Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months

SatyrSack@lemmy.one to Open Source@lemmy.ml – 444 points – [issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy
github.com

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

133

I was bored at work one day. I decided to put a nyan cat easter egg in my company's app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.

Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?

I had no idea what he was talking about.

Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.

For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.

Aaaand thats why all commits should be signed with your pgp key

It sounds like they weren’t using any form of version control, so that’s definitely on them at this point

What makes you say that? To me, it sounds like that's what they do have cause they tracked the change back to him. The commit message obviously said nothing about the file.

Ah I could see that. I took it as them not knowing where the file came from at all, so they’re just asking all the devs who would have had access at that point, which is why it was “hey do you know anything about this file?” and not “is there a specific reason you committed this file to the build?”

You think they'd call up devs who left them just to ask if they happen to know about a random file?

You think they’d call up devs who left them just to ask if they happen to know about a random file?

I mean, that’s what op said happened. Literally with the verbiage of “file we found” and not “file you committed”

I did mean random devs, not the dev they tracked down that made the change.

Right, I based it on an estimate on the size of the company and how many devs they’ve had. But if a 7MB file doubled their build size and nobody noticed for 5 years, it likely wasn’t code reviewed or committed and rather just added somewhere, It’d be my guess that it’s a pretty small team, and if they’re willing to call anyone at this point anyway as they only have a few devs, and not just remove the file, they’re probably unsure on if it serves any sort of point, which usually would be clear in a commit or PR

After I saw that issue, I attempted to build Ventoy from source. After making numerous modifications and getting only the first couple components built, I got tired of it and quit. I've made some modifications to glim and use that instead, although it's still not as easy as Ventoy. But I don't trust Ventoy if I can't build it myself.

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them. That pushed me from not trusting Ventoy to actively distrusting it.

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them.

What the fuck is happening to the world? Are we regressing or were we always this regressed and we've just given powerful tools to fucking chowderheads?

There's a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots. Compare the Ventoy-bros against the Elon-bros, and you'll see a similar pattern of behavior.

I don't personally understand it, since development is still sometimes seen as "work for weirdo nerds," so you'd think they would understand what it feels like to be rejected or bullied, but here we are. They manage to stay under the radar, because there's usually no reason to discuss politics or philosophy when you're debugging code.

There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots.

right, the hackernews set...

Don't know why you're being downvoted, hackernews is an awful site of smug, dumb software "engineer" tech bros with some of the worst takes on anything that isn't explicitly about how to code

It’s the other way around I think. We are progressing. More voices are heard which “should” be a good thing. Right? Right…?

/s

I too wish the developer would respond, but I don't think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?

It matters because nobody is going to check the hashes for all of the files match whenever there's a change so the maintainer can just replace them with whatever he wants.

that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

That is true, but also nobody is doing it. Just like nobody is verifying Signal's "reproducible builds".

are you sure?

there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

Yea because I tested it myself. Nobody else seems to care, and if they did, I would think there would be a public way to see regular test results regardless.

I know this exists for some projects, but somehow nothing privacy-sensitive

Is that any different from no one checking the code every update?

The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.

There's also the fact that if you want to ship binaries, you can just wget them from source during the build process. Not a perfect solution but much better than what's ventoy doing. The source code updates works the same in every project because it has to. That's why this is drawing more attention.

That's ok if we are talking about malware publicly shown in the published source code.. but there's also the possibility of a private source-code patch with malware that it's secretly being applied when building the binaries for distribution. Having clean source code in the repo is not a guarantee that the source code is the same that was used to produce the binaries.

This is why it's important for builds to be reproducible, any third party should be able to build their own binary from clean source code and be able to obtain the exact same binary with the same hash. If the hashes match, then you have a proof of the binary being clean. You have this same problem with every single binary distribution, even the ones that don't include pre-compiled binaries in their repo.

The problem is not near enough projects support reproducible builds, and many that do aren't being regularly verified, at least publicly.

Yes, that's why im saying that this kind of problem isn't something particular about this project.

In fact I'm not sure if it's the case that the builds aren't reproducible/verifiable for these binaries in ventoy. And if they aren't, then I think it's in the upstream projects where it should be fixed.

Of course ventoy should try to provide traceability for the specific versions they are using, but in principle I don't think it should be a problem to rely on those binaries if they are verifiable.. just the same way as we rely on binaries for many dynamic libraries in a lot of distributions. After all, Ventoy is closer to being an OS/distribution than a particular program.

On the contrary: that just goes to show what a fucking catastrophe for software freedom "Secure[sic] Boot" is.

While this is true, it only requires the shim and grub to be copied for another distro.

From other comments there are a lot more blobs than just these two.

It sounds like most, if not all, come from upstream projects.

Would be nice if the dev can respond and confirm that...

It sounds to me as a documentation issue, as the next comment says, simply including a wget script should solve this.

Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don't worry about those, but they are required to run the program.

The fact that people know there are pre-compiled blobs in open source means they have an informed reason to avoid the software!

