Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months

I was bored at work one day. I decided to put a nyan cat easter egg in my company's app. If at the loading progress bar screen you typed NYAN it would turn the progress bar into a rainbow being created by a little nyan cat while playing the nyan cat song. The mp3 (inconspicuously renamed without the extension) doubled our build size. No one batted an eye cause no one paid attention to the build size much.

Fast forward 5 years later, at a different job, I get a phone call from the old boss. Do you happen to know anything about this nyan cat file we found?

I had no idea what he was talking about.

After I saw that issue, I attempted to build Ventoy from source. After making numerous modifications and getting only the first couple components built, I got tired of it and quit. I've made some modifications to glim and use that instead, although it's still not as easy as Ventoy. But I don't trust Ventoy if I can't build it myself.

Further, when @vkc@linuxmom.net made some criticisms of Ventoy in one of her YouTube videos, she was subjected to a harassment campaign, and others told her the same happened to them. That pushed me from not trusting Ventoy to actively distrusting it.

I too wish the developer would respond, but I don't think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

Hey guys open source is great you can look at all the code and therefore there are no security backdoors etc. Also here are a bunch of pre-compiled blobs in the repo, don't worry about those, but they are required to run the program.

God I hate people who use github comments for their own benefit. "Just fork it bro" is never helpful.

Glad it's getting a little more light. Been trying to tell people this for a few years now lol. It's the reason I've stayed away from it since first learning of the tool and looking at the "source code".

Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don't like it, don't use Ventoy.

The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.

Blobs in the source tree are not ideal, but people need to pick their battles.

Wtf is ventoy and why is nobody explaining it

As a wise one once said: "Talk is cheap, send patches"

Makes me wonder how far the closest alternative, glim, could be upgraded to match Ventoy given the confines of GRUB.

Someone had mentioned that Fedora fails to verify when booting from Ventoy. Now I'm thinking if I could dd the media loaded via Ventoy and compare with an original copy to see what changed.

All my laziness about not checking it out has come to fruition. Now I simply don't have to, because this is sketch as fuck until it is handled.

Any alternatives to this tool? I've used it a lot lately because I was testing out live OSes before installing one to the hard drive, but otherwise I don't need it on a daily basis.

I never trusted it because I thought it was completely proprietary. Well now I know it basically is.

I haven't read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:

Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

There is no reason to have those not be build in the release process. Of course it's convenient, they are prebuild, it's fast and nobody has a problem with it.

Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build it on-push and use them out of the build cache.

I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

Thank you for reading this and I hope for a productive conversation

This is free software, they don't owe you anything and this kind of language sounds angry and entitled. You can't just Gordon Ramsay on someone else's codebase.

Time for a fork, then?

Need to compare hashes between a stock ISO and one flashed booted by Ventoy (dd the latter to a file and check)

What does BLOB stand for?

I like multiboot. Used it back when I used Windows.
The Ventoy advertisements on Reddit looked too suspicious, so I never checked it out.

Is BLOB an acronym?

I just wish it had a real alternative. GRUB on USB doesnt support as much distros or windows.

It's a useful tool, but there is a security concern for anything not fully open source. You will have to weigh your risk factors, I doubt that it's any problem for most consumers or distro hoppers.

Best to keep an eye in case any new contributers arrive suddenly...

I've had too many issues with Ventoy that I'd rather just use fedora media writer or balenaetcher for when that doesn't work. I mean honestly it's a bit gimmicky, even if it's a cool concept. I believe Glim and some other options exist too

bruh.

Is there an alternative to Ventoy for booting Windows vhd images from an ntfs partition?