Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months
Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months
What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...
![[issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy](https://lemmy.blahaj.zone/pictrs/image/83ed7177-de24-4936-8e8a-f10b3ad59df3.webp?format=webp&thumbnail=256)
I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.
You're viewing a single thread.
I haven't read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:
Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP
There is no reason to have those not be build in the release process. Of course it's convenient, they are prebuild, it's fast and nobody has a problem with it.
Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build it on-push and use them out of the build cache.
I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.
Thank you for reading this and I hope for a productive conversation
This is free software, they don't owe you anything and this kind of language sounds angry and entitled. You can't just Gordon Ramsay on someone else's codebase.
I cannot fathom what in this issue description gives rise to your concern. It’s worded very calmly, clearly explaining why the author thinks these BLOBs shouldn’t be there, expressing an understanding that it’s not a top priority and even closing with a thank you.
Is this not rude:
I checked the code and I’m appalled. There are more BLOBs than source code
And this:
I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.
We didn’t like it when MS made an issue trying to direct ffmpeg
They should have opened with a complement or asked for directions if they didn’t know. In this message “Thank You” means fuck all
Is this not rude:
I checked the code and I’m appalled. There are more BLOBs than source code
No. The commenter is voicing their own feelings and explains why they have them. There is neither blaming nor rudeness here.
And this:
I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.
It would have been nice if you had explained why you think this is rude. The author expresses understanding that the maintainers’ priorities don’t align with the author’s. This seems to be an uncontroversial statement to me.
Then the author explains (I agree, it’s more a hint than an explanation) why they think the priorities should be changed. In my view their argument is sound. Again, there is no blaming or rudeness here.
They should have opened with a complement
I assume you mean “compliment”.
I’ve often heard of the “sandwich technique” – start with a compliment, then voice criticism, end with another positive thing. I find this is an appropriate procedure when voicing open feedback, that is, good things and bad things. However, this is a Github issue. Its whole point is to point out a perceived problem, not to give the maintainers a pat on the back or thank them.
I don't understand how "appalled" being strong language is so controversial, maybe everyone here is just a rude little shit.
I would have worded it like so:
Hi, I'm concerned about the BLOBs used in this repo as they are a security risk, making the code less auditable. It looks like we could generate these BLOBs in a github action or something so we can keep the fast build process while making it easier to audit the code. I'm not exactly sure how to go about this myself but I've done similar things in other projects, maybe you could point me in the right direction as I am unfamiliar with the ventoy build process? Thanks for the really cool project, and hopefully we can sort this out easily. Looking forward to your response.
I did it with less anger and entitlement and in less words
I mean the author has simply ignored this issue. If you look into it there are a few that people simply do not know how to generate, so without the maintainer it's impossible to make a PR solving this.
I mean if I got an issue that sounded that entitled and this is something I do in my spare time, I'd probably ignore it.
My point is they could have worded it better and it might have gotten a response. If you ask kindly about the BLOBs and maybe for some help to push you in the right direction instead of saying "I don't know", then it is fair to call the maintainer rude for ignoring it completely.