Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among some developers who highlight the future legal and technical issues this may pose, along with a potential for supply chain attacks.
Since it’s open source, could someone fork off a drop-in replacement that compiles from source?
Edit: No need now:
https://github.com/serde-rs/serde/releases/tag/v1.0.184
TLDR: Forking is a hostile move, let us keep it as a last resort and start by communicating first.
Someone could, but it is much more complicate than that.
You will need to convince every crate that uses
serde
(or at least every crate in your dependencies) to switch to your fork. Andserde
is extremely popular in the Rust community, you would be quite busy.You will need to reach out to every author of a crate depending on
serde
. Some of them will not be aware of this problem. Some will not understand why this is a problem. Some will agree with the current implementation. Some will refuse to switch in order to avoid splitting the community.And the split is going to happen anyway, because many will not switch due to these points.
Then you will have to maintain such fork, which might or might not be a particularly time-consuming job for a particular project, but it is a job nonetheless.
Also, just straight forking a project is a quite hostile move. The proper way to handle this is to contact the maintainer, ask why this change was made, and start a discussion arguing the drawbacks and asking to revert it.
It is also worth mentioning that the maintainer of
serde
is very active in the Rust community, and they maintain a lot of other popular crates. Just to name a few:anyhow
,async-trait
,semver
,syn
,thiserror
. They are definitely an important member of the community, and a very experienced one. They are not immune from mistakes, of course, but I think we would be much better off by talking to them than just assuming bad faith and hijacking their project.Diplomacy goes a long way, and I would be very surprised to find out that they are completely unreasonable with respect to this issue (from my limited interaction with them, they seem a rather decent person).
Meanwhile, we can pin a version of
serde
that does not have this issue. There is no need to rush.