So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?
dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn’t feel ok at all.
bsdtar tfv ᐸ(curl -sL https://static.crates.io/crates/serde_derive/serde_derive-1.0.183.crate)Edit: Ogh, using
ᐸwhich is a replacement character because Lemmy escapes the real one. This is annoying.There, you will see that this file exists:
-rwxr-xr-x 0 0 0 690320 Jul 24 2006 serde_derive-1.0.183/serde_derive-x86_64-unknown-linux-gnuYes, that’s a pre-built binary in the crate source release. It’s that bad.
Looks like I missed that, I was checking locally but I must have been checking an outdated version of the package. I’d feel better about it if it compiled on the user’s machine, which is the impression I was getting.