nordic-dev.net/rust
nordic-dev.net/rust
2
0
Fork 0
mirror of https://github.com/rust-lang/rust.git synced 2024-11-30 18:53:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto merge of #3032 - RalfJung:serde, r=RalfJung,oli-obk

Browse Source 
pin a version of serde without intransparent unreproducible binary blobs

Serde is [shipping a binary blob in its derive crate](https://github.com/serde-rs/serde/issues/2538), which is highly unexpected and subverts user trust. To make matters worse, the binary is [not even reproducible](https://github.com/serde-rs/serde/issues/2575), making the crate largely unauditable and relinquishing the security benefits of open-source software. Build times are not nearly painful enough to justify forcing users to trust binary blobs.
This commit is contained in:
bors 2023-08-20 14:44:52 +00:00
commit 92217bb93d
4 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/tools/miri/Cargo.lock
View File

@ -443,6 +443,7 @@ dependencies = [
"rand",
"regex",
"rustc_version",
"serde",
"smallvec",
"ui_test",
]

2
src/tools/miri/Cargo.toml
View File

@ -41,6 +41,8 @@ rustc_version = "0.4"
# Features chosen to match those required by env_logger, to avoid rebuilds
regex = { version = "1.5.5", default-features = false, features = ["perf", "std"] }
lazy_static = "1.4.0"
# Pin a version of serde without intransparent unreproducible binary blobs.
serde = { version = "1.0, < 1.0.172", features = ["derive"] }
[package.metadata.rust-analyzer]
# This crate uses #[feature(rustc_private)].

3
src/tools/miri/cargo-miri/Cargo.toml
View File

@ -22,7 +22,8 @@ rustc-build-sysroot = "0.4.1"
# Enable some feature flags that dev-dependencies need but dependencies
# do not. This makes `./miri install` after `./miri build` faster.
serde = { version = "*", features = ["derive"] }
# Pin a version of serde without intransparent unreproducible binary blobs.
serde = { version = "1.0, < 1.0.172", features = ["derive"] }
[build-dependencies]
rustc_tools_util = "0.3"

4
src/tools/miri/test-cargo-miri/Cargo.toml
View File

@ -20,7 +20,9 @@ issue_rust_86261 = { path = "issue-rust-86261" }
[dev-dependencies]
byteorder_2 = { package = "byteorder", version = "0.5" } # to test dev-dependencies behave as expected, with renaming
serde_derive = "1.0" # not actually used, but exercises some unique code path (`--extern` .so file)
# Not actually used, but exercises some unique code path (`--extern` .so file).
# Pin a version without intransparent unreproducible binary blobs.
serde_derive = "=1.0.152"
[build-dependencies]
autocfg = "1"