Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among developers, who point to the legal and technical issues it may pose in future, along with the potential for supply chain attacks.
If the binary matched the source code, that argument would hold, but it doesn’t, which is sounding alarm bells in my head. Just what is in those 600 kilobytes of machine code?