I remember a story where people asked about blobs included in Ventoy and there were no comments from the devs, leading to suspicion.

At the time it wasn’t clear to me if there was any substance to the story or if it was the usual Internet exaggeration, so I resolved to ignore it for the time being and saved a reminder to look into it after a while.

Now my reminder fired off and I looked around, but couldn’t find how the story ended… do you know?

    • mumblerfish@lemmy.world
      link
      fedilink
      arrow-up
      21
      arrow-down
      2
      ·
      4 days ago

      That screenshot is from another site. An account named longpanda has also appeared on lemmy and had their post/replies removed because of impersonation suspicions.

      I think it is wise to take extra care on this issue on what you read and trust.

      • exu@feditown.com
        link
        fedilink
        English
        arrow-up
        11
        ·
        4 days ago

        Afaik that particular post is on the official Ventoy forum. Probably legit

        The Lemmy one was fake

      • priapus@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 days ago

        That is the owners account from the official forum, which is known to be real. The Lemmy account was a fake that copied their name from that account.

  • IcyToes@sh.itjust.works
    link
    fedilink
    arrow-up
    12
    arrow-down
    1
    ·
    4 days ago

    Looks like contributor is busy with work. Always the risk with open source. If things aren’t raised in a reasonable manner, I can imagine the temptation is to follow it up with a middle finger.

    Many seemed to care about it enough to bash it, but not enough to create and maintain a fork. They just want to boss it over the maintainer.

    • gomp@lemmy.mlOP
      link
      fedilink
      arrow-up
      6
      ·
      4 days ago

      Agreed: now that I’m looking at the whole thing, this looks like a story where the FOSS community left much to be desired.

  • rudyharrelson@lemmy.radio
    link
    fedilink
    arrow-up
    31
    ·
    5 days ago

    I’m in a similar boat to you; whether the blobs constitute a security threat seems to still be up in the air. I read through the issue thread on github a few months back and it seemed the vast majority of the blobs were built by scripts contained in the repository, but some weren’t documented well, leading to uncertainty.

    The comment by Long0x0 on Aug 05 lists a lot of the blob files.

  • fool
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    4 days ago

    Not fixed yet. People either quit, let their threat model allow Ventoy’s shellscripts to git-commit bins, or built it from source (i.e. PKGBUILD or ebuild).

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    5 days ago

    I thought one of them did comment about it and it was something like the uefi drivers taken from Fedora or something.

  • Aatube@kbin.melroy.org
    link
    fedilink
    arrow-up
    10
    arrow-down
    4
    ·
    5 days ago

    Blobs aren’t really a concern as they reference the sources which produce the same binaries, but there are suspicions of compromise due to the Lemmy comments mentioned in the thread. The official accounts’ comments alleviate some of that, though.

          • FlappyBubble@lemmy.ml
            link
            fedilink
            arrow-up
            7
            ·
            4 days ago

            Presuming the software is working ans secure, is the time that passed since the last commit importang?

            • Telorand@reddthat.com
              link
              fedilink
              arrow-up
              3
              ·
              4 days ago

              I also check the open issues when I judge a repo, and there’s only 22, with nearly all of them being feature requests and not bug reports. Also, the majority were opened by the repo owner, and they’re checklist items for future functionality (like making less common ISO’s work).

              It could be that it’s abandoned, or it could be that the maintainer just doesn’t have the time or drive to include edge cases like “NixOS” and “Fedora 37 clones” right now.