Is crate fnmatch-regex2 a scam?
8mon 9d ago by beehaw.org/u/thingsiplay in rust@programming.dev from crates.io
https://crates.io/search?q=fnmatch
https://crates.io/crates/fnmatch-regexat version v0.2.1, repository: https://gitlab.com/ppentchev/fnmatch-regex-rs
https://crates.io/crates/fnmatch-regex2at version v0.4.0, repository: https://gitlab.com/brmmm3/fnmatch-regex2-rs(DO NOT SIGN IN, UNTIL WE KNOW ITS SAFE)
I was looking through some crates and noticed there is "fnmatch-regex2", just below "fnmatch-regex". The second one is newer; 4 months ago updated, compared to the original 12 months ago updated. And it has more recent downloads and a "higher version number".
My first thought was, this either adds new functionality, or the old one is abandoned maybe? Looking in readme and documentation, I could not find anything that describes the differences. Looking at the source code on Gitlab, the first crate just shows it normally to me, but the second wants me to log in. My alarm glocks go on. Even the changelog for both are identical at version 0.2.1 (the original crate 1) without any word about changes, but the crate repository shows it should be at version v0.4.0.
I would like to know what you guys think about it. I can't even audit the code right now, even if its the same Gitlab instance on gitlab.com. Should this be reported? Or am I just paranoid?
EDIT:
After asking in Discord, someone said I can view the source code in Docs.rs: https://docs.rs/crate/fnmatch-regex2/0.4.0/source/. This is much better, but I am still cautious. I still don't know what the actual changes are and would need to dive into the code and compare to find out. Which is not really something I expect to do from a trustful library.
You can clone the original, add fnmatch-regex2 as a remote, fetch it, and do a diff between them to see what changed if you want.
If you go with this route, do not open the code with rust-analyzer active because it might run build scripts and proc macros automatically.
Quick analysis of code shows that there’s no suspicious build scripts or imports added, just an additional poorly documented and not tested function.
Documentation is additionally published to a third-party website.
Repository is probably is hidden which is ok.
You know repository info is just metadata, right? You can set it to anything.
And you could have grabbed the actually published versions easily, before randomly fear mongering against a random forked crate.
#/bin/bash
crate_name = $1
while read url; do
curl -L $url | bsdtar xfv -
done <<(curl -L https://crates.io/api/v1/crates/$%7Bcrate_name%7D/versions | jq -r '"https://crates.io/" +.versions[].dl_path')
Run this for both crates, and you will have these crates locally at:
fnmatch-regex2-0.3.0
fnmatch-regex2-0.4.0
fnmatch-regex-0.1.0
fnmatch-regex-0.2.0
fnmatch-regex-0.2.1
from there
diff -ru fnmatch-regex-0.2.1 fnmatch-regex2-0.4.0
or
du -ruNif you want the full content ofCargo.lockin the diff 😉
diff -ru fnmatch-regex-0.2.1/.cargo_vcs_info.json fnmatch-regex2-0.4.0/.cargo_vcs_info.json
--- fnmatch-regex-0.2.1/.cargo_vcs_info.json 1970-01-01 02:00:01.000000000 +0200
+++ fnmatch-regex2-0.4.0/.cargo_vcs_info.json 1970-01-01 02:00:01.000000000 +0200
@@ -1,6 +1,6 @@
{
"git": {
- "sha1": "73bd95ec60b4f9ee3ab2ad8d3475e005df7ddc4a"
+ "sha1": "2f810aaeef8eefcee722a29822e46c4091940c8b"
},
"path_in_vcs": ""
}
\ No newline at end of file
diff -ru fnmatch-regex-0.2.1/.editorconfig fnmatch-regex2-0.4.0/.editorconfig
--- fnmatch-regex-0.2.1/.editorconfig 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/.editorconfig 2006-07-24 04:21:28.000000000 +0300
@@ -1,6 +1,6 @@
# https://editorconfig.org/
#
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
# SPDX-License-Identifier: BSD-2-Clause
root = true
diff -ru fnmatch-regex-0.2.1/.gitignore fnmatch-regex2-0.4.0/.gitignore
--- fnmatch-regex-0.2.1/.gitignore 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/.gitignore 2006-07-24 04:21:28.000000000 +0300
@@ -5,3 +5,4 @@
site/
target/
+Cargo.lock
diff -ru fnmatch-regex-0.2.1/.readthedocs.yaml fnmatch-regex2-0.4.0/.readthedocs.yaml
--- fnmatch-regex-0.2.1/.readthedocs.yaml 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/.readthedocs.yaml 2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