Right, the fact that it's open is the reason this came to light, and we're having this discussion

Exactly. Acting like this is an “ah-ha, see?!!” moment when this is exactly what open source is designed for. That’s like saying global warming is a hoax because “oh look it’s snowing”.

Well, it is an "ah-ha, see!" moment, because it shows the benefit of open source.

Its more like pointing at the absence of a glacier on a mountaintop and saying "yep, see, climate change does exist"

I was referring to the commenter and how it read to me :) But agreed, what you said, too.

This isn't a knock against opensource programming, but there shouldn't ever be precompiled blobs in the repo unless they are the official builds for the various OS's and if you want to build from source, the pre-compiled blobs shouldn't be part of that, otherwise you can't really claim you are opensource.

Yes, and that’s what is being called out here. But your original comment makes it sound like you are advocating for closed source software and that somehow open source software is bad.

This is the system working as intended. When potential issues arise, it’s openly discussed and ideally resolved. And if not, trust is lost and people will stop using it.

I don't know about the history of the project, but it sounds like those blobs have been there for quite some time. When in reality, the PR that added the blobs in the first place shouldn't ever have been approved.

Actually just checked 3+ years.

God I hate people who use github comments for their own benefit. "Just fork it bro" is never helpful.

For me the problem is more in GPL violation: they distribute blobs under GPL3, user made a request of the source code by creating an issue, but they ignored that request. It is not only about "you have to fix it" versus "just fork it" imo.

Licence doesn't apply to the creator.

He already owns the copyright, he doesn't need a licence, he doesn't need to adhere to the gpl

The binaries in question are various GNU and FOSS tools from elsewhere, not part of the Ventoy project itself. So no, the Ventoy author does not own the copyright of the tools in question.

Seriously this. Any comment about a complicated system that starts with "just" can be ignored 99% of the time.

Also, there are 4k forks of Ventoy already. Obviously forking it isn't helping. Actual work needs to be done.

I agree that comments like that are unhelpful/unnecessary, but how is that "for their own benefit"? Other than the actual devs themselves using that as a way to just ignore issues, I do not follow

It makes them feel good and devalues the quality of discussion. Benefits them, harms others.

Glad it's getting a little more light. Been trying to tell people this for a few years now lol. It's the reason I've stayed away from it since first learning of the tool and looking at the "source code".

Makes me wonder how far the closest alternative, glim, could be upgraded to match Ventoy given the confines of GRUB.

Someone had mentioned that Fedora fails to verify when booting from Ventoy. Now I'm thinking if I could dd the media loaded via Ventoy and compare with an original copy to see what changed.

As a wise one once said: "Talk is cheap, send patches"

Little did they know that Patches the Cat bit through their LAN lines and actually increased the cost of their communication.

Thank you for sharing this. I remember using Ventoy quite often back when I was still on Windows. I'll be sticking with the good old dd command.

Wtf is ventoy and why is nobody explaining it

Basically an OS which let's you choose another OS to boot into. This way you can chose between multiple OS's on one USB drive. You drag your ISO files into a USB folder and choose between them on boot.

I used Ventoy (its still on my USB stick). Its actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?

Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames does not matter, anything can be found.

Wtf is a BLOB and why is nobody explaining it

Binary Large OBject

Basically any binary file, often objected to in open source repos because of the lack of source and 'openness'. See also the recent xz backdoor.

because search engines exist

Wtf is search engines and why is no one explaining it

Search engines are websites that people used to go to in order to get helpful information. These days, they just spam out a bunch of SEO garbage, AI-generated bullshit, and ads.

Google, probably

shh..it's spyware and adware!

Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don't like it, don't use Ventoy.

The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.

Blobs in the source tree are not ideal, but people need to pick their battles.

From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.

Any alternatives to this tool? I've used it a lot lately because I was testing out live OSes before installing one to the hard drive, but otherwise I don't need it on a daily basis.

but otherwise I don’t need it on a daily basis.

I'll be real, this is part of why I didn't understand Ventoy. I keep a bunch of large, fast thumbdrives around blank and available. When I need/want to put an OS on there, I do it when I need it, and then I'm always installing the most current version of the install. It takes under 5 minutes, at best.

I used to try to keep various installs on thumbdrives... but it would be two years down the line by the time I needed to use it again and by that time it's literally pointless to be using two year old installation media.

Part of the point behind Ventoy is that you don't need to prepare the USB to be bootable. You can just copy/paste the whole iso into Ventoy and it will be bootable. New release comes out? Just copy it onto your USB drive. Don't even need to remove the old version of you don't want to.

Makes things much easier in the tech world for having a single USB with 50+ bootable tools and installers on there like with MediCat (which uses Ventoy as a base).

Only thing I've had issues with booting from Ventoy is the ProxMox install iso. Everything else has worked first try.

Ventoy wasn't a foolproof solution but it really did beat the hell out of using 6 different USB drives. Most USB "pen drives" don't make labeling easy and without labeling I'm just plugging them in one by one till I find the one I want.

I remember various different concepts of USB flash drives with integrated LCDs that would display a label and the remaining capacity. Then they vanished and the only thing left were the Lexar Echo drives. Until a few years ago, when they have been pulled from the markets. Probably, because they didn't work with the now default GPT and its many different partition types.

