this post was submitted on 11 Oct 2025
3 points (71.4% liked)

Rust

7507 readers
18 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

!performance@programming.dev

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
EdTheLegendary@programming.dev
kahnclusions@programming.dev
torcherist@programming.dev
3
Is crate fnmatch-regex2 a scam? (crates.io)
submitted 1 month ago* (last edited 1 month ago) by thingsiplay@beehaw.org to c/rust@programming.dev
8 comments fedilink hide all child comments
 

https://crates.io/search?q=fnmatch

https://crates.io/crates/fnmatch-regex at version v0.2.1, repository: https://gitlab.com/ppentchev/fnmatch-regex-rs

https://crates.io/crates/fnmatch-regex2 at version v0.4.0, repository: https://gitlab.com/brmmm3/fnmatch-regex2-rs (DO NOT SIGN IN, UNTIL WE KNOW ITS SAFE)

I was looking through some crates and noticed there is "fnmatch-regex2", just below "fnmatch-regex". The second one is newer; 4 months ago updated, compared to the original 12 months ago updated. And it has more recent downloads and a "higher version number".

My first thought was, this either adds new functionality, or the old one is abandoned maybe? Looking in readme and documentation, I could not find anything that describes the differences. Looking at the source code on Gitlab, the first crate just shows it normally to me, but the second wants me to log in. My alarm glocks go on. Even the changelog for both are identical at version 0.2.1 (the original crate 1) without any word about changes, but the crate repository shows it should be at version v0.4.0.

I would like to know what you guys think about it. I can't even audit the code right now, even if its the same Gitlab instance on gitlab.com. Should this be reported? Or am I just paranoid?

EDIT:

After asking in Discord, someone said I can view the source code in Docs.rs: https://docs.rs/crate/fnmatch-regex2/0.4.0/source/ . This is much better, but I am still cautious. I still don't know what the actual changes are and would need to dive into the code and compare to find out. Which is not really something I expect to do from a trustful library.

top 8 comments
sorted by: hot top controversial new old
[–] TehPers@beehaw.org 4 points 1 month ago (1 children)

You can clone the original, add fnmatch-regex2 as a remote, fetch it, and do a diff between them to see what changed if you want.

If you go with this route, do not open the code with rust-analyzer active because it might run build scripts and proc macros automatically.

[–] blazebra@programming.dev 3 points 1 month ago

Quick analysis of code shows that there’s no suspicious build scripts or imports added, just an additional poorly documented and not tested function.

Documentation is additionally published to a third-party website.

Repository is probably is hidden which is ok.

[–] MoSal@programming.dev 2 points 1 month ago

You know repository info is just metadata, right? You can set it to anything.

And you could have grabbed the actually published versions easily, before randomly fear mongering against a random forked crate.

#/bin/bash

crate_name = $1

while read url; do
  curl -L $url | bsdtar xfv -
done <<(curl -L https://crates.io/api/v1/crates/$%7Bcrate_name%7D/versions | jq -r '"https://crates.io/" +.versions[].dl_path')

Run this for both crates, and you will have these crates locally at:

fnmatch-regex2-0.3.0
fnmatch-regex2-0.4.0
fnmatch-regex-0.1.0
fnmatch-regex-0.2.0
fnmatch-regex-0.2.1

from there

diff -ru fnmatch-regex-0.2.1 fnmatch-regex2-0.4.0

or du -ruN if you want the full content of Cargo.lock in the diff 😉

diff -ru fnmatch-regex-0.2.1/.cargo_vcs_info.json fnmatch-regex2-0.4.0/.cargo_vcs_info.json
***
fnmatch-regex-0.2.1/.cargo_vcs_info.json	1970-01-01 02:00:01.000000000 +0200
+++ fnmatch-regex2-0.4.0/.cargo_vcs_info.json	1970-01-01 02:00:01.000000000 +0200
@@ -1,6 +1,6 @@
 {
   "git": {
-    "sha1": "73bd95ec60b4f9ee3ab2ad8d3475e005df7ddc4a"
+    "sha1": "2f810aaeef8eefcee722a29822e46c4091940c8b"
   },
   "path_in_vcs": ""
 }
\ No newline at end of file
diff -ru fnmatch-regex-0.2.1/.editorconfig fnmatch-regex2-0.4.0/.editorconfig
***
fnmatch-regex-0.2.1/.editorconfig	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/.editorconfig	2006-07-24 04:21:28.000000000 +0300
@@ -1,6 +1,6 @@
 # https://editorconfig.org/
 #
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
 # SPDX-License-Identifier: BSD-2-Clause
 
 root = true
diff -ru fnmatch-regex-0.2.1/.gitignore fnmatch-regex2-0.4.0/.gitignore
***
fnmatch-regex-0.2.1/.gitignore	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/.gitignore	2006-07-24 04:21:28.000000000 +0300
@@ -5,3 +5,4 @@
 
