from thingsiplay@beehaw.org to rust@programming.dev on 11 Oct 07:57
https://beehaw.org/post/22614332
crates.io/crates/fnmatch-regex at version v0.2.1, repository: gitlab.com/ppentchev/fnmatch-regex-rs
crates.io/crates/fnmatch-regex2 at version v0.4.0, repository: gitlab.com/brmmm3/fnmatch-regex2-rs (DO NOT SIGN IN, UNTIL WE KNOW ITS SAFE)
I was looking through some crates and noticed there is “fnmatch-regex2”, just below “fnmatch-regex”. The second one is newer; 4 months ago updated, compared to the original 12 months ago updated. And it has more recent downloads and a “higher version number”.
My first thought was, this either adds new functionality, or the old one is abandoned maybe? Looking in readme and documentation, I could not find anything that describes the differences. Looking at the source code on Gitlab, the first crate just shows it normally to me, but the second wants me to log in. My alarm glocks go on. Even the changelog for both are identical at version 0.2.1 (the original crate 1) without any word about changes, but the crate repository shows it should be at version v0.4.0.
I would like to know what you guys think about it. I can’t even audit the code right now, even if its the same Gitlab instance on gitlab.com. Should this be reported? Or am I just paranoid?
EDIT:
After asking in Discord, someone said I can view the source code in Docs.rs: docs.rs/crate/fnmatch-regex2/0.4.0/source/ . This is much better, but I am still cautious. I still don’t know what the actual changes are and would need to dive into the code and compare to find out. Which is not really something I expect to do from a trustful library.
threaded - newest
You can clone the original, add fnmatch-regex2 as a remote, fetch it, and do a diff between them to see what changed if you want.
If you go with this route, do not open the code with rust-analyzer active because it might run build scripts and proc macros automatically.
Quick analysis of code shows that there’s no suspicious build scripts or imports added, just an additional poorly documented and not tested function.
Documentation is additionally published to a third-party website.
Repository is probably is hidden which is ok.
Why you’ve wrote “dont sign in…” for GitLab? GitLab is safe
Because I never encountered signing into Gitlab before. And the repository of fnmatch-regex itself does not require me to sign in. So i was a bit suspicious. I mean who knows if it would be possible to provide fake sign in. Guess I’m just paranoid.
It’s likely a private/internal project, so you need to log in to prove you are allowed access. The same thing happens for one of my personal private projects.
Edit: After logging in, the URL you posted 404’s.
Thank you for checking! As for the private thing, they have the source code provided on a different place: docs.rs/crate/fnmatch-regex2/0.4.0/source/ Maybe it makes sense now, because they want people to focus on the other source, and do not want to work on Gitlab itself.
You have to provide source to a rust repository. Otherwise, it’s impossible to compile and link Rust safely. There was an article in the topic.
Long story short you can prepare and link a binary library, but you can’t guarantee any type safety or additional optimisations.
You know repository info is just metadata, right? You can set it to anything.
And you could have grabbed the actually published versions easily, before randomly fear mongering against a random forked crate.
Run this for both crates, and you will have these crates locally at:
from there
diff -ru fnmatch-regex-0.2.1/.cargo_vcs_info.json fnmatch-regex2-0.4.0/.cargo_vcs_info.json --- fnmatch-regex-0.2.1/.cargo_vcs_info.json 1970-01-01 02:00:01.000000000 +0200 +++ fnmatch-regex2-0.4.0/.cargo_vcs_info.json 1970-01-01 02:00:01.000000000 +0200 @@ -1,6 +1,6 @@ { "git": { - "sha1": "73bd95ec60b4f9ee3ab2ad8d3475e005df7ddc4a" + "sha1": "2f810aaeef8eefcee722a29822e46c4091940c8b" }, "path_in_vcs": "" } \ No newline at end of file diff -ru fnmatch-regex-0.2.1/.editorconfig fnmatch-regex2-0.4.0/.editorconfig --- fnmatch-regex-0.2.1/.editorconfig 2006-07-24 04:21:28.000000000 +0300 +++ fnmatch-regex2-0.4.0/.editorconfig 2006-07-24 04:21:28.000000000 +0300 @@ -1,6 +1,6 @@ # https://editorconfig.org/ # -# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net> +# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com> # SPDX-License-Identifier: BSD-2-Clause root = true diff -ru fnmatch-regex-0.2.1/.gitignore fnmatch-regex2-0.4.0/.gitignore --- fnmatch-regex-0.2.1/.gitignore 2006-07-24 04:21:28.000000000 +0300 +++ fnmatch-regex2-0.4.0/.gitignore 2006-07-24 04:21:28.000000000 +0300 @@ -5,3 +5,4 @@ site/ target/ +Cargo.lock diff -ru fnmatch-regex-0.2.1/.readthedocs.yaml fnmatch-regex2-0.4.0/.readthedocs.yaml --- fnmatch-regex-0.2.1/.readthedocs.yaml 2006-07-24 04:21:28.000000000 +0300 +++ fnmatch-regex2-0.4.0/.readthedocs.yaml 2006-07-24 04:21:28.000000000 +0300 @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net> +# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com> # SPDX-License-Identifier: BSD-2-Clause version: 2 Only in fnmatch-regex-0.2.1: .reuse Only in fnmatch-regex2-0.4.0: Cargo.lock diff -ru fnmatch-regex-0.2.1/Cargo.toml fnmatch-regex2-0.4.0/Cargo.toml --- fnmatch-regex