# SPDX-License-Identifier: BSD-2-Clause
version: 2
Only in fnmatch-regex-0.2.1: .reuse
Only in fnmatch-regex2-0.4.0: Cargo.lock
diff -ru fnmatch-regex-0.2.1/Cargo.toml fnmatch-regex2-0.4.0/Cargo.toml
--- fnmatch-regex-0.2.1/Cargo.toml 1970-01-01 02:00:01.000000000 +0200
+++ fnmatch-regex2-0.4.0/Cargo.toml 1970-01-01 02:00:01.000000000 +0200
@@ -10,12 +10,16 @@
# See Cargo.toml.orig for the original contents.
[package]
-edition = "2021"
-rust-version = "1.58"
-name = "fnmatch-regex"
-version = "0.2.1"
-authors = ["Peter Pentchev <roam@ringlet.net>"]
+edition = "2024"
+rust-version = "1.85"
+name = "fnmatch-regex2"
+version = "0.4.0"
+authors = [
+ "Peter Pentchev <roam@ringlet.net>",
+ "Martin Bammer <mrbm74@gmail.com>",
+]
build = false
+autolib = false
autobins = false
autoexamples = false
autotests = false
@@ -34,23 +38,23 @@
"parser-implementations",
]
license = "BSD-2-Clause"
-repository = "https://gitlab.com/ppentchev/fnmatch-regex-rs"
+repository = "https://gitlab.com/brmmm3/fnmatch-regex2-rs"
[lib]
-name = "fnmatch_regex"
+name = "fnmatch_regex2"
path = "src/lib.rs"
[dependencies.anyhow]
-version = "1.0.69"
+version = "1.0"
[dependencies.itertools]
-version = ">= 0.10.3, < 0.14"
+version = "0.14"
[dependencies.regex]
-version = "1.7.1"
+version = "1.11"
[dependencies.thiserror]
-version = "1.0.38"
+version = "2.0"
[dev-dependencies.rstest]
-version = ">= 0.17, < 0.24"
+version = "0.25"
diff -ru fnmatch-regex-0.2.1/Cargo.toml.orig fnmatch-regex2-0.4.0/Cargo.toml.orig
--- fnmatch-regex-0.2.1/Cargo.toml.orig 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/Cargo.toml.orig 2006-07-24 04:21:28.000000000 +0300
@@ -1,24 +1,21 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
-# SPDX-License-Identifier: BSD-2-Clause
-
[package]
-name = "fnmatch-regex"
-version = "0.2.1"
-rust-version = "1.58"
-authors = ["Peter Pentchev <roam@ringlet.net>"]
-edition = "2021"
+name = "fnmatch-regex2"
+version = "0.4.0"
+authors = ["Peter Pentchev <roam@ringlet.net>", "Martin Bammer <mrbm74@gmail.com>"]
+edition = "2024"
description = "Convert a glob-style pattern to a regular expression."
readme = "README.md"
-repository = "https://gitlab.com/ppentchev/fnmatch-regex-rs"
+repository = "https://gitlab.com/brmmm3/fnmatch-regex2-rs"
license = "BSD-2-Clause"
categories = ["encoding", "filesystem", "parser-implementations"]
keywords = ["fnmatch", "glob", "pattern", "regex"]
+rust-version = "1.85"
[dependencies]
-anyhow = "1.0.69"
-itertools = ">= 0.10.3, < 0.14"
-regex = "1.7.1"
-thiserror = "1.0.38"
+anyhow = "1.0"
+itertools = "0.14"
+regex = "1.11"
+thiserror = "2.0"
[dev-dependencies]
-rstest = ">= 0.17, < 0.24"
+rstest = "0.25"
Only in fnmatch-regex2-0.4.0: NEWS.md
Only in fnmatch-regex-0.2.1: docs
diff -ru fnmatch-regex-0.2.1/mkdocs.yml fnmatch-regex2-0.4.0/mkdocs.yml
--- fnmatch-regex-0.2.1/mkdocs.yml 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/mkdocs.yml 2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
# SPDX-License-Identifier: BSD-2-Clause
theme:
diff -ru fnmatch-regex-0.2.1/pyproject.toml fnmatch-regex2-0.4.0/pyproject.toml
--- fnmatch-regex-0.2.1/pyproject.toml 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/pyproject.toml 2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
# SPDX-License-Identifier: BSD-2-Clause
[tool.publync.format.version]
diff -ru fnmatch-regex-0.2.1/requirements/docs.txt fnmatch-regex2-0.4.0/requirements/docs.txt
--- fnmatch-regex-0.2.1/requirements/docs.txt 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/requirements/docs.txt 2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
# SPDX-License-Identifier: BSD-2-Clause
mkdocs >= 1.4.2, < 2
diff -ru fnmatch-regex-0.2.1/run-clippy.sh fnmatch-regex2-0.4.0/run-clippy.sh
--- fnmatch-regex-0.2.1/run-clippy.sh 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/run-clippy.sh 2006-07-24 04:21:28.000000000 +0300
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
# SPDX-License-Identifier: BSD-2-Clause
diff -ru fnmatch-regex-0.2.1/src/glob.rs fnmatch-regex2-0.4.0/src/glob.rs
--- fnmatch-regex-0.2.1/src/glob.rs 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/src/glob.rs 2006-07-24 04:21:28.000000000 +0300
@@ -37,7 +37,7 @@
//! # use std::error::Error;
//!