 site/
 target/
+Cargo.lock
diff -ru fnmatch-regex-0.2.1/.readthedocs.yaml fnmatch-regex2-0.4.0/.readthedocs.yaml
***
fnmatch-regex-0.2.1/.readthedocs.yaml	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/.readthedocs.yaml	2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
 # SPDX-License-Identifier: BSD-2-Clause
 
 version: 2
Only in fnmatch-regex-0.2.1: .reuse
Only in fnmatch-regex2-0.4.0: Cargo.lock
diff -ru fnmatch-regex-0.2.1/Cargo.toml fnmatch-regex2-0.4.0/Cargo.toml
***
fnmatch-regex-0.2.1/Cargo.toml	1970-01-01 02:00:01.000000000 +0200
+++ fnmatch-regex2-0.4.0/Cargo.toml	1970-01-01 02:00:01.000000000 +0200
@@ -10,12 +10,16 @@
 # See Cargo.toml.orig for the original contents.
 
 [package]
-edition = "2021"
-rust-version = "1.58"
-name = "fnmatch-regex"
-version = "0.2.1"
-authors = ["Peter Pentchev <roam@ringlet.net>"]
+edition = "2024"
+rust-version = "1.85"
+name = "fnmatch-regex2"
+version = "0.4.0"
+authors = [
+    "Peter Pentchev <roam@ringlet.net>",
+    "Martin Bammer <mrbm74@gmail.com>",
+]
 build = false
+autolib = false
 autobins = false
 autoexamples = false
 autotests = false
@@ -34,23 +38,23 @@
     "parser-implementations",
 ]
 license = "BSD-2-Clause"
-repository = "https://gitlab.com/ppentchev/fnmatch-regex-rs"
+repository = "https://gitlab.com/brmmm3/fnmatch-regex2-rs"
 
 [lib]
-name = "fnmatch_regex"
+name = "fnmatch_regex2"
 path = "src/lib.rs"
 
 [dependencies.anyhow]
-version = "1.0.69"
+version = "1.0"
 
 [dependencies.itertools]
-version = ">= 0.10.3, < 0.14"
+version = "0.14"
 
 [dependencies.regex]
-version = "1.7.1"
+version = "1.11"
 
 [dependencies.thiserror]
-version = "1.0.38"
+version = "2.0"
 
 [dev-dependencies.rstest]
-version = ">= 0.17, < 0.24"
+version = "0.25"
diff -ru fnmatch-regex-0.2.1/Cargo.toml.orig fnmatch-regex2-0.4.0/Cargo.toml.orig
***
fnmatch-regex-0.2.1/Cargo.toml.orig	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/Cargo.toml.orig	2006-07-24 04:21:28.000000000 +0300
@@ -1,24 +1,21 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
-# SPDX-License-Identifier: BSD-2-Clause
-
 [package]
-name = "fnmatch-regex"
-version = "0.2.1"
-rust-version = "1.58"
-authors = ["Peter Pentchev <roam@ringlet.net>"]
-edition = "2021"
+name = "fnmatch-regex2"
+version = "0.4.0"
+authors = ["Peter Pentchev <roam@ringlet.net>", "Martin Bammer <mrbm74@gmail.com>"]
+edition = "2024"
 description = "Convert a glob-style pattern to a regular expression."
 readme = "README.md"
-repository = "https://gitlab.com/ppentchev/fnmatch-regex-rs"
+repository = "https://gitlab.com/brmmm3/fnmatch-regex2-rs"
 license = "BSD-2-Clause"
 categories = ["encoding", "filesystem", "parser-implementations"]
 keywords = ["fnmatch", "glob", "pattern", "regex"]
+rust-version = "1.85"
 
 [dependencies]
-anyhow = "1.0.69"
-itertools = ">= 0.10.3, < 0.14"
-regex = "1.7.1"
-thiserror = "1.0.38"
+anyhow = "1.0"
+itertools = "0.14"
+regex = "1.11"
+thiserror = "2.0"
 
 [dev-dependencies]
-rstest = ">= 0.17, < 0.24"
+rstest = "0.25"
Only in fnmatch-regex2-0.4.0: NEWS.md
Only in fnmatch-regex-0.2.1: docs
diff -ru fnmatch-regex-0.2.1/mkdocs.yml fnmatch-regex2-0.4.0/mkdocs.yml
***
fnmatch-regex-0.2.1/mkdocs.yml	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/mkdocs.yml	2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
 # SPDX-License-Identifier: BSD-2-Clause
 
 theme:
diff -ru fnmatch-regex-0.2.1/pyproject.toml fnmatch-regex2-0.4.0/pyproject.toml
***
fnmatch-regex-0.2.1/pyproject.toml	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/pyproject.toml	2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
 # SPDX-License-Identifier: BSD-2-Clause
 
