I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

  • n2burns@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

    Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

    • infeeeee@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      It sounds to me as a documentation issue, as the next comment says, simply including a wget script should solve this.

      • Quail4789@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        It matters because nobody is going to check the hashes for all of the files match whenever there’s a change so the maintainer can just replace them with whatever he wants.

        • Pup Biru@aussie.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

          • refalo@programming.dev
            link
            fedilink
            arrow-up
            1
            ·
            2 months ago

            That is true, but also nobody is doing it. Just like nobody is verifying Signal’s “reproducible builds”.

            • Pup Biru@aussie.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              are you sure?

              there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

    • grue@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      On the contrary: that just goes to show what a fucking catastrophe for software freedom “Secure[sic] Boot” is.

    • nialv7@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      While this is true, it only requires the shim and grub to be copied for another distro.

      From other comments there are a lot more blobs than just these two.

          • davad@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            2 months ago

            I think they did say that in the older thread. But for proper security, you shouldn’t have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.