I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.
I was bored at work one day. I decided to put a nyan cat easter egg in my company’s app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.
Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?
I had no idea what he was talking about.
Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.
For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.
Should’ve included that in your FE analytics.
Aaaand thats why all commits should be signed with your pgp key
It sounds like they weren’t using any form of version control, so that’s definitely on them at this point
What makes you say that? To me, it sounds like that’s what they do have cause they tracked the change back to him. The commit message obviously said nothing about the file.
Ah I could see that. I took it as them not knowing where the file came from at all, so they’re just asking all the devs who would have had access at that point, which is why it was “hey do you know anything about this file?” and not “is there a specific reason you committed this file to the build?”
You think they’d call up devs who left them just to ask if they happen to know about a random file?
You think they’d call up devs who left them just to ask if they happen to know about a random file?
I mean, that’s what op said happened. Literally with the verbiage of “file we found” and not “file you committed”
I did mean random devs, not the dev they tracked down that made the change.
10/10
That story was a journey.
After I saw that issue, I attempted to build Ventoy from source. After making numerous modifications and getting only the first couple components built, I got tired of it and quit. I’ve made some modifications to glim and use that instead, although it’s still not as easy as Ventoy. But I don’t trust Ventoy if I can’t build it myself.
Further, when @[email protected] made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them. That pushed me from not trusting Ventoy to actively distrusting it.
Further, when @[email protected] made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them.
What the fuck is happening to the world? Are we regressing or were we always this regressed and we’ve just given powerful tools to fucking chowderheads?
There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots. Compare the Ventoy-bros against the Elon-bros, and you’ll see a similar pattern of behavior.
I don’t personally understand it, since development is still sometimes seen as “work for weirdo nerds,” so you’d think they would understand what it feels like to be rejected or bullied, but here we are. They manage to stay under the radar, because there’s usually no reason to discuss politics or philosophy when you’re debugging code.
There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots.
right, the hackernews set…
Don’t know why you’re being downvoted, hackernews is an awful site of smug, dumb software “engineer” tech bros with some of the worst takes on anything that isn’t explicitly about how to code
it’s the opposite, actually: she got harassed because she didn’t talk about it when talking about creating a bootable drive.
I remember this thread! Before I saw this comment, I had already gone to look it up again:
Here’s the initial post of Verionica’s video on booting from ISO files: https://linuxmom.net/@vkc/112905487325961707
And here’s the post on 'The Ventoy conspiracy": https://linuxmom.net/@vkc/112906968594601449
I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:
Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.
If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?
deleted by creator
that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector
That is true, but also nobody is doing it. Just like nobody is verifying Signal’s “reproducible builds”.
are you sure?
there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”
On the contrary: that just goes to show what a fucking catastrophe for software freedom “Secure[sic] Boot” is.
While this is true, it only requires the shim and grub to be copied for another distro.
From other comments there are a lot more blobs than just these two.
It sounds like most, if not all, come from upstream projects.
Would be nice if the dev can respond and confirm that…
I think they did say that in the older thread. But for proper security, you shouldn’t have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.
It sounds to me as a documentation issue, as the next comment says, simply including a
wgetscript should solve this.
God I hate people who use github comments for their own benefit. “Just fork it bro” is never helpful.
For me the problem is more in GPL violation: they distribute blobs under GPL3, user made a request of the source code by creating an issue, but they ignored that request. It is not only about “you have to fix it” versus “just fork it” imo.
Licence doesn’t apply to the creator.
He already owns the copyright, he doesn’t need a licence, he doesn’t need to adhere to the gpl
The binaries in question are various GNU and FOSS tools from elsewhere, not part of the Ventoy project itself. So no, the Ventoy author does not own the copyright of the tools in question.
Even then, he’s still allowed to provide binary blobs. He doesn’t have to provide it as source code. If that was the case, we’d all have to build from source and package managers like apt, dnf and flatpak wouldn’t exist.
All he has to do is make the source code available, i.e. just link back to the original Github Repo.
Seriously this. Any comment about a complicated system that starts with “just” can be ignored 99% of the time.
