455
submitted 1 month ago by SatyrSack@lemmy.one to c/opensource@lemmy.ml

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

top 50 comments
sorted by: hot top controversial new old
[-] Antagnostic@lemmy.world 218 points 1 month ago* (last edited 1 month ago)

I was bored at work one day. I decided to put a nyan cat easter egg in my company's app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.

Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?

I had no idea what he was talking about.

[-] fmstrat@lemmy.nowsci.com 64 points 1 month ago

Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.

For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.

load more comments (1 replies)
[-] SynopsisTantilize@lemm.ee 30 points 1 month ago
[-] delirious_owl@discuss.online 25 points 1 month ago

Aaaand thats why all commits should be signed with your pgp key

load more comments (7 replies)
load more comments (1 replies)
[-] mashbooq@lemmy.world 86 points 1 month ago

After I saw that issue, I attempted to build Ventoy from source. After making numerous modifications and getting only the first couple components built, I got tired of it and quit. I've made some modifications to glim and use that instead, although it's still not as easy as Ventoy. But I don't trust Ventoy if I can't build it myself.

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them. That pushed me from not trusting Ventoy to actively distrusting it.

[-] SnotFlickerman@lemmy.blahaj.zone 43 points 1 month ago

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them.

What the fuck is happening to the world? Are we regressing or were we always this regressed and we've just given powerful tools to fucking chowderheads?

[-] Telorand@reddthat.com 37 points 1 month ago

There's a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots. Compare the Ventoy-bros against the Elon-bros, and you'll see a similar pattern of behavior.

I don't personally understand it, since development is still sometimes seen as "work for weirdo nerds," so you'd think they would understand what it feels like to be rejected or bullied, but here we are. They manage to stay under the radar, because there's usually no reason to discuss politics or philosophy when you're debugging code.

[-] SnotFlickerman@lemmy.blahaj.zone 25 points 1 month ago* (last edited 1 month ago)

There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots.

right, the hackernews set...

[-] WldFyre@lemm.ee 26 points 1 month ago

Don't know why you're being downvoted, hackernews is an awful site of smug, dumb software "engineer" tech bros with some of the worst takes on anything that isn't explicitly about how to code

load more comments (1 replies)
load more comments (2 replies)
[-] n2burns@lemmy.ca 81 points 1 month ago

I too wish the developer would respond, but I don't think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

[-] stickmanmeyhem@lemmy.world 34 points 1 month ago

If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?

[-] Quail4789@lemmy.ml 24 points 1 month ago

It matters because nobody is going to check the hashes for all of the files match whenever there's a change so the maintainer can just replace them with whatever he wants.

[-] pupbiru@aussie.zone 24 points 1 month ago

that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

load more comments (3 replies)
[-] MangoPenguin@lemmy.blahaj.zone 17 points 1 month ago

Is that any different from no one checking the code every update?

load more comments (4 replies)
[-] grue@lemmy.world 25 points 1 month ago

On the contrary: that just goes to show what a fucking catastrophe for software freedom "Secure[sic] Boot" is.

[-] nialv7@lemmy.world 17 points 1 month ago

While this is true, it only requires the shim and grub to be copied for another distro.

From other comments there are a lot more blobs than just these two.

load more comments (3 replies)
load more comments (3 replies)
[-] PowerCrazy@lemmy.ml 59 points 1 month ago

Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don't worry about those, but they are required to run the program.

[-] spankmonkey@lemmy.world 90 points 1 month ago

The fact that people know there are pre-compiled blobs in open source means they have an informed reason to avoid the software!

[-] delirious_owl@discuss.online 18 points 1 month ago

Right, the fact that it's open is the reason this came to light, and we're having this discussion

load more comments (6 replies)
[-] Feathercrown@lemmy.world 51 points 1 month ago

God I hate people who use github comments for their own benefit. "Just fork it bro" is never helpful.

[-] sem@lemmy.ml 28 points 1 month ago

For me the problem is more in GPL violation: they distribute blobs under GPL3, user made a request of the source code by creating an issue, but they ignored that request. It is not only about "you have to fix it" versus "just fork it" imo.

load more comments (3 replies)
load more comments (3 replies)
[-] Mikelius@lemmy.ml 46 points 1 month ago

Glad it's getting a little more light. Been trying to tell people this for a few years now lol. It's the reason I've stayed away from it since first learning of the tool and looking at the "source code".

