[issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy
github.com
What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

  • n2burns@lemmy.ca
    0·
    26 days ago

    I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

    Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

      • Quail4789@lemmy.mlEnglish
        0·
        26 days ago

        It matters because nobody is going to check the hashes for all of the files match whenever there’s a change so the maintainer can just replace them with whatever he wants.

        • Pup Biru@aussie.zoneEnglish
          1·
          26 days ago

          that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector