consider downgrading to serde_derive 1.0.171
Starting with serde 1.0.172, the proc-macro part of serde_derive is precompiled and shipped as a blob. For now, I'm not aware of anybody being able to reproduce (as in reproducible build) that bin. Running cargo is always a risk (proc-macros and build.rs can be used to do arbitrary code execution), but running code you can't even audit is a whole new level I'm personally not fond of.
See also serde#2538 (closed)
Edited by trinity-1686a
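Added example (not part of the original issue, and not code from serde or cargo): a check that scans a `Cargo.lock` and reports any resolved `serde_derive` at or above 1.0.172, the first version the issue says ships the precompiled blob. The function names and the sample lockfile are constructed for illustration, and the threshold has no upper bound because the issue does not give one.

```python
import re

# First serde_derive release that the issue says ships a precompiled proc-macro.
FIRST_PRECOMPILED = (1, 0, 172)

_PACKAGE_SPLIT = re.compile(r"^\[\[package\]\][ \t]*$", re.MULTILINE)
_FIELD = re.compile(r'^(name|version)[ \t]*=[ \t]*"([^"]*)"[ \t]*$', re.MULTILINE)

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "serde"
version = "1.0.172"
dependencies = [
 "serde_derive",
]

[[package]]
name = "serde_derive"
version = "1.0.172"
'''


def parse_version(text):
    """Return (major, minor, patch), ignoring pre-release/build suffixes."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def flagged_serde_derive(lock_text):
    """List serde_derive versions in a Cargo.lock that are >= 1.0.172."""
    hits = []
    for block in _PACKAGE_SPLIT.split(lock_text)[1:]:  # [0] is the file header
        fields = dict(_FIELD.findall(block))
        if fields.get("name") != "serde_derive" or "version" not in fields:
            continue
        if parse_version(fields["version"]) >= FIRST_PRECOMPILED:
            hits.append(fields["version"])
    return hits
```

Run it over the lockfile in CI and fail the job when the returned list is non-empty; an exact requirement such as `serde_derive = "=1.0.171"` in `Cargo.toml` keeps the resolver from moving past the version named in the title.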