I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.
I haven’t read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:
Due to the recent XZ-Utils drama I checked the code and I’m appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP
There is no reason to have those not be build in the release process. Of course it’s convenient, they are prebuild, it’s fast and nobody has a problem with it.
Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It’s better to have GitHub build it on-push and use them out of the build cache.
I would do it myself, but unfortunately I’m not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.
Thank you for reading this and I hope for a productive conversation
This is free software, they don’t owe you anything and this kind of language sounds angry and entitled. You can’t just Gordon Ramsay on someone else’s codebase.
What does BLOB stand for?
Binary Large OBject
Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don’t like it, don’t use Ventoy.
The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.
Blobs in the source tree are not ideal, but people need to pick their battles.
From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.
As a wise one once said: “Talk is cheap, send patches”
Little did they know that Patches the Cat bit through their LAN lines and actually increased the cost of their communication.
I like multiboot. Used it back when I used Windows.
The Ventoy advertisements on Reddit looked too suspicious, so I never checked it out.Glad it’s getting a little more light. Been trying to tell people this for a few years now lol. It’s the reason I’ve stayed away from it since first learning of the tool and looking at the “source code”.
I’ve had too many issues with Ventoy that I’d rather just use fedora media writer or balenaetcher for when that doesn’t work. I mean honestly it’s a bit gimmicky, even if it’s a cool concept. I believe Glim and some other options exist too
Time for a fork, then?
Wtf is ventoy and why is nobody explaining it
because search engines exist
Wtf is search engines and why is no one explaining it
Search engines are websites that people used to go to in order to get helpful information. These days, they just spam out a bunch of SEO garbage, AI-generated bullshit, and ads.
Google, probably
shh…it’s a spyware and adware!
Wtf is a BLOB and why is nobody explaining it
Because you can look it up.
Binary Large OBject
Basically any binary file, often objected to in open source repos because of the lack of source and ‘openness’. See also the recent xz backdoor.
Binary data. In the case of lz it was a carefully “corrupted” archive.
Basically an OS which let’s you choose another OS to boot into. This way you can chose between multiple OS’s on one USB drive. You drag your ISO files into a USB folder and choose between them on boot.
That sounded like grub until you said ISO file
Yeah basically grub but on a USB stick and with ISO files
I used Ventoy (its still on my USB stick). Its actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?
Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames does not matter, anything can be found.
This is a bit absurd. I really don’t think this is as serious as some comments say. Also there is a comment from AUR package manager which explains more details. . And even the blobs in the first point there are source and build instructions in their respective folder.
I firmly believe there are no backdoors or anything dodgy going on here
OK but that’s hardly reassuring.
Not suspicious at all.
That linked reply doesn’t explain anything. It just says “bro trust him”. Just because you and the AUR maintainer says its trustful, does not make it clear whats behind the binary blobs. It doesn’t matter what anyone says, if we can’t verify. In my opinion, its absurd calling others absurd for not trusting the word of others.
And even the blobs in the first point there are source and build instructions in their respective folder.
No it is not. It is supposedly the built result based on the instruction provided. If they can just provide that instruction, why not provide the source as well?
The issue thread also highlights the stubbornness and hostility of the project maintainer toward possible contributors.
Need to compare hashes between a stock ISO and one flashed by Ventoy (dd the latter to a file and check)
Wat? Ventoy doesn’t flash isos, it boots from them
Makes me wonder how far the closest alternative, glim, could be upgraded to match Ventoy given the confines of GRUB.
Someone had mentioned that Fedora fails to verify when booting from Ventoy. Now I’m thinking if I could dd the media loaded via Ventoy and compare with an original copy to see what changed.
I just wish it had a real alternative. GRUB on USB doesnt support as much distros or windows.
Is BLOB an acronym?
Nope, but it has become a backronym https://wikipedia.org/wiki/Object_storage#Origins
Cool thanks :)
I was bored at work one day. I decided to put a nyan cat easteregg my companies app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 doubled our build size. No one batted an eye cause no one paid attention much.
Fast forward 5 years later at a differentjob, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?
I had no idea what he was talking about.
Aaaand thats why all commits should be signed with your pgp key
It sounds like they weren’t using any form of version control, so that’s definitely on them at this point
What makes you say that? To me, it sounds like that’s what they do have cause they tracked the change back to him. The commit message obviously said nothing about the file.
Ah I could see that. I took it as them not knowing where the file came from at all, so they’re just asking all the devs who would have had access at that point, which is why it was “hey do you know anything about this file?” and not “is there a specific reason you committed this file to the build?”
You think they’d call up devs who left them just to ask if they happen to know about a random file?
Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.
For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.
Should’ve included that in your FE analytics.
10/10
That story was a journey.
