I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.
- ⸻ Ban DHMO 🇦🇺 ⸻ ( @unionagainstdhmo@aussie.zone ) English8•17 hours ago
I haven’t read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:
Due to the recent XZ-Utils drama I checked the code and I’m appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP
There is no reason to have those not be build in the release process. Of course it’s convenient, they are prebuild, it’s fast and nobody has a problem with it.
Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It’s better to have GitHub build it on-push and use them out of the build cache.
I would do it myself, but unfortunately I’m not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.
Thank you for reading this and I hope for a productive conversation
This is free software, they don’t owe you anything and this kind of language sounds angry and entitled. You can’t just Gordon Ramsay on someone else’s codebase.
- bleistift2 ( @bleistift2@sopuli.xyz ) English2•1 hour ago
I cannot fathom what in this issue description gives rise to your concern. It’s worded very calmly, clearly explaining why the author thinks these BLOBs shouldn’t be there, expressing an understanding that it’s not a top priority and even closing with a thank you.
- lorty ( @lorty@lemmy.ml ) 1•8 hours ago
I mean the author has simply ignored this issue. If you look into it there are a few that people simply do not know how to generate, so without the maintainer it’s impossible to make a PR solving this.
- ⸻ Ban DHMO 🇦🇺 ⸻ ( @unionagainstdhmo@aussie.zone ) English1•7 hours ago
I mean if I got an issue that sounded that entitled and this is something I do in my spare time, I’d probably ignore it.
My point is they could have worded it better and it might have gotten a response. If you ask kindly about the BLOBs and maybe for some help to push you in the right direction instead of saying “I don’t know”, then it is fair to call the maintainer rude for ignoring it completely.
- Wave ( @JameUwU@lemmy.ml ) English4•10 hours ago
I mean, people are allowed to have opinions. They may not be good opinions but thats the glory of opinions. You can Gordon Ramsey someone’s codebase, and someone else can Gordon Ramsey their comment, as you just did.
- ⸻ Ban DHMO 🇦🇺 ⸻ ( @unionagainstdhmo@aussie.zone ) English1•7 hours ago
I didn’t say they’re wrong it’s the way they communicated which I found off-putting and Gordon Ramsay -esque
- jsomae ( @jsomae@lemmy.ml ) 6•17 hours ago
What does BLOB stand for?
- ⸻ Ban DHMO 🇦🇺 ⸻ ( @unionagainstdhmo@aussie.zone ) English11•17 hours ago
Binary Large OBject
- Todd Bonzalez ( @todd_bonzalez@lemm.ee ) 19•1 day ago
Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don’t like it, don’t use Ventoy.
The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.
Blobs in the source tree are not ideal, but people need to pick their battles.
- Lemongrab ( @Lemongrab@lemmy.one ) 30•1 day ago
From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.
- thepiguy ( @thepiguy@lemmy.ml ) 21•1 day ago
As a wise one once said: “Talk is cheap, send patches”
- tetris11 ( @tetris11@lemmy.ml ) 3•1 day ago
Little did they know that Patches the Cat bit through their LAN lines and actually increased the cost of their communication.
- Mikelius ( @Mikelius@lemmy.ml ) 30•2 days ago
Glad it’s getting a little more light. Been trying to tell people this for a few years now lol. It’s the reason I’ve stayed away from it since first learning of the tool and looking at the “source code”.
- delirious_owl ( @delirious_owl@discuss.online ) 22•2 days ago
Wtf is ventoy and why is nobody explaining it
- Moah ( @Moah@lemmy.blahaj.zone ) 15•2 days ago
Wtf is a BLOB and why is nobody explaining it
- spikespaz ( @spikespaz@programming.dev ) 1•17 hours ago
Because you can look it up.
- Tamo240 ( @Tamo240@programming.dev ) 16•1 day ago
Binary Large OBject
Basically any binary file, often objected to in open source repos because of the lack of source and ‘openness’. See also the recent xz backdoor.
- thingsiplay ( @thingsiplay@beehaw.org ) 8•1 day ago
- thingsiplay ( @thingsiplay@beehaw.org ) 24•2 days ago
I used Ventoy (its still on my USB stick). Its actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?
Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames does not matter, anything can be found.
- n2burns ( @n2burns@lemmy.ca ) 52•2 days ago
I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:
Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.
- ReversalHatchery ( @ReversalHatchery@beehaw.org ) English4•2 days ago
that’s only a few files out of the 153
- infeeeee ( @infeeeee@lemm.ee ) 6•2 days ago
It sounds to me as a documentation issue, as the next comment says, simply including a
wget
script should solve this.
