So, serde seems to be downloading and running a binary on the system without informing the user and without any user consent. Does anyone have any background information on why this is, and how this is supposed to be a good idea?
dtolnay seems like a smart guy, so I assume there is a reason for this, but it doesn’t feel ok at all.
I saw some other crate doing something similar but using wasm; the idea is to sandbox the binary used as a proc macro. So that seems a bit better. Can’t seem to find it any more.
EDIT: Found it https://lib.rs/crates/watt
Sandboxing the binary doesn’t protect you. It can still insert malicious code into your application.
Made by the same guy
serde is maintained by dtolnay, he is not the original author.