I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

I haven’t read too far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:

Due to the recent XZ-Utils drama I checked the code and I’m appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

There is no reason to have those not be built in the release process. Of course it’s convenient, they are prebuilt, it’s fast and nobody has a problem with it.

Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It’s better to have GitHub build it on-push and use them out of the build cache.

I would do it myself, but unfortunately I’m not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.

Thank you for reading this and I hope for a productive conversation
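The check the quoted issue asks for (are the committed binaries what the build instructions produce?) can be run locally. This is an added example, not part of the original post or of Ventoy's code: it finds prebuilt artifacts in a checkout by magic bytes and compares each against the same path in a tree you rebuilt yourself. The directory layout and the `audit` and `demo` names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading magic bytes of formats that usually indicate a prebuilt artifact.
MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE", b"\xfd7zXZ\x00": "xz",
         b"\x1f\x8b": "gzip", b"!<arch>\n": "ar"}

def classify(path):
    """Return a format name if the file starts with a known magic, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((n for m, n in MAGIC.items() if head.startswith(m)), None)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(repo, rebuilt):
    """Map each committed binary to (format, status) against a rebuilt tree."""
    report = {}
    for p in sorted(Path(repo).rglob("*")):
        rel = p.relative_to(repo)
        if ".git" in rel.parts or p.is_symlink() or not p.is_file():
            continue
        if (kind := classify(p)) is None:
            continue
        twin = Path(rebuilt) / rel
        if not twin.is_file():
            status = "no-rebuild"      # nothing to compare against
        elif sha256(twin) == sha256(p):
            status = "reproduced"      # bit-for-bit identical
        else:
            status = "mismatch"        # build not reproducible, or blob differs
        report[rel.as_posix()] = (kind, status)
    return report

def demo():
    # Constructed sample trees (not real Ventoy files).
    with tempfile.TemporaryDirectory() as d:
        repo, rebuilt = Path(d, "repo"), Path(d, "rebuilt")
        for root, tail in ((repo, b"A"), (rebuilt, b"B")):
            (root / "bin").mkdir(parents=True)
            (root / "bin/same").write_bytes(b"\x7fELF" + b"\x00" * 12)
            (root / "bin/diff").write_bytes(b"\x7fELF" + tail)
            (root / "main.c").write_text("int main(void){return 0;}\n")
        (repo / "bin/only.xz").write_bytes(b"\xfd7zXZ\x00payload")
        return audit(repo, rebuilt)

if __name__ == "__main__":
    print(demo())
```

A `mismatch` does not by itself mean tampering: without a pinned toolchain and reproducible-build settings, honest rebuilds also differ, which is the point the issue makes about building in CI.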

This is free software, they don’t owe you anything and this kind of language sounds angry and entitled. You can’t just Gordon Ramsay on someone else’s codebase.

1 point

I mean the author has simply ignored this issue. If you look into it there are a few that people simply do not know how to generate, so without the maintainer it’s impossible to make a PR solving this.

-5 points

I mean if I got an issue that sounded that entitled and this is something I do in my spare time, I’d probably ignore it.

My point is they could have worded it better and it might have gotten a response. If you ask kindly about the BLOBs and maybe for some help to push you in the right direction instead of saying “I don’t know”, then it is fair to call the maintainer rude for ignoring it completely.

9 points

I mean, people are allowed to have opinions. They may not be good opinions but that’s the glory of opinions. You can Gordon Ramsay someone’s codebase, and someone else can Gordon Ramsay their comment, as you just did.

-3 points

I didn’t say they’re wrong; it’s the way they communicated which I found off-putting and Gordon Ramsay-esque.

9 points

I cannot fathom what in this issue description gives rise to your concern. It’s worded very calmly, clearly explaining why the author thinks these BLOBs shouldn’t be there, expressing an understanding that it’s not a top priority and even closing with a thank you.

-1 points

Is this not rude:

I checked the code and I’m appalled. There are more BLOBs than source code

And this:

I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.

We didn’t like it when MS made an issue trying to direct ffmpeg

They should have opened with a compliment or asked for directions if they didn’t know. In this message “Thank You” means fuck all.

3 points

Actually you can and should Gordon Ramsay all over it. It is the duty of audience members to express how they feel honestly about the artwork.

Open Source can and does understand that, and open source software becomes better for it.


I’m not saying don’t criticise it. It’s about communication. The language isn’t very good. See my other comments

1 point

Yes, that’s users for you. A diverse bunch and many lacking in basic politeness. But you just have to listen to whiny users. You just have to… and figure it out if you want to make world class software.

7 points

This is a bit absurd. I really don’t think this is as serious as some comments say. Also there is a comment from AUR package manager which explains more details. And even the blobs in the first post there are source and build instructions in their respective folder.

12 points

That linked reply doesn’t explain anything. It just says “bro trust him”. Just because you and the AUR maintainer say it’s trustful does not make it clear what’s behind the binary blobs. It doesn’t matter what anyone says if we can’t verify. In my opinion, it’s absurd calling others absurd for not trusting the word of others.

19 points

And even the blobs in the first point there are source and build instructions in their respective folder.

No it is not. It is supposedly the built result based on the instruction provided. If they can just provide that instruction, why not provide the source as well?

The issue thread also highlights the stubbornness and hostility of the project maintainer toward possible contributors.

12 points

I firmly believe there are no backdoors or anything dodgy going on here

OK but that’s hardly reassuring.

5 points

Not suspicious at all.

54 points

Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don’t worry about those, but they are required to run the program.

19 points

18 points

Right, the fact that it’s open is the reason this came to light, and we’re having this discussion.

2 points

Exactly. Acting like this is an “ah-ha, see?!!” moment when this is exactly what open source is designed for. That’s like saying global warming is a hoax because “oh look it’s snowing”.

1 point

Well, it is an “ah-ha, see!” moment, because it shows the benefit of open source.

It’s more like pointing at the absence of a glacier on a mountaintop and saying “yep, see, climate change does exist”.

1 point

This isn’t a knock against opensource programming, but there shouldn’t ever be precompiled blobs in the repo unless they are the official builds for the various OS’s and if you want to build from source, the pre-compiled blobs shouldn’t be part of that, otherwise you can’t really claim you are opensource.

87 points

The fact that people know there are pre-compiled blobs in open source means they have an informed reason to avoid the software!

25 points

Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don’t like it, don’t use Ventoy.

The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.

Blobs in the source tree are not ideal, but people need to pick their battles.

49 points

From what others have said: The blobs violate GPL because they are taken from other FOSS projects but the changes Ventoy makes are not viewable.

4 points

If you don’t like it, don’t use fork Ventoy.

28 points

Wtf is ventoy and why is nobody explaining it

10 points

because search engines exist

30 points

Wtf is search engines and why is no one explaining it

6 points

Search engines are websites that people used to go to in order to get helpful information. These days, they just spam out a bunch of SEO garbage, AI-generated bullshit, and ads.

Google, probably

31 points

Basically an OS which lets you choose another OS to boot into. This way you can choose between multiple OS’s on one USB drive. You drag your ISO files into a USB folder and choose between them on boot.

1 point

So like rEFInd but on the same drive?

13 points

That sounded like grub until you said ISO file

10 points

Yeah basically grub but on a USB stick and with ISO files

19 points

Wtf is a BLOB and why is nobody explaining it

-1 points

Because you can look it up.

7 points

8 points

Binary data. In the case of lz it was a carefully “corrupted” archive.

25 points

Binary Large OBject

Basically any binary file, often objected to in open source repos because of the lack of source and ‘openness’. See also the recent xz backdoor.

23 points

I used Ventoy (it’s still on my USB stick). It’s actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?

Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames do not matter, anything can be found.
