Reporting potential abuse

Thanks to this community for creating such a great tool!

How does one report potential abuse by a contributor/cask?

I ran brew cask install sublime earlier today, thinking I’d get my favorite text editor. Instead, I installed an “app” by “Saluki Studios” that seems to have no other purpose than soliciting PayPal donations. Very sketchy!

1 Like

It looks like that cask was originally submitted as sublime-subtitles in https://github.com/Homebrew/homebrew-cask/pull/15865 but was renamed to sublime during the review process?

Not sure what happened under review, but the cask embeds itself in the mac’s “applications” folder as Sublime. The app seems to solicit paypal donations, but nothing more.

It is so sketchy. When I first opened it, I had the sinking feeling that I’d installed ransomware.

Two more observation:

  1. It has never been really updated since it’s added initially. All the updates are things like homepage URL or DSL update.
  2. The homepage (https://salukistudios.com/sublime/) is now 404.

We might want to remove this formula? Or is there a “deprecation process”?

This is what the website used to look like: https://web.archive.org/web/20151227025916/http://www.salukistudios.com/

Thanks for your report and observations @mattalytics and @franklinyu.
Homebrew depends on vigilant users like you!

Looking at the analytics, the sublime cask has about 5,000 yearly installs. It’s difficult to tell how many of those installs are due to name confusion.

While I don’t have a strong opinion about removing the cask, 5k are quite a number.
No engines are currently reporting the binary as malicious.

I have just fired up Hopper to quickly reverse the binary. While the app does solicit PayPal donations, it doesn’t appear be malicious or deceptive; the code contained in the binary is consistent with the features it claims (drag/drop subtitle acquisition). The code reaches out to an XML-RPC service at https://api.opensubtitles.org.

@mattalytics Can you confirm the app does not work at all for you?

2 Likes

Thanks @scpeters!

I see that the latest archive.org capture seems to be nine months old. That means the homepage is probably gone for good.

Due to lack of a homepage, I’ll gladly accept a PR that deletes the sublime cask.

2 Likes

I am glad this issue has been remedied through swift community action – but the question originally posed by @mattalytics

– does still remain unanswered. Is there an official (or unofficial!) mechanism for reporting this sort of abusive behavior within the Homebrew community?

If there’s an issue you could always make an issue in github.