Zola on crates.io

[JoelMon]

I almost compiled and installed a package called zola via cargo install zola today. After taking a long time and not using any dependencies I canceled it and took a look at https://crates.io/crates/zola. Doesn't really look like it belong to you folks.

Can someone take a look at it and see if it's legit or someone squatting the name for nefarious intents?

I also emailed [email protected] about it.

[c-git]

I couldn't figure out how to see the code (not even sure if it's available). But I don't think the main maintainer of zola wants to upload to crates.io right now based on this previous issue. But I'd agree it doesn't appear to be related to this zola not sure if it's a coincidence, but it's pretty hard to tell since the other one doesn't even have a readme.

[JoelMon]

I couldn't figure out how to see the code (not even sure if it's available).

Same here.

Look at the user and all the other packages he has on creates.io. It's a lot of popular create names and it all looks sketchy.

[svalouch]

Download:

$ wget  https://crates.io/api/v1/crates/zola/0.1.1/download -O zola-0.1.1.tar.gz
$ sha256sum zola-0.1.1.tar.gz
7364421172804213dae74173b50ce904d3e904d34b97af11ae6252f7cd303bcb  zola-0.1.1.tar.gz

Content:

$ file zola-0.1.1/*
zola-0.1.1/build:           ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e2b9dec846125b8adb673a9a832ffe5ca3af6787, for GNU/Linux 4.4.0, with debug_info, not stripped
zola-0.1.1/build.rs:        C source, ASCII text
zola-0.1.1/Cargo.lock:      ASCII text
zola-0.1.1/Cargo.toml:      ASCII text
zola-0.1.1/Cargo.toml.orig: ASCII text
zola-0.1.1/main.rs:         C source, ASCII text

I'm not sure what the binary file build actually contains or if it is even executed, I'm not familiar with cargo's mechanisms, but binary and source have the same mtime. The build.rs does what it says on the tin, at least:

fn main() {
    println!("cargo:rerun-if-changed=build.rs");
    let mut cmd = std::process::Command::new("cargo");
    cmd.args(vec!["install", "--git", "https://github.com/getzola/zola", "--locked"]);
    let mut child = cmd.spawn().expect("failed to call cargo install");
    let _ = child.wait();
}

It runs cargo in the background and installs zola from this repo, which explains the long time of seemingly nothing happening, as its output is not forwarded to the terminal.
The application itself is a hello world stub.

Unless the binary does something nasty it appears somewhat okay in that regard, but it's definitely fishy and misleads users. That being said, IMHO, the entire account looks fishy, a bit like typo-squatting. I wonder if there's a way to block names in crates.io, it would certainly make a lot of sense for a project like this that can't be easily published there. I guess @Keats, you'd have to take action here as the owner of the repository.

[Keats]

It's not mine but I think this kind of squatting is completely allowed by crates.io so unless it's doing something bad, it's unlikely to be removed

[JoelMon]

It's not mine but I think this kind of squatting is completely allowed by crates.io so unless it's doing something bad, it's unlikely to be removed

Yeah, you are right. I spoke to Josh from [email protected] and he tells me that there isn't anything to do unless it goes malicious.

He did say that you can always try asking @btwiuse to see if he/she would like to pass ownership over though.

[btwiuse]

Hi, I am the current owner of the zola crate.

I created the crate for convinience. (see #1713 (comment))

The build binary was not intended to be packaged into the crate. It was generated by rustc build.rs and I forgot to tell Cargo.toml to ignore it.

Even if you installed it through cargo install zola, the binary won't be executed. It is 100% safe.

If you need it , I can transfer the crate to the zola project maintainer.

Please tell me whom to transfer to. I need your username on crates.io.

I will add you as owner then feel free to remove my ownership of the crate.

[Keats]

My username is Keats on crates.io.
I would probably yank it and push something with a readme saying it's not installable via cargo FWIW

[btwiuse]

An invite has been sent to you. You can remove my ownership after you accept the invite.

My username is Keats on crates.io. I would probably yank it and push something with a readme saying it's not installable via cargo FWIW

[Keats]

Thanks!