[-] monovergent@lemmy.ml 33 points 1 month ago

Makes me wonder how far the closest alternative, glim, could be upgraded to match Ventoy given the confines of GRUB.

Someone had mentioned that Fedora fails to verify when booting from Ventoy. Now I'm thinking if I could dd the media loaded via Ventoy and compare with an original copy to see what changed.

[-] thepiguy@lemmy.ml 31 points 1 month ago

As a wise one once said: "Talk is cheap, send patches"

load more comments (1 replies)
[-] todd_bonzalez@lemm.ee 28 points 1 month ago

Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don't like it, don't use Ventoy.

The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.

Blobs in the source tree are not ideal, but people need to pick their battles.

[-] Lemongrab@lemmy.one 50 points 1 month ago

From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.

load more comments (1 replies)
[-] delirious_owl@discuss.online 27 points 1 month ago

Wtf is ventoy and why is nobody explaining it

[-] Linkerbaan@lemmy.world 36 points 1 month ago* (last edited 1 month ago)

Basically an OS which let's you choose another OS to boot into. This way you can chose between multiple OS's on one USB drive. You drag your ISO files into a USB folder and choose between them on boot.

[-] delirious_owl@discuss.online 15 points 1 month ago

That sounded like grub until you said ISO file

[-] EddoWagt@feddit.nl 13 points 1 month ago

Yeah basically grub but on a USB stick and with ISO files

load more comments (1 replies)
[-] thingsiplay@beehaw.org 24 points 1 month ago

I used Ventoy (its still on my USB stick). Its actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?

Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames does not matter, anything can be found.

[-] Moah@lemmy.blahaj.zone 22 points 1 month ago

Wtf is a BLOB and why is nobody explaining it

[-] Tamo240@programming.dev 29 points 1 month ago

Binary Large OBject

Basically any binary file, often objected to in open source repos because of the lack of source and 'openness'. See also the recent xz backdoor.

load more comments (3 replies)
[-] refalo@programming.dev 12 points 1 month ago

because search engines exist

[-] SatyrSack@lemmy.one 35 points 1 month ago

Wtf is search engines and why is no one explaining it

load more comments (2 replies)
load more comments (1 replies)
[-] SnotFlickerman@lemmy.blahaj.zone 22 points 1 month ago* (last edited 1 month ago)

All my laziness about not checking it out has come to fruition. Now I simply don't have to, because this is sketch as fuck until it is handled.

[-] BrianTheeBiscuiteer@lemmy.world 21 points 1 month ago

Any alternatives to this tool? I've used it a lot lately because I was testing out live OSes before installing one to the hard drive, but otherwise I don't need it on a daily basis.

[-] SnotFlickerman@lemmy.blahaj.zone 23 points 1 month ago

but otherwise I don’t need it on a daily basis.

I'll be real, this is part of why I didn't understand Ventoy. I keep a bunch of large, fast thumbdrives around blank and available. When I need/want to put an OS on there, I do it when I need it, and then I'm always installing the most current version of the install. It takes under 5 minutes, at best.

I used to try to keep various installs on thumbdrives... but it would be two years down the line by the time I needed to use it again and by that time it's literally pointless to be using two year old installation media.

[-] CoopaLoopa@lemmy.dbzer0.com 22 points 1 month ago

Part of the point behind Ventoy is that you don't need to prepare the USB to be bootable. You can just copy/paste the whole iso into Ventoy and it will be bootable. New release comes out? Just copy it onto your USB drive. Don't even need to remove the old version of you don't want to.

Makes things much easier in the tech world for having a single USB with 50+ bootable tools and installers on there like with MediCat (which uses Ventoy as a base).

Only thing I've had issues with booting from Ventoy is the ProxMox install iso. Everything else has worked first try.

[-] BrianTheeBiscuiteer@lemmy.world 12 points 1 month ago

Ventoy wasn't a foolproof solution but it really did beat the hell out of using 6 different USB drives. Most USB "pen drives" don't make labeling easy and without labeling I'm just plugging them in one by one till I find the one I want.

load more comments (4 replies)
load more comments (2 replies)
load more comments (2 replies)
[-] GolfNovemberUniform@lemmy.ml 19 points 1 month ago

I never trusted it because I thought it was completely proprietary. Well now I know it basically is.

load more comments (1 replies)
[-] pastermil@sh.itjust.works 13 points 1 month ago

Time for a fork, then?

load more comments
view more: next ›
this post was submitted on 17 Sep 2024
455 points (99.1% liked)

Open Source

30919 readers
397 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS