I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

215 points
*

I was bored at work one day. I decided to put a nyan cat easter egg in my company’s app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.

Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?

I had no idea what he was talking about.

permalink
report
reply
63 points

Years and years ago I worked on a project where the logo was the outline of a head and an inward swirl for the brain.

For the website, if you held your mouse over it for 9 seconds, it would spin and flush. No one ever found that one that I know of.

permalink
report
parent
reply
8 points

Should’ve included that in your FE analytics.

permalink
report
parent
reply
29 points

10/10

permalink
report
parent
reply
26 points

Aaaand thats why all commits should be signed with your pgp key

permalink
report
parent
reply
10 points

It sounds like they weren’t using any form of version control, so that’s definitely on them at this point

permalink
report
parent
reply
18 points

What makes you say that? To me, it sounds like that’s what they do have cause they tracked the change back to him. The commit message obviously said nothing about the file.

permalink
report
parent
reply
11 points

That story was a journey.

permalink
report
parent
reply
90 points

After I saw that issue, I attempted to build Ventoy from source. After making numerous modifications and getting only the first couple components built, I got tired of it and quit. I’ve made some modifications to glim and use that instead, although it’s still not as easy as Ventoy. But I don’t trust Ventoy if I can’t build it myself.

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them. That pushed me from not trusting Ventoy to actively distrusting it.

permalink
report
reply
46 points

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them.

What the fuck is happening to the world? Are we regressing or were we always this regressed and we’ve just given powerful tools to fucking chowderheads?

permalink
report
parent
reply
39 points

There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots. Compare the Ventoy-bros against the Elon-bros, and you’ll see a similar pattern of behavior.

I don’t personally understand it, since development is still sometimes seen as “work for weirdo nerds,” so you’d think they would understand what it feels like to be rejected or bullied, but here we are. They manage to stay under the radar, because there’s usually no reason to discuss politics or philosophy when you’re debugging code.

permalink
report
parent
reply
28 points
*

There’s a subset of the Linux/FOSS/etc. community who are Conservative, misogynistic, racist, and/or otherwise general bigots.

right, the hackernews set…

permalink
report
parent
reply
5 points
*

It’s the other way around I think. We are progressing. More voices are heard which “should” be a good thing. Right? Right…?

/s

permalink
report
parent
reply
7 points

I remember this thread! Before I saw this comment, I had already gone to look it up again:

Here’s the initial post of Verionica’s video on booting from ISO files: https://linuxmom.net/@vkc/112905487325961707
And here’s the post on 'The Ventoy conspiracy": https://linuxmom.net/@vkc/112906968594601449

permalink
report
parent
reply
1 point
*

it’s the opposite, actually: she got harassed because she didn’t talk about it when talking about creating a bootable drive.

permalink
report
parent
reply
80 points

I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

permalink
report
reply
34 points

If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?

permalink
report
parent
reply
23 points
*
Deleted by creator
permalink
report
parent
reply
25 points

that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

permalink
report
parent
reply
17 points

Is that any different from no one checking the code every update?

permalink
report
parent
reply
26 points

On the contrary: that just goes to show what a fucking catastrophe for software freedom “Secure[sic] Boot” is.

permalink
report
parent
reply
17 points

While this is true, it only requires the shim and grub to be copied for another distro.

From other comments there are a lot more blobs than just these two.

permalink
report
parent
reply
3 points

It sounds like most, if not all, come from upstream projects.

permalink
report
parent
reply
4 points

Would be nice if the dev can respond and confirm that…

permalink
report
parent
reply
11 points

It sounds to me as a documentation issue, as the next comment says, simply including a wget script should solve this.

permalink
report
parent
reply
4 points

that’s only a few files out of the 153

permalink
report
parent
reply
1 point

153 binaries? where?

permalink
report
parent
reply
57 points

Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don’t worry about those, but they are required to run the program.

permalink
report
reply
90 points

The fact that people know there are pre-compiled blobs in open source means they have an informed reason to avoid the software!

permalink
report
parent
reply
21 points

permalink
report
parent
reply
18 points

Right, the fact that it’s open is the reason this came to light, and we’re having this discussion

permalink
report
parent
reply
4 points

Exactly. Acting like this is an “ah-ha, see?!!” moment when this is exactly what open source is designed for. That’s like saying global warming is a hoax because “oh look it’s snowing”.

permalink
report
parent
reply
2 points

This isn’t a knock against opensource programming, but there shouldn’t ever be precompiled blobs in the repo unless they are the official builds for the various OS’s and if you want to build from source, the pre-compiled blobs shouldn’t be part of that, otherwise you can’t really claim you are opensource.

permalink
report
parent
reply
1 point

Well, it is an “ah-ha, see!” moment, because it shows the benefit of open source.

Its more like pointing at the absence of a glacier on a mountaintop and saying “yep, see, climate change does exist”

permalink
report
parent
reply
52 points

God I hate people who use github comments for their own benefit. “Just fork it bro” is never helpful.

permalink
report
reply
28 points

For me the problem is more in GPL violation: they distribute blobs under GPL3, user made a request of the source code by creating an issue, but they ignored that request. It is not only about “you have to fix it” versus “just fork it” imo.

permalink
report
parent
reply

Licence doesn’t apply to the creator.

He already owns the copyright, he doesn’t need a licence, he doesn’t need to adhere to the gpl

permalink
report
parent
reply
32 points

The binaries in question are various GNU and FOSS tools from elsewhere, not part of the Ventoy project itself. So no, the Ventoy author does not own the copyright of the tools in question.

permalink
report
parent
reply
4 points
*

Seriously this. Any comment about a complicated system that starts with “just” can be ignored 99% of the time.

Also, there are 4k forks of Ventoy already. Obviously forking it isn’t helping. Actual work needs to be done.

permalink
report
parent
reply
1 point

I agree that comments like that are unhelpful/unnecessary, but how is that “for their own benefit”? Other than the actual devs themselves using that as a way to just ignore issues, I do not follow

permalink
report
parent
reply
1 point

It makes them feel good and devalues the quality of discussion. Benefits them, harms others.

permalink
report
parent
reply

Open Source

!opensource@lemmy.ml

Create post

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

  • Posts must be relevant to the open source ideology
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

Community stats

  • 3.3K

    Monthly active users

  • 1.2K

    Posts

  • 10K

    Comments