 [tool.publync.format.version]
diff -ru fnmatch-regex-0.2.1/requirements/docs.txt fnmatch-regex2-0.4.0/requirements/docs.txt
***
fnmatch-regex-0.2.1/requirements/docs.txt	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/requirements/docs.txt	2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
 # SPDX-License-Identifier: BSD-2-Clause
 
 mkdocs >= 1.4.2, < 2
diff -ru fnmatch-regex-0.2.1/run-clippy.sh fnmatch-regex2-0.4.0/run-clippy.sh
***
fnmatch-regex-0.2.1/run-clippy.sh	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/run-clippy.sh	2006-07-24 04:21:28.000000000 +0300
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
 # SPDX-License-Identifier: BSD-2-Clause
 
 
diff -ru fnmatch-regex-0.2.1/src/glob.rs fnmatch-regex2-0.4.0/src/glob.rs
***
fnmatch-regex-0.2.1/src/glob.rs	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/src/glob.rs	2006-07-24 04:21:28.000000000 +0300
@@ -37,7 +37,7 @@
 //! # use std::error::Error;
 //!
 //! # fn main() -> Result<(), Box<dyn Error>> {
-//! let re_name = fnmatch_regex::glob_to_regex("linux-[0-9]*-{generic,aws}")?;
+//! let re_name = fnmatch_regex2::glob_to_regex("linux-[0-9]*-{generic,aws}")?;
 //! for name in &[
 //!     "linux-5.2.27b1-generic",
 //!     "linux-4.0.12-aws",
@@ -60,7 +60,7 @@
 
 use anyhow::anyhow;
 use itertools::{Either, Itertools as _};
-use regex::Regex;
+use regex::{Regex, RegexBuilder};
 
 use crate::error::Error as FError;
 
@@ -572,3 +572,24 @@
     let re_pattern = parser.flatten_ok().collect::<Result<Vec<_>, _>>()?.join("");
     Regex::new(&re_pattern).map_err(|err| FError::InvalidRegex(re_pattern, err))
 }
+
+/// Parse a shell glob-like pattern into a regular expression.
+///
+/// See the module-level documentation for a description of the pattern
+/// features supported.
+///
+/// # Errors
+/// Most of the [`crate::error::Error`] values, mostly syntax errors in
+/// the specified glob pattern.
+#[allow(clippy::missing_inline_in_public_items)]
+pub fn glob_to_regex_ext(pattern: &str, ignore_case: bool) -> Result<Regex, FError> {
+    let parser = GlobIterator {
+        pattern: pattern.chars(),
+        state: State::Start,
+    };
+    let re_pattern = parser.flatten_ok().collect::<Result<Vec<_>, _>>()?.join("");
+    RegexBuilder::new(&re_pattern)
+        .case_insensitive(ignore_case)
+        .build()
+        .map_err(|err| FError::InvalidRegex(re_pattern, err))
+}
diff -ru fnmatch-regex-0.2.1/src/lib.rs fnmatch-regex2-0.4.0/src/lib.rs
***
fnmatch-regex-0.2.1/src/lib.rs	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/src/lib.rs	2006-07-24 04:21:28.000000000 +0300
@@ -15,7 +15,9 @@
 pub mod error;
 pub mod glob;
 
-pub use glob::glob_to_regex;
+pub use glob::{glob_to_regex, glob_to_regex_ext};
+
+pub use regex::Regex;
 
 #[cfg(test)]
 pub mod tests;
diff -ru fnmatch-regex-0.2.1/tox.ini fnmatch-regex2-0.4.0/tox.ini
***
fnmatch-regex-0.2.1/tox.ini	2006-07-24 04:21:28.000000000 +0300
+++ fnmatch-regex2-0.4.0/tox.ini	2006-07-24 04:21:28.000000000 +0300
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>
+# SPDX-FileCopyrightText: Peter Pentchev <roam@ringlet.net>, Martin Bammer <mrbm74@gmail.com>
 # SPDX-License-Identifier: BSD-2-Clause
 
 [tox]

And you do know that the docs.rs service itself generates docs from published crates in crates.io, and that is the exactly same code you see when viewing sources there, right?

[–] blazebra@programming.dev 2 points 1 month ago (1 children)

Why you’ve wrote “dont sign in…” for GitLab? GitLab is safe

[–] thingsiplay@beehaw.org 0 points 1 month ago (1 children)

Because I never encountered signing into Gitlab before. And the repository of fnmatch-regex itself does not require me to sign in. So i was a bit suspicious. I mean who knows if it would be possible to provide fake sign in. Guess I'm just paranoid.

[–] oscar@programming.dev 4 points 1 month ago* (last edited 1 month ago) (1 children)

It's likely a private/internal project, so you need to log in to prove you are allowed access. The same thing happens for one of my personal private projects.

Edit: After logging in, the URL you posted 404's.

[–] thingsiplay@beehaw.org 2 points 1 month ago (1 children)

Thank you for checking! As for the private thing, they have the source code provided on a different place: https://docs.rs/crate/fnmatch-regex2/0.4.0/source/ Maybe it makes sense now, because they want people to focus on the other source, and do not want to work on Gitlab itself.

[–] blazebra@programming.dev 2 points 1 month ago

You have to provide source to a rust repository. Otherwise, it’s impossible to compile and link Rust safely. There was an article in the topic.

Long story short you can prepare and link a binary library, but you can’t guarantee any type safety or additional optimisations.