- PowerCrazy ( @PowerCrazy@lemmy.ml ) English45•2 days ago
Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don’t worry about those, but they are required to run the program.
- delirious_owl ( @delirious_owl@discuss.online ) 12•2 days ago
Right, the fact that it’s open is the reason this came to light, and we’re having this discussion
- ulkesh ( @ulkesh@beehaw.org ) English2•1 day ago
Exactly. Acting like this is an “ah-ha, see?!!” moment when this is exactly what open source is designed for. That’s like saying global warming is a hoax because “oh look it’s snowing”.
- delirious_owl ( @delirious_owl@discuss.online ) 1•1 day ago
Well, it is an “ah-ha, see!” moment, because it shows the benefit of open source.
Its more like pointing at the absence of a glacier on a mountaintop and saying “yep, see, climate change does exist”
- ulkesh ( @ulkesh@beehaw.org ) English1•1 day ago
I was referring to the commenter and how it read to me :) But agreed, what you said, too.
- PowerCrazy ( @PowerCrazy@lemmy.ml ) English1•1 day ago
This isn’t a knock against opensource programming, but there shouldn’t ever be precompiled blobs in the repo unless they are the official builds for the various OS’s and if you want to build from source, the pre-compiled blobs shouldn’t be part of that, otherwise you can’t really claim you are opensource.
- ulkesh ( @ulkesh@beehaw.org ) English1•1 day ago
Yes, and that’s what is being called out here. But your original comment makes it sound like you are advocating for closed source software and that somehow open source software is bad.
This is the system working as intended. When potential issues arise, it’s openly discussed and ideally resolved. And if not, trust is lost and people will stop using it.
- PowerCrazy ( @PowerCrazy@lemmy.ml ) English1•1 day ago
I don’t know about the history of the project, but it sounds like those blobs have been there for quite some time. When in reality, the PR that added the blobs in the first place shouldn’t ever have been approved.
Actually just checked 3+ years.
- Snot Flickerman ( @SnotFlickerman@lemmy.blahaj.zone ) English13•2 days ago
- monovergent ( @monovergent@lemmy.ml ) 20•2 days ago
Makes me wonder how far the closest alternative, glim, could be upgraded to match Ventoy given the confines of GRUB.
Someone had mentioned that Fedora fails to verify when booting from Ventoy. Now I’m thinking if I could dd the media loaded via Ventoy and compare with an original copy to see what changed.
- ulterno ( @ulterno@lemmy.kde.social ) English6•2 days ago
I like multiboot. Used it back when I used Windows.
The Ventoy advertisements on Reddit looked too suspicious, so I never checked it out. - sorter_plainview ( @sorter_plainview@lemmy.today ) 10•2 days ago
This is a bit absurd. I really don’t think this is as serious as some comments say. Also there is a comment from AUR package manager which explains more details. . And even the blobs in the first post there are source and build instructions in their respective folder.
- thingsiplay ( @thingsiplay@beehaw.org ) 12•2 days ago
That linked reply doesn’t explain anything. It just says “bro trust him”. Just because you and the AUR maintainer says its trustful, does not make it clear whats behind the binary blobs. It doesn’t matter what anyone says, if we can’t verify. In my opinion, its absurd calling others absurd for not trusting the word of others.
- LalSalaamComrade ( @velox_vulnus@lemmy.ml ) English16•2 days ago
Thank you for sharing this. I remember using Ventoy quite often back when I was still on Windows. I’ll be sticking with the good old
dd
command.- ryannathans ( @ryannathans@aussie.zone ) 3•2 days ago
I love double d
- GolfNovemberUniform ( @GolfNovemberUniform@lemmy.ml ) 12•2 days ago
I never trusted it because I thought it was completely proprietary. Well now I know it basically is.
- Quail4789 ( @Quail4789@lemmy.ml ) English2•2 days ago
Yep, some people these are saying just 7 of the 150 binaries don’t have source or build info. Yeah, one binary is enough to do all the evil in the world, not that other binaries support reproducible builds anyway.
- Snot Flickerman ( @SnotFlickerman@lemmy.blahaj.zone ) English11•2 days ago
All my laziness about not checking it out has come to fruition. Now I simply don’t have to, because this is sketch as fuck until it is handled.
- pokexpert30 ( @pokexpert30@lemmy.pussthecat.org ) 5•2 days ago
I just wish it had a real alternative. GRUB on USB doesnt support as much distros or windows.