Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among some developers who highlight the future legal and technical issues this may pose, along with a potential for supply chain attacks.
Seems the precompiled binary isn’t reproducible. It seems odd that they would even consider this option without figuring that out first.
I don’t like the comparisons to Moq. The issue with Moq was the use of a precompiled binary explicitly designed to exfiltrate PII. That’s not fixable. It’s inherently malicious. This is an implementation detail that will run afoul of security policies and break build systems, but it can be fixed.