
[issue]: Remove BLOBs from the source tree

Open FairyTail2000 opened this issue 3 months ago • 9 comments

What happened?

Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBs than source code:
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

There is no reason not to have those built in the release process. Of course it's convenient: they are prebuilt, it's fast and nobody has a problem with it.

Recent events, however, showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build them on push and use them out of the build cache.

I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

Thank you for reading this, and I hope for a productive conversation.

FairyTail2000 avatar Apr 03 '24 05:04 FairyTail2000
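The opening post makes two checkable claims: that the tree carries prebuilt executables, and that a rebuild from the documented steps would not yield byte-identical files. The script below is an added example (not Ventoy's code and not part of the issue) showing how a reviewer would audit a checkout for committed binaries and compare each one, by SHA-256, against the output of a fresh rebuild. The sample tree, the `cryptsetup/cryptsetup` and `tool.exe` stub files and the "rebuilt" digests are all constructed inline for the demonstration; in practice the rebuilt digests would come from a CI job that runs the project's own build scripts.

```python
"""Audit a source tree for committed binary artifacts and check them
against a fresh rebuild by hash. Added example; not Ventoy's code."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Magic numbers for common executable formats. Assumption: these are the
# formats worth flagging in a bootloader/tooling repo; extend as needed.
MAGICS = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/MZ",
    b"\xfe\xed\xfa\xce": "Mach-O 32",
    b"\xfe\xed\xfa\xcf": "Mach-O 64",
    b"\xcf\xfa\xed\xfe": "Mach-O 64 (LE)",
    b"\xca\xfe\xba\xbe": "Mach-O fat",
}


def classify(head: bytes) -> Optional[str]:
    """Return a format name if the file head looks like a binary, else None."""
    for magic, name in MAGICS.items():
        if head.startswith(magic):
            return name
    # Same heuristic git uses: a NUL byte in the first 8000 bytes means binary.
    if b"\x00" in head[:8000]:
        return "binary (NUL heuristic)"
    return None


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_blobs(root: Path, skip_dirs=(".git",)) -> Dict[str, Tuple[str, str]]:
    """Map each binary's path relative to root to (kind, sha256 hex digest)."""
    found: Dict[str, Tuple[str, str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            with p.open("rb") as f:
                head = f.read(8000)
            kind = classify(head)
            if kind:
                found[p.relative_to(root).as_posix()] = (kind, sha256_file(p))
    return found


def compare_with_rebuild(committed: Dict[str, Tuple[str, str]],
                         rebuilt: Dict[str, str]) -> Dict[str, str]:
    """Per committed blob: 'match', 'MISMATCH', or 'not rebuilt' if CI
    produced no artifact at that path (itself a finding: no build recipe)."""
    report = {}
    for rel, (_, digest) in committed.items():
        if rel not in rebuilt:
            report[rel] = "not rebuilt"
        elif rebuilt[rel] == digest:
            report[rel] = "match"
        else:
            report[rel] = "MISMATCH"
    return report


def demo() -> Dict[str, str]:
    """Constructed sample tree: an ELF stub, a shell script, and a PE stub."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cryptsetup").mkdir()
        (root / "cryptsetup" / "cryptsetup").write_bytes(b"\x7fELF" + b"\x01" * 60)
        (root / "cryptsetup" / "build.sh").write_text("#!/bin/sh\nmake\n")
        (root / "tool.exe").write_bytes(b"MZ" + b"\x90" * 100)
        blobs = find_blobs(root)
        # Constructed "CI output": cryptsetup rebuilt identically, tool.exe not.
        rebuilt = {
            "cryptsetup/cryptsetup": blobs["cryptsetup/cryptsetup"][1],
            "tool.exe": hashlib.sha256(b"MZ" + b"\x90" * 99 + b"\x91").hexdigest(),
        }
        return compare_with_rebuild(blobs, rebuilt)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:12} {path}")
```

A `MISMATCH` is not proof of tampering: toolchain version, embedded timestamps and build paths all break byte-for-byte reproducibility, which is exactly why the comparison only becomes meaningful once the build recipe lives in CI and produces the artifact that ships.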

Hear hear!

REALERvolker1 avatar Apr 03 '24 08:04 REALERvolker1

For those who are not familiar with the xz-utils backdoor, here is the original email sent by Andres Freund, who discovered the backdoor:

https://www.openwall.com/lists/oss-security/2024/03/29/4

FairyTail2000 avatar Apr 03 '24 08:04 FairyTail2000

Ventoy is in a quite unique position to be the target of state and non-state adversaries, as malware and exploits could target not only certain installations or distros but the whole user base. In the face of headlines about Linux desktop percentages, Ventoy could attract focus in the search for new vectors.

elypter2 avatar Apr 03 '24 13:04 elypter2

Ventoy is in a quite unique position to be the target of state and non-state adversaries, as malware and exploits could target not only certain installations or distros but the whole user base. In the face of headlines about Linux desktop percentages, Ventoy could attract focus in the search for new vectors.

I fully agree, I use this not just at home but work too!

jeekkd avatar Apr 04 '24 01:04 jeekkd

Don't get your hopes up this has been an issue for a very long time. Use something else! https://github.com/ventoy/Ventoy/issues/132

exalented avatar Apr 07 '24 15:04 exalented

Regardless of recent events, this should be addressed. Ventoy is an excellent concept and pretty solid execution, but security should be a critical focus. If the developer does or does not want to address this, hopefully some community members can contribute to alleviate this as a concern. For now I think it is a good idea to not use Ventoy myself.

digitalspaceport avatar Apr 07 '24 22:04 digitalspaceport

An XZ style attack is a once every few years worst case. You can do harmless things with blobs and harmful things with source.

I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it.

Do you want Jia Tan to come in and save us from these blobs?

The main maintainer has been on vacation for a while and has only just gotten back online a few days ago.

Regarding the specifically linked binaries: nearby in these folders (which were last modified years ago) they show, in plain text, how they were built. The build process already takes 15 to 20 minutes.

There are certainly security considerations when using Ventoy. #135 But becoming Richard Stallman and demanding no binaries at any cost is not very useful.

catherinedoyel avatar Apr 08 '24 17:04 catherinedoyel

An XZ style attack is a once every few years worst case. You can do harmless things with blobs and harmful things with source.

You're missing the point. No, there's nothing inherently more dangerous about the blobs themselves. The issue is that one can't verify whether they are safe or not. Source code can be audited and vulnerabilities discovered. You can't really do that with binary blobs. That's a major part of the open-source ethos.

OboTheHobo avatar Apr 28 '24 02:04 OboTheHobo

It's been a month. I think the developer should have enough time to respond to both the xz attack and this issue. I really hope to hear some official response.

It has been a month since the XZ attack; I think the developer should have had enough time to respond to the problems raised in this issue. I sincerely hope to see an official response from the developer.

Thanks for developing this useful software.

Thank you for the time and effort you put into developing this software.

escape0707 avatar May 01 '24 03:05 escape0707