Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months

https://lemmy.one/post/19193506

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files need to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

[issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy

What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...

If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?
It matters because nobody is going to check that the hashes for all of the files match whenever there’s a change, so the maintainer can just replace them with whatever he wants.
Is that any different from no one checking the code every update?
The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.
I think the point wasn’t so much about there being malware publicly shown in the published code… but that there’s a source-code patch secretly being applied before uploading the binaries, even if all the code published was open and clean. This is why it’s important for builds to be reproducible: you should be able to build your own binary and obtain the exact same hash.
The problem is that not nearly enough projects support reproducible builds, and many that do aren’t being regularly verified, at least publicly.
Yes, but I’m not sure if that’s the problem in this case. And if it is, then that’d be an issue with the upstream project rather than ventoy.
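The check the thread keeps circling back to, that every vendored blob still matches a pinned hash after each change, can be automated. Below is an added example (not Ventoy's code, nor from anyone in this thread) that pins a SHA-256 manifest of the binary files in a tree and reports blobs that were added, removed or swapped; the file suffixes and the sample tree are constructed assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as opaque binaries rather than reviewable source
# (assumption for this example; shim/grub images and disk images fit here).
BLOB_SUFFIXES = {".efi", ".img", ".bin", ".xz", ".gz", ".zip", ".iso"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def blob_manifest(root: Path) -> dict:
    """Map every blob under root (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in BLOB_SUFFIXES}


def diff_manifests(pinned: dict, current: dict) -> dict:
    """Report blobs that appeared, vanished or changed since the pinned manifest."""
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "changed": sorted(k for k in pinned.keys() & current.keys()
                          if pinned[k] != current[k]),
    }


def demo() -> dict:
    """Constructed sample tree: pin a manifest, then swap one blob without touching source."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EFI").mkdir()
        (root / "EFI" / "shimx64.efi").write_bytes(b"constructed shim bytes")
        (root / "EFI" / "grubx64.efi").write_bytes(b"constructed grub bytes")
        (root / "build.sh").write_text("echo source, not a blob\n")
        pinned = blob_manifest(root)
        # A later revision replaces one blob and adds another; no source file changes.
        (root / "EFI" / "grubx64.efi").write_bytes(b"different bytes")
        (root / "extra.img").write_bytes(b"new blob")
        return diff_manifests(pinned, blob_manifest(root))
```

Run `blob_manifest` on a known-good checkout, commit the result, and run `diff_manifests` in CI so a silently replaced binary fails the build instead of relying on someone re-checking hashes by hand.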