https://crates.io/search?q=fnmatch

https://crates.io/crates/fnmatch-regex at version v0.2.1, repository: https://gitlab.com/ppentchev/fnmatch-regex-rs

https://crates.io/crates/fnmatch-regex2 at version v0.4.0, repository: https://gitlab.com/brmmm3/fnmatch-regex2-rs (DO NOT SIGN IN, UNTIL WE KNOW ITS SAFE)

I was looking through some crates and noticed there is “fnmatch-regex2”, just below “fnmatch-regex”. The second one is newer; 4 months ago updated, compared to the original 12 months ago updated. And it has more recent downloads and a “higher version number”.

My first thought was, this either adds new functionality, or the old one is abandoned maybe? Looking in readme and documentation, I could not find anything that describes the differences. Looking at the source code on Gitlab, the first crate just shows it normally to me, but the second wants me to log in. My alarm glocks go on. Even the changelog for both are identical at version 0.2.1 (the original crate 1) without any word about changes, but the crate repository shows it should be at version v0.4.0.

I would like to know what you guys think about it. I can’t even audit the code right now, even if its the same Gitlab instance on gitlab.com. Should this be reported? Or am I just paranoid?


EDIT:

After asking in Discord, someone said I can view the source code in Docs.rs: https://docs.rs/crate/fnmatch-regex2/0.4.0/source/ . This is much better, but I am still cautious. I still don’t know what the actual changes are and would need to dive into the code and compare to find out. Which is not really something I expect to do from a trustful library.

  • thingsiplay@beehaw.orgOP
    link
    fedilink
    arrow-up
    1
    arrow-down
    1
    ·
    2 days ago

    Because I never encountered signing into Gitlab before. And the repository of fnmatch-regex itself does not require me to sign in. So i was a bit suspicious. I mean who knows if it would be possible to provide fake sign in. Guess I’m just paranoid.

    • Oscar@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      2 days ago

      It’s likely a private/internal project, so you need to log in to prove you are allowed access. The same thing happens for one of my personal private projects.

      Edit: After logging in, the URL you posted 404’s.