IODD makes some. I had the older HDD version that stopped working after it got dropped, so now I use this one:

https://www.iodd.shop/IODD-SSD-drive-with-mini-USB-30-with-secure-256-bit-encryption

The IODD is basically a small drive enclosure, not a "stupid" USB drive.

I was more thinking of devices like this, this or this. Which have the simplicity of a normal USB device (just plug it in and go) and come with an automatically updating label so you can find the correct dongle.

But yeah, nowadays, I'd probably prefer the IODD thing.

I use this thing all the time. It will serve up ISOs and VMDK images also. It’s quite fast

When I was working in IT, this would have been a very useful tool for doing some on-site troubleshooting with various tools or for one-off reimaging machines that were missed during a big update or something. Instead, I had a bag of USB sticks with labels on them, which was annoying to use and to maintain.

As someone with few USBs available, Ventoy takes me 2 minutes to flash, several minutes to copy a set of ISOs, and then any time I need it, it takes 0 minutes to have a working USB with some arbitrary ISO. Sure, it's not up to date, but I don't need it to be if I need to recover an install or use some random tool.

I guess, you could buy a handful of USB sticks...

All my laziness about not checking it out has come to fruition. Now I simply don't have to, because this is sketch as fuck until it is handled.

I never trusted it because I thought it was completely proprietary. Well now I know it basically is.

Yep, some people these are saying just 7 of the 150 binaries don't have source or build info. Yeah, one binary is enough to do all the evil in the world, not that other binaries support reproducible builds anyway.

I like multiboot. Used it back when I used Windows.
The Ventoy advertisements on Reddit looked too suspicious, so I never checked it out.

This is a bit absurd. I really don't think this is as serious as some comments say. Also there is a comment from AUR package manager which explains more details. . And even the blobs in the first post there are source and build instructions in their respective folder.

And even the blobs in the first point there are source and build instructions in their respective folder.

No it is not. It is supposedly the built result based on the instruction provided. If they can just provide that instruction, why not provide the source as well?

The issue thread also highlights the stubbornness and hostility of the project maintainer toward possible contributors.

That linked reply doesn't explain anything. It just says "bro trust him". Just because you and the AUR maintainer says its trustful, does not make it clear whats behind the binary blobs. It doesn't matter what anyone says, if we can't verify. In my opinion, its absurd calling others absurd for not trusting the word of others.

I've had too many issues with Ventoy that I'd rather just use fedora media writer or balenaetcher for when that doesn't work. I mean honestly it's a bit gimmicky, even if it's a cool concept. I believe Glim and some other options exist too

Ugh, balenaetcher messed with my USB pen drive so that I had to jump through hoops to make it usable again. Based on web searches, this was not uncommon at that time. I haven't had issues with ventoy so far. However, maybe I'll just go back to Rufus.

It's a useful tool, but there is a security concern for anything not fully open source. You will have to weigh your risk factors, I doubt that it's any problem for most consumers or distro hoppers.

Best to keep an eye in case any new contributers arrive suddenly...

I haven't read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:

Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

There is no reason to have those not be build in the release process. Of course it's convenient, they are prebuild, it's fast and nobody has a problem with it.

Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build it on-push and use them out of the build cache.

I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

Thank you for reading this and I hope for a productive conversation

This is free software, they don't owe you anything and this kind of language sounds angry and entitled. You can't just Gordon Ramsay on someone else's codebase.

I cannot fathom what in this issue description gives rise to your concern. It’s worded very calmly, clearly explaining why the author thinks these BLOBs shouldn’t be there, expressing an understanding that it’s not a top priority and even closing with a thank you.

Is this not rude:

I checked the code and I’m appalled. There are more BLOBs than source code

And this:

I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

We didn’t like it when MS made an issue trying to direct ffmpeg

They should have opened with a complement or asked for directions if they didn’t know. In this message “Thank You” means fuck all

I mean, people are allowed to have opinions. They may not be good opinions but thats the glory of opinions. You can Gordon Ramsey someone's codebase, and someone else can Gordon Ramsey their comment, as you just did.

Actually you can and should Gordon Ramsey all over it. It is the duty of audience members to express how they feel honestly about the artwork.

Open Source can and do understand that and open source software becomes better for it.

I’m not saying don’t criticise it. It’s about communication. The language isn’t very good. See my other comments

Yes, that's users for you. A diverse bunch and many lacking in basic politeness. But you just have to listen to whiney users. You just have to... and figure it out if you want to make world class software.

I mean the author has simply ignored this issue. If you look into it there are a few that people simply do not know how to generate, so without the maintainer it's impossible to make a PR solving this.

I mean if I got an issue that sounded that entitled and this is something I do in my spare time, I'd probably ignore it.

My point is they could have worded it better and it might have gotten a response. If you ask kindly about the BLOBs and maybe for some help to push you in the right direction instead of saying "I don't know", then it is fair to call the maintainer rude for ignoring it completely.

Hm, so now people suddenly notice and care about this? lol

First I’m hearing of it and I’m starting to question my security given I installed my OS using it.