I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.
I was bored at work one day. I decided to put a nyan cat easter egg in my company’s app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.
Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?
I had no idea what he was talking about.
Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.
For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.
Should’ve included that in your FE analytics.
10/10
That story was a journey.
Aaaand thats why all commits should be signed with your pgp key
It sounds like they weren’t using any form of version control, so that’s definitely on them at this point
I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:
Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.
While this is true, it only requires the shim and grub to be copied for another distro.
From other comments there are a lot more blobs than just these two.
It sounds like most, if not all, come from upstream projects.
Would be nice if the dev can respond and confirm that…
I think they did say that in the older thread. But for proper security, you shouldn’t have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.
If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?
God I hate people who use github comments for their own benefit. “Just fork it bro” is never helpful.
For me the problem is more in GPL violation: they distribute blobs under GPL3, user made a request of the source code by creating an issue, but they ignored that request. It is not only about “you have to fix it” versus “just fork it” imo.
Licence doesn’t apply to the creator.
He already owns the copyright, he doesn’t need a licence, he doesn’t need to adhere to the gpl
The binaries in question are various GNU and FOSS tools from elsewhere, not part of the Ventoy project itself. So no, the Ventoy author does not own the copyright of the tools in question.
Is there an alternative to Ventoy for booting Windows vhd images from an ntfs partition?
Any alternatives to this tool? I’ve used it a lot lately because I was testing out live OSes before installing one to the hard drive, but otherwise I don’t need it on a daily basis.
but otherwise I don’t need it on a daily basis.
I’ll be real, this is part of why I didn’t understand Ventoy. I keep a bunch of large, fast thumbdrives around blank and available. When I need/want to put an OS on there, I do it when I need it, and then I’m always installing the most current version of the install. It takes under 5 minutes, at best.
I used to try to keep various installs on thumbdrives… but it would be two years down the line by the time I needed to use it again and by that time it’s literally pointless to be using two year old installation media.
Part of the point behind Ventoy is that you don’t need to prepare the USB to be bootable. You can just copy/paste the whole iso into Ventoy and it will be bootable. New release comes out? Just copy it onto your USB drive. Don’t even need to remove the old version of you don’t want to.
Makes things much easier in the tech world for having a single USB with 50+ bootable tools and installers on there like with MediCat (which uses Ventoy as a base).
Only thing I’ve had issues with booting from Ventoy is the ProxMox install iso. Everything else has worked first try.
Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don’t worry about those, but they are required to run the program.
Wtf is ventoy and why is nobody explaining it
Wtf is a BLOB and why is nobody explaining it
Binary Large OBject
Basically any binary file, often objected to in open source repos because of the lack of source and ‘openness’. See also the recent xz backdoor.
Binary data. In the case of lz it was a carefully “corrupted” archive.
because search engines exist
Wtf is search engines and why is no one explaining it
Search engines are websites that people used to go to in order to get helpful information. These days, they just spam out a bunch of SEO garbage, AI-generated bullshit, and ads.
Google, probably
