this post was submitted on 17 Sep 2024
404 points (99.0% liked)

Open Source

30302 readers
831 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
404
Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months (github.com)
submitted 1 day ago by SatyrSack@lemmy.one to c/opensource@lemmy.ml
114 comments fedilink hide all child comments
 

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

top 50 comments
sorted by: hot top controversial new old
[–] unionagainstdhmo@aussie.zone 5 points 7 hours ago (1 children)

I haven't read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:

Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

There is no reason to have those not be build in the release process. Of course it's convenient, they are prebuild, it's fast and nobody has a problem with it.

Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build it on-push and use them out of the build cache.

I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

Thank you for reading this and I hope for a productive conversation

This is free software, they don't owe you anything and this kind of language sounds angry and entitled. You can't just Gordon Ramsay on someone else's codebase.

[–] JameUwU@lemmy.ml 2 points 1 hour ago

I mean, people are allowed to have opinions. They may not be good opinions but thats the glory of opinions. You can Gordon Ramsey someone's codebase, and someone else can Gordon Ramsey their comment, as you just did.

[–] jsomae@lemmy.ml 4 points 8 hours ago (1 children)

What does BLOB stand for?

[–] unionagainstdhmo@aussie.zone 10 points 7 hours ago

Binary Large OBject

[–] todd_bonzalez@lemm.ee 15 points 20 hours ago (1 children)

Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don't like it, don't use Ventoy.

The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.

Blobs in the source tree are not ideal, but people need to pick their battles.

[–] Lemongrab@lemmy.one 33 points 19 hours ago

From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.

[–] thepiguy@lemmy.ml 25 points 23 hours ago (1 children)

As a wise one once said: "Talk is cheap, send patches"

[–] tetris11@lemmy.ml 5 points 15 hours ago

Little did they know that Patches the Cat bit through their LAN lines and actually increased the cost of their communication.

[–] Mikelius@lemmy.ml 35 points 1 day ago

Glad it's getting a little more light. Been trying to tell people this for a few years now lol. It's the reason I've stayed away from it since first learning of the tool and looking at the "source code".

[–] Antagnostic@lemmy.world 181 points 1 day ago* (last edited 1 day ago) (4 children)

I was bored at work one day. I decided to put a nyan cat easter egg in my company's app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.

Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?

I had no idea what he was talking about.

[–] fmstrat@lemmy.nowsci.com 46 points 1 day ago (1 children)

Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.

For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.

load more comments (1 replies)
[–] delirious_owl@discuss.online 18 points 1 day ago (4 children)

Aaaand thats why all commits should be signed with your pgp key

load more comments (4 replies)
load more comments (2 replies)
[–] delirious_owl@discuss.online 26 points 1 day ago (5 children)

Wtf is ventoy and why is nobody explaining it

[–] Moah@lemmy.blahaj.zone 19 points 1 day ago (4 children)

Wtf is a BLOB and why is nobody explaining it

[–] spikespaz@programming.dev 0 points 8 hours ago

Because you can look it up.

[–] Tamo240@programming.dev 25 points 1 day ago

Binary Large OBject

Basically any binary file, often objected to in open source repos because of the lack of source and 'openness'. See also the recent xz backdoor.

[–] Disregard3145@lemmy.world 8 points 1 day ago

Binary data. In the case of lz it was a carefully "corrupted" archive.

[–] Linkerbaan@lemmy.world 33 points 1 day ago* (last edited 1 day ago) (2 children)

Basically an OS which let's you choose another OS to boot into. This way you can chose between multiple OS's on one USB drive. You drag your ISO files into a USB folder and choose between them on boot.

[–] delirious_owl@discuss.online 13 points 1 day ago (1 children)

That sounded like grub until you said ISO file

[–] EddoWagt@feddit.nl 8 points 1 day ago

Yeah basically grub but on a USB stick and with ISO files

load more comments (1 replies)
[–] refalo@programming.dev 7 points 1 day ago (1 children)

because search engines exist

[–] SatyrSack@lemmy.one 23 points 21 hours ago (1 children)

Wtf is search engines and why is no one explaining it

[–] namingthingsiseasy@programming.dev 4 points 19 hours ago (1 children)

Search engines are websites that people used to go to in order to get helpful information. These days, they just spam out a bunch of SEO garbage, AI-generated bullshit, and ads.

Google, probably

[–] KarnaSubarna@lemmy.ml 1 points 16 hours ago* (last edited 16 hours ago)

shh..it's a spyware and adware!

[–] thingsiplay@beehaw.org 23 points 1 day ago

I used Ventoy (its still on my USB stick). Its actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?

Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames does not matter, anything can be found.

load more comments (1 replies)
[–] mashbooq@lemmy.world 66 points 1 day ago (6 children)

After I saw that issue, I attempted to build Ventoy from source. After making numerous modifications and getting only the first couple components built, I got tired of it and quit. I've made some modifications to glim and use that instead, although it's still not as easy as Ventoy. But I don't trust Ventoy if I can't build it myself.

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them. That pushed me from not trusting Ventoy to actively distrusting it.

[–] SteveDinn@lemmy.ca 5 points 21 hours ago

I remember this thread! Before I saw this comment, I had already gone to look it up again:

Here's the initial post of Verionica's video on booting from ISO files: https://linuxmom.net/@vkc/112905487325961707
And here's the post on 'The Ventoy conspiracy": https://linuxmom.net/@vkc/112906968594601449

load more comments (5 replies)
[–] ulterno@lemmy.kde.social 9 points 1 day ago

I like multiboot. Used it back when I used Windows.
The Ventoy advertisements on Reddit looked too suspicious, so I never checked it out.

[–] n2burns@lemmy.ca 74 points 1 day ago (15 children)

I too wish the developer would respond, but I don't think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

load more comments (15 replies)
load more comments
view more: next ›