I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

  • PowerCrazy@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don’t worry about those, but they are required to run the program.

    • snooggums@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      The fact that people know there are pre-compiled blobs in open source means they have an informed reason to avoid the software!

      • ulkesh@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Exactly. Acting like this is an “ah-ha, see?!!” moment when this is exactly what open source is designed for. That’s like saying global warming is a hoax because “oh look it’s snowing”.

        • PowerCrazy@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          This isn’t a knock against opensource programming, but there shouldn’t ever be precompiled blobs in the repo unless they are the official builds for the various OS’s and if you want to build from source, the pre-compiled blobs shouldn’t be part of that, otherwise you can’t really claim you are opensource.

  • Feathercrown@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    God I hate people who use github comments for their own benefit. “Just fork it bro” is never helpful.

    • friend_of_satan@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      Seriously this. Any comment about a complicated system that starts with “just” can be ignored 99% of the time.

      Also, there are 4k forks of Ventoy already. Obviously forking it isn’t helping. Actual work needs to be done.

    • Sem@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      For me the problem is more in GPL violation: they distribute blobs under GPL3, user made a request of the source code by creating an issue, but they ignored that request. It is not only about “you have to fix it” versus “just fork it” imo.

  • Antagnostic@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    2 months ago

    I was bored at work one day. I decided to put a nyan cat easter egg in my company’s app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.

    Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?

    I had no idea what he was talking about.

    • fmstrat@lemmy.nowsci.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.

      For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.

      • kautau@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        2 months ago

        It sounds like they weren’t using any form of version control, so that’s definitely on them at this point

        • Alexstarfire@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          2 months ago

          What makes you say that? To me, it sounds like that’s what they do have cause they tracked the change back to him. The commit message obviously said nothing about the file.

          • kautau@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            2 months ago

            Ah I could see that. I took it as them not knowing where the file came from at all, so they’re just asking all the devs who would have had access at that point, which is why it was “hey do you know anything about this file?” and not “is there a specific reason you committed this file to the build?”

  • mashbooq@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    2 months ago

    After I saw that issue, I attempted to build Ventoy from source. After making numerous modifications and getting only the first couple components built, I got tired of it and quit. I’ve made some modifications to glim and use that instead, although it’s still not as easy as Ventoy. But I don’t trust Ventoy if I can’t build it myself.

    Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them. That pushed me from not trusting Ventoy to actively distrusting it.

    • Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them.

      What the fuck is happening to the world? Are we regressing or were we always this regressed and we’ve just given powerful tools to fucking chowderheads?

      • Telorand@reddthat.com
        link
        fedilink
        arrow-up
        3
        ·
        2 months ago

        There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots. Compare the Ventoy-bros against the Elon-bros, and you’ll see a similar pattern of behavior.

        I don’t personally understand it, since development is still sometimes seen as “work for weirdo nerds,” so you’d think they would understand what it feels like to be rejected or bullied, but here we are. They manage to stay under the radar, because there’s usually no reason to discuss politics or philosophy when you’re debugging code.

        • Snot Flickerman@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          2 months ago

          There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots.

          right, the hackernews set…

          • WldFyre@lemm.ee
            link
            fedilink
            arrow-up
            2
            ·
            2 months ago

            Don’t know why you’re being downvoted, hackernews is an awful site of smug, dumb software “engineer” tech bros with some of the worst takes on anything that isn’t explicitly about how to code

  • ⸻ Ban DHMO 🇦🇺 ⸻@aussie.zone
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    I haven’t read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:

    Due to the recent XZ-Utils drama I checked the code and I’m appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

    There is no reason to have those not be build in the release process. Of course it’s convenient, they are prebuild, it’s fast and nobody has a problem with it.

    Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It’s better to have GitHub build it on-push and use them out of the build cache.

    I would do it myself, but unfortunately I’m not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.

    Thank you for reading this and I hope for a productive conversation

    This is free software, they don’t owe you anything and this kind of language sounds angry and entitled. You can’t just Gordon Ramsay on someone else’s codebase.

  • monovergent 🏁@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    Makes me wonder how far the closest alternative, glim, could be upgraded to match Ventoy given the confines of GRUB.

    Someone had mentioned that Fedora fails to verify when booting from Ventoy. Now I’m thinking if I could dd the media loaded via Ventoy and compare with an original copy to see what changed.

  • Todd Bonzalez@lemm.ee
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don’t like it, don’t use Ventoy.

    The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.

    Blobs in the source tree are not ideal, but people need to pick their battles.

  • Mikelius@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    Glad it’s getting a little more light. Been trying to tell people this for a few years now lol. It’s the reason I’ve stayed away from it since first learning of the tool and looking at the “source code”.

  • Rentlar@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    It’s a useful tool, but there is a security concern for anything not fully open source. You will have to weigh your risk factors, I doubt that it’s any problem for most consumers or distro hoppers.

    Best to keep an eye in case any new contributers arrive suddenly…

  • n2burns@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

    Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

    • infeeeee@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      It sounds to me as a documentation issue, as the next comment says, simply including a wget script should solve this.

    • grue@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      On the contrary: that just goes to show what a fucking catastrophe for software freedom “Secure[sic] Boot” is.

      • Quail4789@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        It matters because nobody is going to check the hashes for all of the files match whenever there’s a change so the maintainer can just replace them with whatever he wants.

        • Pup Biru@aussie.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

          • refalo@programming.dev
            link
            fedilink
            arrow-up
            1
            ·
            2 months ago

            That is true, but also nobody is doing it. Just like nobody is verifying Signal’s “reproducible builds”.

            • Pup Biru@aussie.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              are you sure?

              there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

    • nialv7@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      While this is true, it only requires the shim and grub to be copied for another distro.

      From other comments there are a lot more blobs than just these two.

          • davad@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            2 months ago

            I think they did say that in the older thread. But for proper security, you shouldn’t have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.

  • MigratingtoLemmy@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    2 months ago

    Need to compare hashes between a stock ISO and one flashed booted by Ventoy (dd the latter to a file and check)

  • BrianTheeBiscuiteer@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Any alternatives to this tool? I’ve used it a lot lately because I was testing out live OSes before installing one to the hard drive, but otherwise I don’t need it on a daily basis.

    • Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      2 months ago

      but otherwise I don’t need it on a daily basis.

      I’ll be real, this is part of why I didn’t understand Ventoy. I keep a bunch of large, fast thumbdrives around blank and available. When I need/want to put an OS on there, I do it when I need it, and then I’m always installing the most current version of the install. It takes under 5 minutes, at best.

      I used to try to keep various installs on thumbdrives… but it would be two years down the line by the time I needed to use it again and by that time it’s literally pointless to be using two year old installation media.

      • BrianTheeBiscuiteer@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        Ventoy wasn’t a foolproof solution but it really did beat the hell out of using 6 different USB drives. Most USB “pen drives” don’t make labeling easy and without labeling I’m just plugging them in one by one till I find the one I want.

      • CoopaLoopa@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        Part of the point behind Ventoy is that you don’t need to prepare the USB to be bootable. You can just copy/paste the whole iso into Ventoy and it will be bootable. New release comes out? Just copy it onto your USB drive. Don’t even need to remove the old version of you don’t want to.

        Makes things much easier in the tech world for having a single USB with 50+ bootable tools and installers on there like with MediCat (which uses Ventoy as a base).

        Only thing I’ve had issues with booting from Ventoy is the ProxMox install iso. Everything else has worked first try.