SatyrSackSep 17, 2024

Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months

https://lemmy.one/post/19193506

Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months - Lemmy.one

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

Show threadn2burnsSep 17, 2024

I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

[issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy

What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...

GitHub
Show threadnialv7Sep 17, 2024

While this is true, it only requires the shim and grub to be copied for another distro.

From other comments there are a lot more blobs than just these two.

Show threaddavadSep 18, 2024
It sounds like most, if not all, come from upstream projects.
Show threadnialv7Sep 19, 2024
Would be nice if the dev can respond and confirm that…
Show threaddavad
I think they did say that in the older thread. But for proper security, you shouldn’t have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.
Sep 27, 2024 at 4:26pmWeb