POLL: Should time
restrict the version of serde
that is used?
#611
Replies: 14 comments 15 replies
-
Something missing from this is the implications of this change. By putting an upper bound on a version requirement, it can make impossible to resolve dependency combinations that are confusing to end users, especially when these are transitive dependencies (e.g. reddit thread) See https://doc.rust-lang.org/nightly/cargo/reference/specifying-dependencies.html#multiple-requirements for more details |
Beta Was this translation helpful? Give feedback.
-
I think the pinning also prevents swapping serde with something like https://github.com/commons-rs/serde-deblobbed since the latter uses the newer version number (see note in their README). |
Beta Was this translation helpful? Give feedback.
-
First of all, I appreciate that this poll is being done and that there is a plan in place to deal with whatever decision However, I'd like to continue discussing the security implications of this change, as I believe they are more nuanced than they might appear at first glance, and those nuances may justify changing the actions taken. I also think that, in general,
That's a reasonable a priori view, but it's not complete. To begin the discussion, let's keep in mind what I think we can all agree are the essential items to review when assessing whether or not a software supply chain is secure:
In the case of the precompiled The relevant contents of
Approaches to deciding whether to trust On the other hand, the approaches to deciding whether to trust But the possibility of source code being obfuscated is not the only reason why I said "usually". As much as I don't like it, the vast majority of computers in the world are running binaries whose source code and build process are not publicly known: from Intel Management Engine firmware to NVIDIA drivers, passing through proprietary operating systems and beyond, there are many binaries with unknown source code running on a typical system, and any one of them can create security vulnerabilities. In practice, how do people even get some sense sense of security with all these black boxes of code? There are several approaches, and some of them can be easier than reviewing source code under some circumstances:
Given this walkthrough of how would a responsible and resourceful developer would evaluate security vulnerabilities and ways to address them, I think it's abundantly clear that the solution of enforcing stricter than necessary version requirements on As I said in other posts, the proper way for By the way, may I remember you all of the fact fact that, as far as I know, three weeks have gone by without |
Beta Was this translation helpful? Give feedback.
-
This is basic supply-chain security ... and a lot about trust when it's lost Given this change was never done in a manner that ensured
This exposes potentially the Even if someone for once makes auditable / reproducible build it will take long time until this gets into the tooling given wide ecosystem. This change flew through unnoticed - granted https://crates.io/crates/cackle gave a heads-up It was easy to be naive when it was not properly documented though. Many FOSS things require informed "non-free" or so opt-in - not by default - mechanism to binary blobs Using precompiled binaries at libraries is IMO not the way to go and I am glad time made the choice of not opting into the bins. This isn't just a security issue but this is a build issue that was supposed to be "Experiment" given changelog. Does that tell anyone about opting into something knowingly ? I don't think so. Besides that it takes agency away and this was done silently in the supply-chain. We should not be operating at reverse-engineering binaries level or changing my workflows to audit any upstream code changes. The code-changes as per current workflows are designed for source-level changes and not running binary-level reproducible builds. Sorry but until the system evolves - these kind of changes should not be pushed like this and anyone is welcome to opt-out. And by opting out,
Let's keep in mind that people have different build & development environments. And the fact that it is reversible and temporary which can be relaxed after this has been vetted and ironed out. So needless to say I am woting 👍 |
Beta Was this translation helpful? Give feedback.
-
Decisions by both |
Beta Was this translation helpful? Give feedback.
-
I'd like to mention that @pinkforest has submitted a PR to |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
I voted 👎🏾, because there are workarounds that this change would disable: serde-rs/serde#2538 (comment) Also taking options away isn't any better and we should wait for things to cold down. |
Beta Was this translation helpful? Give feedback.
-
How about declaring serde 1.0.171 as the latest "officially" supported and testing it on CI (by running |
Beta Was this translation helpful? Give feedback.
-
I hope that everyone voting with thumbs up is aware of the implications of their decision? Effectively causing a split of the whole Rust ecosystem that has dependencies on serde. This is inevitable if only some but not all crates decide to restrict the versions of serde. You could only use the libraries from either side, but not both. More and more version conflicts will arise. Personally I don't understand why libraries try to act as a guardian for their users without any necessity. Upper version bounds could be applied by binaries in their local scope without affecting everyone else. |
Beta Was this translation helpful? Give feedback.
-
There's a chance that the situation will be resolved: serde-rs/serde#2584 (comment) |
Beta Was this translation helpful? Give feedback.
-
Ok the issue has been resolved - see: We've spent some time auditing the previous versions. |
Beta Was this translation helpful? Give feedback.
-
That's not an excuse for publishing a patch release without review that breaks builds. |
Beta Was this translation helpful? Give feedback.
-
As the deadline how now been reached, the vote is over. The result is clear: 121 in favor (70%) and 51 opposed (30%). I have saved this page with archive.org for verifiability: link. Given this result, the versions of Thank you to everyone who provided input! There were far more people who voted than I expected. I will be closing this discussion as the poll has ended, but it will not be locked (such that further comments can be made). |
Beta Was this translation helpful? Give feedback.
-
Context: serde-rs/serde#2538
There is a roughly 8 second improvement in compile time for the initial (non-incremental) build, with incremental builds being slightly slower. My thoughts are present here. One correction is that it is not a 3 millisecond improvement, but a 3 millisecond regression per invocation.
Due to the change in
serde
being a potential security vulnerability, I changed the semver requirement to be<= 1.0.171
, which excludes all versions with pre-built binaries. This has caused a fair amount of disagreement about the reasonableness of my action.Voting
If you support the change and want versions of
serde
with pre-built binaries to be unsupported bytime
, please react with 👍.If you do not support the change and want all versions of
serde
to be supported bytime
, including those with pre-built binaries, please react with 👎All other reactions will be ignored.
This poll will remain open until 2022-08-22 0:00 UTC. After voting closes, a new release will be made if necessary. For the result to be valid, a minimum of 20 total votes are required.
Discussion
I will be leaving the discussion unlocked, but will not be responding to any messages. However, all replies will be monitored for compliance with the code of conduct.
Results
The results can be viewed here.
Beta Was this translation helpful? Give feedback.
All reactions