Jacob Pratt on Nostr: What happened with #xz is precisely why I ceased support of serde versions that had ...
What happened with #xz is precisely why I ceased support of serde versions that had pre-compiled binaries included. It doesn't matter how trustworthy someone seems or how long they've been maintaining a project.
I caught flak from a number of people, including one person (in person, and respectfully!) saying that I was "policing the ecosystem". Which...yes, that's the point. Unknown, unverified binaries being executed is unacceptable and dangerous until proven safe, not the other way around.
Published at 2024-03-30 23:32:45

Event JSON
{
"id": "6196fd8b3cc5a0076c4d98170b0ddc150fc05c3957e0047cd959a9c75b96b048",
"pubkey": "51ef46b6fca4b5d343a7957ada9fa0e92d910580a3ffcdcf2e7d2607ada10392",
"created_at": 1711841565,
"kind": 1,
"tags": [
[
"t",
"xz"
],
[
"proxy",
"https://mastodon.social/users/jhpratt/statuses/112187248810383305",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mastodon.social/users/jhpratt/statuses/112187248810383305",
"pink.momostr"
]
],
"content": "What happened with #xz is precisely why I ceased support of serde versions that had pre-compiled binaries included. It doesn't matter how trustworthy someone seems or how long they've been maintaining a project.\n\nI caught flak from a number of people, including one person (in person, and respectfully!) saying that I was \"policing the ecosystem\". Which...yes, that's the point. Unknown, unverified binaries being executed is unacceptable and dangerous until proven safe, not the other way around.",
"sig": "81ccf054834ec73383da4304212c3342ac31584dae0ad5b0ae3447df1338c25a5d75b0dba41c60bf48e959ec7a659a5f14daab3da41c362646e1330fe639d611"
}