Also, there are 4k forks of Ventoy already. Obviously forking it isn’t helping. Actual work needs to be done.
Glad it’s getting a little more light. Been trying to tell people this for a few years now lol. It’s the reason I’ve stayed away from it since first learning of the tool and looking at the “source code”.
Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don’t worry about those, but they are required to run the program.
The fact that people know there are pre-compiled blobs in open source means they have an informed reason to avoid the software!
Right, the fact that it’s open is the reason this came to light, and we’re having this discussion
Exactly. Acting like this is an “ah-ha, see?!!” moment when this is exactly what open source is designed for. That’s like saying global warming is a hoax because “oh look it’s snowing”.
This isn’t a knock against opensource programming, but there shouldn’t ever be precompiled blobs in the repo unless they are the official builds for the various OS’s and if you want to build from source, the pre-compiled blobs shouldn’t be part of that, otherwise you can’t really claim you are opensource.
deleted by creator
Good ol’ disk destroyer
Makes me wonder how far the closest alternative, glim, could be upgraded to match Ventoy given the confines of GRUB.
Someone had mentioned that Fedora fails to verify when booting from Ventoy. Now I’m thinking if I could dd the media loaded via Ventoy and compare with an original copy to see what changed.
Is there an alternative to Ventoy for booting Windows vhd images from an ntfs partition?
Wtf is ventoy and why is nobody explaining it
Wtf is a BLOB and why is nobody explaining it
Binary Large OBject
Basically any binary file, often objected to in open source repos because of the lack of source and ‘openness’. See also the recent xz backdoor.
Binary data. In the case of lz it was a carefully “corrupted” archive.
Because you can look it up.
Basically an OS which let’s you choose another OS to boot into. This way you can chose between multiple OS’s on one USB drive. You drag your ISO files into a USB folder and choose between them on boot.
That sounded like grub until you said ISO file
Yeah basically grub but on a USB stick and with ISO files
because search engines exist
Wtf is search engines and why is no one explaining it
Search engines are websites that people used to go to in order to get helpful information. These days, they just spam out a bunch of SEO garbage, AI-generated bullshit, and ads.
Google, probably
shh…it’s a spyware and adware!
I used Ventoy (its still on my USB stick). Its actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?
Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames does not matter, anything can be found.
going back to using multiple usb
It’s a useful tool, but there is a security concern for anything not fully open source. You will have to weigh your risk factors, I doubt that it’s any problem for most consumers or distro hoppers.
Best to keep an eye in case any new contributers arrive suddenly…
deleted by creator
From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.
If you don’t like it,
don’t usefork Ventoy.
deleted by creator
I mean the author has simply ignored this issue. If you look into it there are a few that people simply do not know how to generate, so without the maintainer it’s impossible to make a PR solving this.
I cannot fathom what in this issue description gives rise to your concern. It’s worded very calmly, clearly explaining why the author thinks these BLOBs shouldn’t be there, expressing an understanding that it’s not a top priority and even closing with a thank you.
deleted by creator
Is this not rude:
I checked the code and I’m appalled. There are more BLOBs than source code
No. The commenter is voicing their own feelings and explains why they have them. There is neither blaming nor rudeness here.
And this:
I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.
It would have been nice if you had explained why you think this is rude. The author expresses understanding that the maintainers’ priorities don’t align with the author’s. This seems to be an uncontroversial statement to me.
Then the author explains (I agree, it’s more a hint than an explanation) why they think the priorities should be changed. In my view their argument is sound. Again, there is no blaming or rudeness here.
They should have opened with a complement
I assume you mean “compliment”.
I’ve often heard of the “sandwich technique” – start with a compliment, then voice criticism, end with another positive thing. I find this is an appropriate procedure when voicing open feedback, that is, good things and bad things. However, this is a Github issue. Its whole point is to point out a perceived problem, not to give the maintainers a pat on the back or thank them.
deleted by creator
maybe everyone here is just a rude little shit.
Or maybe you’re just a snowflake that can’t handle criticism.
deleted by creator
deleted by creator
deleted by creator
All my laziness about not checking it out has come to fruition. Now I simply don’t have to, because this is sketch as fuck until it is handled.
