by junon 1035 days ago
> reassess their reaction once the anger subsides.

You have completely missed the point. It is because things go unnoticed that security-minded folks are upset. We don't get off from finding security problems, we get off on being safe to begin with.

2 comments

But the whole reaction here was 'this makes it more difficult to find security problems' (running a binary is not intrinsically a security problem, if instead you are just going to compile it and then run it, it's just harder to audit a binary) and yet no-one was even doing the easy bit (auditing the source code). If someone had injected malicious code into the build.rs file it would have exactly the same effect.

> yet no-one was even doing the easy bit (auditing the source code).

Someone did: the Fedora maintainer who raised the issue. One of the reasons I avoid installing from wild-west package managers like Cargo/NPM/... is specifically because Debian/Fedora/... maintainers perform some basic checks like this so I don't have to.

The Fedora/RHEL builds also go through virus/malware/security checks as part of the release process.

Each exception needs to be documented and specific.

Respectfully, I think we agree? The current proc macro situation allows security vulnerabilities and a potentially dangerous change went unnoticed for weeks. This RFC aims to address that, at least in part. If the comments I read reflected your view, I wouldn't have made my snarky remark. Unfortunately, I read many comments full of fury aimed at dtolnay while ignoring the system that enabled it.

I agree with the comments about dtolnay's decision and lack of communication here.

Oh, I misunderstood. I believe you are missing the forest for the trees but can't fault you for feeling angry if you believe trust was broken.