What's going on with bincode?

(This is a cross-post from Reddit).

In August, the bincode GitHub repository was archived, pointing users to the new sourcehut repo:

This repo has migrated to sourcehut as its primary development hub. Go there for any future code updates.

This decision was made for multiple reasons, but the primary one was Github's rampant and inherently immoral integration of generative AI. Bincode and its authors have never and will never support this. If you have a problem with this we encourage you not to contact us about it. If you feel generative AI is not a problem, do better.

This is fair enough; other people are choosing to migrate away from GitHub for similar reasons.

However, there are some weird circumstances surrounding this migration:

1. The commit adding that to the README was made on August 15 by "stygianentity", a user who joined on...August 21? OK, you can backdate Git commits, but the repository was archived on the 15th as well.
2. "stygianentity" has seemingly no online presence to speak of.
3. There's been absolutely no activity in the bincode SourceHut repo since the migration. They have also not added an issue tracker or any mailing lists (SourceHut doesn't do pull requests), so there is no way to report bugs or submit patches. This is especially weird since there is a "Usage Manifesto" in the README mentioning "PR/issue descriptions", which hasn't been updated for SourceHut.
4. There has been no communication from any bincode maintainers in the only remaining avenue of communication, the Matrix chat.
5. The Git commit history from the original bincode repo on GitHub was completely purged. It's been rewritten to a single commit from Aug 15.
6. And this one is really eyebrow-raising: the commit history on the SourceHut repo has been completely rewritten. "stygianentity" seems to have taken the repo migration as an opportunity to mark themselves as the author of many past commits.

If the maintainer of a package wants to migrate to a different website, or write a manifesto about who's allowed to contribute to their repo, that's one thing. In this case, however, they've created an entirely new online identity with no established presence, rewritten the commit history of a very popular crate while migrating it to a new platform, changed the repo from being controlled by the bincode-org organization to their own account, completely emptied out the old commit history to the best of their ability, and disabled the issue tracker and provided no way to submit patches.

bincode 2.0 also depends on two new crates, virtue and unty, owned by the bincode GitHub organization. Those crates have not yet been archived or moved to SourceHut, and their status is unclear.

Even if "stygianentity" has no malicious intent, it seems hard to trust bincode now. I'm not sure what's going on, and by creating an entirely new account and rewriting the commit history, they seem to be trying their hardest to avoid answers and be as anonymous as possible.

From the reddit thread:

We have confirmed privately that there is no supply-chain attack going on here.

The repo & crate was moved and is under control by the original owners.

the primary one was Github's rampant and inherently immoral integration of generative AI

I allow my code to be used for training AI on GitHub. Not because I fear AI taking our jobs—but because I’m confident my code will slow it down enough to save us all.

Who does "we" refer to? I don't use Reddit or Discord, so I'm not familiar — are the moderators of "r/rust" and "the Rust Programming Language Community Discord" members of the official Rust teams (such as compiler team, infrastructure team, etc.)?

No.^[1] Unlike, for example, this site, neither the Subreddit nor the Discord channel are official community venues.

1. At least I don't think that a member of the moderation team happens to also moderate either the Subreddit or the Discord channel. ↩︎

At least I don't think that a member of the moderation team happens to also moderate either the Subreddit or the Discord channel.

Yeah, we're occasionally in communication with the official Rust moderation team, but we are not on it.

EDIT: It seems prudent to mention that I'm talking about the Discord, here. The subreddit mod team has occasionally had members on the official mod team, to my recollection.

Just two days ago bincode posted this on its Sourcehut: "Due to a doxxing incident bincode development has officially ceased and will not resume." It looks like the "doxxing incident" they're referring to is this very Reddit discussion.

I'm not sure what you want to express, but this looks suspicious enough to motivate me to consider this library a choice-of-last-resort.

With that in mind, would someone share alternatives to the library, or could someone who had submitted PRs to the project upload their stored git repository?

Edit: I seem to have misunderstood somehow. See my follow-ups below.

I'm unaware of any maintained library that's a drop-in replacement for bincode. Unfortunately, I haven't found any that are even close. All have slightly different on-disk formats and slightly different APIs. As for bincode's git history, I'm afraid that the most recent copy I have is from 2019.

But there's good news! David Koloski created an excellent benchmark comparing dozens of alternatives. Be aware that there are more differences here than mere performance. All of these libraries have different on-disk formats, and some may not be suitable for all applications. Also, some of them, like bitcode, don't guarantee format stability across versions. For my own projects, I'm currently investigating speedy, nanoserde, and rkyv as possibile replacements for bincode. I think that I'm going to go for speedy for stuff that needs to get persisted to disk, and rkyv for stuff that doesn't. But I haven't made a final decision. If you find a suitable replacement for bincode in your own projects from among this list, perhaps you could let us know?

8 posts were split into a new topic: Figuring out the meaning of “doxxing” in the other “bincode” thread

For anyone else being confused, let me just note following point of information regarding the nature of “doxxing”, as the bincode author has shared themselves on reddit:

Real names were posted, familial relations were posted and speculated on, home addresses were revealed.

source: old.reddit.com/r/rust/comments/1pnz1iz/_/nubjxg4

bincode 1 has some weird interactions with serde. The format isn't self-describing and so any struct that implements Serialize, but, say, skips None fields will not deserialize (at best!). I think using flatten causes similar issues. But there's no way to fix this without bloating the format. bincode 2 solved this I think by creating a whole new set of traits for serialization and deserialization. I'm curious what the alternatives are (and whether the fact that it is so fragile is a reason to use protobuf instead).