trunk-rs / trunk

Build, bundle & ship your Rust WASM application to the web.
https://trunkrs.dev/
Apache License 2.0

Upgrade to v0.19.1 seems to initiate the download of a rogue `trunk` executable! #747

Closed carlca closed 7 months ago

carlca commented 7 months ago

Bit of a strange one, this. I upgraded to v0.19.1 using cargo install trunk --force --version 0.19.1. The very next thing I did was to issue a t3 command. This is an alias to trunk serve --port 3000 - nothing controversial there! As soon as I had pressed <enter> a download started. This turned out to be an executable called trunk from https://trunk.io and it installed itself in my /usr/local/bin folder and, due to its position in my system path, took precedence in terms of execution priority. I didn't realise this straight away - cue much bewilderment!

The discovery of the rogue identity was only because I ran trunk --help which mentioned https://trunk.io and not https://trunkrs.dev as I would have expected.

To be clear, until this happened, I wasn't even aware of the existence of another company with an identically named product, let alone tried to explicitly download it.

I'm reasonably certain that this is nothing that I have done and that the two products have somehow been linked due to some mistake, presumably with trunkrs's code.

https://trunk.io isn't a source of malware, as far as I can see, but I thought that you should be aware of what happened.

ctron commented 7 months ago

I am sorry, but I have no idea what t3 is. Running cargo trunk will install trunk from crates.io. Which is trunk. trunk also is not a product from a company, but an open source project maintained by some volunteers. Whatever installed something from trunk.io seems to be tied to your local setup, and I don't think there is anything that this repository can/should do on this topic.

carlca commented 7 months ago

to issue a t3 command. This is an alias to trunk serve --port 3000.

I don't know how much clearer I could have been in explaining what t3 was...

In any case I've just been through my ZSH history and it seems that just prior to successfully upgrading trunk, I had issued the command curl https://get.trunk.io -fsSL | bash. Clearly my fault, and I'm guessing it was a result of me searching for install trunk or similar and finding the get started section on this page https://github.com/trunk-io, not noticing that it was for an entirely different thing.

However, one does have to question the wisdom of naming the tool trunk, though it's difficult to be certain who was first. trunk.io claim to have been formed in 2021, while I see from your GitHub repo that your first issue was in 2020 🤷🏽 Mind you, I see from your responses to https://github.com/trunk-rs/trunk/issues/733 that you are not minded to rectify the situation, so I guess the question is moot 😮
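The shadowing described in this thread (a second `trunk` dropped into /usr/local/bin by a `curl | bash` installer winning over the cargo-installed one purely because of PATH order) can be made visible with a small check. This is an added example written for this page, not code from the trunk project or either commenter; the expected location `$HOME/.cargo/bin/trunk` and the script name `check_shadow.sh` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the trunk project: enumerate every executable
# named NAME along a colon-separated search path (default: $PATH), in the
# order the shell would try them, and report whether the first hit is the
# binary we expect. In the thread, /usr/local/bin/trunk (from trunk.io)
# sat before ~/.cargo/bin/trunk (trunkrs) on PATH, so `trunk` silently ran
# the wrong program; this check reports exactly that situation.
set -u

# Print all executables called $1 on search path $2, one per line, in order.
path_candidates() {
  local name="$1" search="${2:-$PATH}" dir
  local IFS=':'
  for dir in $search; do
    if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
    fi
  done
}

# Exit status: 0 = first hit is the expected path, 1 = shadowed by another
# binary earlier on the search path, 2 = no binary of that name at all.
check_shadowed() {
  local name="$1" expected="$2" search="${3:-$PATH}" first
  first=$(path_candidates "$name" "$search" | head -n 1)
  if [ -z "$first" ]; then
    echo "$name: not found on search path"
    return 2
  fi
  if [ "$first" = "$expected" ]; then
    echo "$name: ok, resolves to $first"
    return 0
  fi
  echo "$name: SHADOWED, resolves to $first (expected $expected)"
  echo "candidates in resolution order:"
  path_candidates "$name" "$search" | sed 's/^/  /'
  return 1
}

# Stand-alone use (assumed script name): ./check_shadow.sh trunk "$HOME/.cargo/bin/trunk"
if [ "$#" -ge 2 ]; then
  check_shadowed "$@"
fi
```

Running it right after any `curl | bash` style install is a cheap way to confirm that the name you type still resolves to the binary you meant.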

ctron commented 7 months ago

Ok, so I don't think there is anything that we can do here.