.
A short summary of what’s happening around serde right now in Rust.
Based on the discussion here and in the PR, I've gone ahead and completed the PR to support null values in #Serde. If you use it currently, please review and make sure it doesn't break more than I already know it does. 🙂 #PHP I'll probably merge in a week or so, barring any contrary reviews.
Hey #serde if you keep hiding these questions then people are gonna keep asking why it's not opt-in!!
I think that #Rust needs a concept like #Gnome core and circle apps:
Here are more details about Gnome circle:
This will not only support developers of central crates in the ecosystem, but should also prevent another one-owner-dictatorship.
Yes, maintainers can do whatever they want in their own projects, but the community should have a backup when a maintainer doesn't act with the community in mind anymore.
Anyone else more than anything just really sad about the whole #serde thing?
It's really sad that this has happened, and that it has irrevocably eroded a lot of trust in not just serde, but all of dtolnay's crates, and by extension almost the entire Rust ecosystem.
The situation so *plainly* exposes one of the biggest problems in #OSS *when it is relied upon at scale* - which is that voluntary work cannot be demanded to answer to expectations
Well, this didn't take long 😬
serde-deblobbed: Fork of serde-rs without binary blobs
https://github.com/commons-rs/serde-deblobbed
Can someone design a logo for this please that shows a blob emoji that is crossed out.😄
Edit: I've made a logo and opened an issue:
https://github.com/commons-rs/serde-deblobbed/issues/1
🤓
Rust people out there: the #serde drama (gosh, I already hate myself for picking that up) and "should we move serde to rust-lang" left me with a question: why the syn crate? Like, it is a 3rd-party Rust code parser for macros, which was written even though we already have a Rust code parser (the compiler itself lol). Can't we just move the parser out of rustc and make it available for everyone?
PS: pls don't tell me that syn is autogenerated or smth like that?
#rust #rustlang
HN discussion on the #rustlang #serde issue: https://news.ycombinator.com/item?id=37189462. I am no expert on supply chain problems, but packages shipping binary blobs instinctively doesn't feel right.