Fraud crate in crates.io (j4rs)

[astonbitecode]

Hi, I published today a new release of the j4rs crate (0.18.0) and saw there is a crate that impersonates the real j4rs, having a patch version greater than reality (0.18.1).

There is the possibility that someone by mistake uses the wrong crate.

What can I do?

Here is the fraud crate in crates.io: https://crates.io/crates/j4rs-171h.

[Turbo87]

I'm not sure whether this constitutes impersonation. I looks like it could also be a private fork of your project, since the author has their username appended to the package name.

https://diff.rs/j4rs-171h/0.18.0/0.18.1/ shows the diff between the two versions of the crate. unfortunately that tool is not able to compare across different crate names AFAIK.

[astonbitecode]

Thanks for the link. I was not aware of diff.rs

[eth3lbert]

I've sent a PR to add support for diffing across crates.

Comparing version 0.18.0, it's mostly only different in EOL format, except for the .jar file, which not only has a different filename but also different content.

There's still a need to add some other options for different diffing strategies to ignore noise, such as ignoring whitespace.

[astonbitecode]

Thank you very much for this.

The fact that jar has different content, could mean the code is different too, however one would need to decompile the contents of the jar first.

[astonbitecode]

The repository field shows the original instead of some fork.

I guess this allows hiding code, giving the wrong impression that this is legitimate code from the original repo.

[fintelia]

The crate owner has a github repository named j4rs which is a fork of yours, so I'd guess they just forget to update the repository field in the Cargo.toml

[astonbitecode]

Thanks for all the responses.

I checked the rust code, decompiled the java code and did not find anything suspicious. Only the versions are changed, not the actual code.
It seems to me a bit weird not to have any changes and nevertheless having a forked version of a maintained crate changing the version only to a future one...

Anyway we can close this discussion and I guess I will revisit this in the future with the hope to not find anything.