//! # fn main() -> Result<(), Box<dyn Error>> {
-//! let re_name = fnmatch_regex::glob_to_regex("linux-[0-9]*-{generic,aws}")?;
+//! let re_name = fnmatch_regex2::glob_to_regex("linux-[0-9]*-{generic,aws}")?;
//! for name in &[
//! "linux-5.2.27b1-generic",
//! "linux-4.0.12-aws",
@@ -60,7 +60,7 @@
use anyhow::anyhow;
use itertools::{Either, Itertools as _};
-use regex::Regex;
+use regex::{Regex, RegexBuilder};
use crate::error::Error as FError;
@@ -572,3 +572,24 @@
let re_pattern = parser.flatten_ok().collect::<Result<Vec<_>, _>>()?.join("");
Regex::new(&re_pattern).map_err(|err| FError::InvalidRegex(re_pattern, err))
}
+
+/// Parse a shell glob-like pattern into a regular expression.
+///
+/// See the module-level documentation for a description of the pattern
+/// features supported.
+///
+/// # Errors
+/// Most of the [`crate::error::Error`] values, mostly syntax errors in
+/// the specified glob pattern.
+#[allow(clippy::missing_inline_in_public_items)]
+pub fn glob_to_regex_ext(pattern: &str, ignore_case: bool) -> Result<Regex, FError> {
+ let parser = GlobIterator {
+ pattern: pattern.chars(),
+ state: State::Start,
+ };
+ let re_pattern = parser.flatten_ok().collect::<Result<Vec<_>, _>>()?.join("");
+ RegexBuilder::new(&re_pattern)
+ .case_insensitive(ignore_case)
+ .build()
+ .map_err(|err| FError::InvalidRegex(re_pattern, err))
+}
diff -ru fnmatch-regex-0.2.1/src/lib.rs fnmatch-regex2-0.4.0/src/lib.rs
--- fnmatch-regex-0.2.1/src/lib.rs 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/src/lib.rs 2006-07-24 04:21:28.000000000 +0300
@@ -15,7 +15,9 @@
pub mod error;
pub mod glob;
-pub use glob::glob_to_regex;
+pub use glob::{glob_to_regex, glob_to_regex_ext};
+
+pub use regex::Regex;
#[cfg(test)]
pub mod tests;
diff -ru fnmatch-regex-0.2.1/tox.ini fnmatch-regex2-0.4.0/tox.ini
--- fnmatch-regex-0.2.1/tox.ini 2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/tox.ini 2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
# SPDX-License-Identifier: BSD-2-Clause
[tox]
And you do know that the docs.rs service itself generates docs from published crates in crates.io, and that is the exactly same code you see when viewing sources there, right?
Why you’ve wrote “dont sign in…” for GitLab? GitLab is safe
Because I never encountered signing into Gitlab before. And the repository of fnmatch-regex itself does not require me to sign in. So i was a bit suspicious. I mean who knows if it would be possible to provide fake sign in. Guess I'm just paranoid.
Thank you for checking! As for the private thing, they have the source code provided on a different place: https://docs.rs/crate/fnmatch-regex2/0.4.0/source/Maybe it makes sense now, because they want people to focus on the other source, and do not want to work on Gitlab itself.
You have to provide source to a rust repository. Otherwise, it’s impossible to compile and link Rust safely. There was an article in the topic.
Long story short you can prepare and link a binary library, but you can’t guarantee any type safety or additional optimisations.