by tronicdude 807 days ago
FWIW, I've used zshell for years now and had a great experience. When vetting it against the other zinit fork, it seemed better documented and more active (new features still being added) while the other fork was simply archival. The dev has been extremely responsive whenever I've had issues or questions.

This is all that is in my zshrc:

  # Install Zi if not already installed
  if [[ ! -f $HOME/.zi/bin/zi.zsh ]]; then
    print -P "%F{33} %F{160}Installing (%F{33}z-shell/zi%F{160})…%f"
    command mkdir -p "$HOME/.zi" && command chmod go-rwX "$HOME/.zi"
    command git clone -q --depth=1 --branch "main" https://github.com/z-shell/zi "$HOME/.zi/bin" && \
      print -P "%F{33} %F{34}Installation successful.%f%b" || \
      print -P "%F{160} The clone has failed.%f%b"
  fi

This seems like a bit of an overreaction to someone contributing open source software. Every component of zshell is open (including the website) under the GitHub organization. If they fucked up the checksum version of the download (didn't exist when I started using zshell), submit a PR maybe? As far as the accusation that they're trying to look like official Zsh: the description for the website and repo is literally "A Swiss Army Knife for Zsh - Unix Shell." You cannot miss it.

I don't have a dog in this but this is clearly an overreaction. ss-o has put a lot of time into this and made the best zsh plugin manager imo. Calling it "scammy looking" and "boo hoo he works in marketing" is a cheap blow.


A couple weeks ago anyone calling Jia Tan of xz untrustworthy (without having discovered the backdoor) would have been laughed at, but apparently we're in a world where long-time maintainers of open-source projects can be malicious. And here there are even actual ongoing red flags, and multiple of them. There's even an open issue on curl-ing[0], with no action for 6 months (and given that the "verified" version seemingly would fail to load anything at all if the script really updated, it's pushing users to not use it). Even if it's discernible from zsh, similarities can nevertheless provide a feeling of credibility/officiality.

It can of course all be unfortunate accidents (and still has a good chance to be such), but that means nothing - a malicious person would of course try to make all their actions seem as such.

[0]: https://github.com/z-shell/zi/issues/287, though it doesn't notice the double-curl in "verified" being a massive security issue which makes it worse than useless
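The "double-curl" problem raised above, shown as an added example (not code from the thread or from the zi project): an installer is only verified if the bytes that were hashed are the bytes that get executed. Fetching once to check a checksum and then fetching again to run gives no assurance, because the second response can differ. The server, the installer bodies and the pinned digest are all constructed here.

```python
import hashlib
import hmac
from typing import Callable, List


class VerificationError(Exception):
    """Raised when fetched bytes do not match the pinned digest."""


def fetch_verified(fetch: Callable[[], bytes], expected_sha256: str) -> bytes:
    """Fetch exactly once, hash those bytes, and return them only if they match.

    The caller executes the returned bytes, so what was hashed is what runs.
    """
    data = fetch()
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise VerificationError(f"sha256 mismatch: got {digest}, expected {expected_sha256}")
    return data


def double_fetch_unverified(fetch: Callable[[], bytes], expected_sha256: str) -> bytes:
    """Anti-pattern: verify one fetch, then fetch again to execute (a double-curl)."""
    if hashlib.sha256(fetch()).hexdigest() != expected_sha256.lower():
        raise VerificationError("first fetch mismatched")
    return fetch()  # a second, never-checked response is what gets executed


def is_verified(fetch: Callable[[], bytes], expected_sha256: str) -> bool:
    """Convenience wrapper: True if fetch_verified accepts the bytes, False otherwise."""
    try:
        fetch_verified(fetch, expected_sha256)
        return True
    except VerificationError:
        return False


class FlipFlopServer:
    """Constructed stand-in for a host whose response changes between requests."""

    def __init__(self, responses: List[bytes]) -> None:
        self._responses = responses
        self.calls = 0

    def fetch(self) -> bytes:
        data = self._responses[min(self.calls, len(self._responses) - 1)]
        self.calls += 1
        return data


# Constructed installer bodies; PINNED stands in for a checksum published out of band.
GOOD = b"echo 'installing plugin manager'\n"
TAMPERED = b"echo 'tampered installer'\n"
PINNED = hashlib.sha256(GOOD).hexdigest()
```

With a server that answers GOOD first and TAMPERED afterwards, `fetch_verified` returns GOOD after a single request, while `double_fetch_unverified` passes its check and still hands back TAMPERED.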

I'll say it's entirely possible this is an overreaction. I was writing up a fun weekend investigation of a weird looking project as I dug into it. There's a reason it's a series of posts on Mastodon and not anything more formal than that.

To clarify one thing, I'm not concerned that they "work in marketing". I am concerned that the marketing page is fake: it's a bunch of AI generated faces and fake LinkedIn profiles. This does not lead me to the conclusion that they work in marketing at all.

As for your version of the script, it still strikes me as a _little_ weird (why put a self-install inside the .zshrc that is only expected to run once per system you have it on), but clearly far less concerning than the version they have in the current docs.

All code execution involves some degree of trust. There's enough here to make me personally not trust the developer, but if the information here doesn't give someone else the same qualms, that's entirely fine.

It's entirely open source and pretty comprehensible. That being said, of course the dev could tear up years of work and go rogue at any moment, like any other solo open source project dev.

It's not my version of the script, it's what his auto-installer did to my zshrc, which I've retained.

And the purpose of a self-install in the zshrc is twofold: portability to new systems, i.e. when I moved from macOS to Arch, my zshrc could stay mostly the same, and package management stuff. You may not be familiar with zshell/zinit forks but one can also use them as general package managers (https://wiki.zshell.dev/ecosystem/packages/synopsis) and do pretty cool shim stuff as well (https://wiki.zshell.dev/ecosystem/annexes/bin-gem-node) (https://zdharma-continuum.github.io/zinit/wiki/Annexes/).

I don't think the genuine issues brought up (his new silly way of auto-installing zshell, etc) warrant the reaction this is getting (unixorn taking it off of awesome-zsh-plugins, etc).

> It's entirely open source

Not very reassuring in the context of the xz backdoor and sketchiness of this particular author. I think it's better to avoid it, regardless of whether the author is actually malicious. Giving the vibe of being somehow official and having this fake "company" is rightly criticized. That's not the behavior of the developer whose code I would want to run.

> of course the dev could tear up years of work and go rogue at any moment, like any other solo open source project dev

Given the sketchiness I'd say it's much more likely than with the average dev.

Also just discovered this issue was acknowledged by ss-o months ago; it's on his project board here https://github.com/orgs/z-shell/projects/4/views/10

Issue was from last September so he's pretty behind, but accusations of being malicious/scammy are not credible.