I’m something of a proprietary blob myself.
You should open sauce!
Linux moment
nvidia?
And here I am, marking unfree software as installable as the first thing I do on any distro.
I’ll absolutely take FLOSS if I can get it, but failing that, FOSS is still a nice improvement over closed-source software.
It’s good that it’s opt in
Oh, agreed. There are definitely people who can live without unfree software. Me, I can’t do without Steam and Lutris.
Ventoy?
Just open source blobs instead of proprietary blobs
There is also a new community fork to get rid of the blobs and bad cert loading. The ventroy dev has made a bunch of concerning choices so some people hard forked the code. I forgot where is was though.
Is this the one you’re talking about? https://github.com/fnr1r/ventoy-cpio
That’s the one
oh wow that really put the trust back into Ventoy. Nice! Thanks for the link
Happened after a partner product in the Ventoy repo was found to have a pretty major vulnerability due to a… you guessed it, pre-compiled supply chain attack.
Off topic, but I’d never heard of Ventoy before and looking at it now, holy shit, I wish I’d known about it sooner.
just started using this for the first time, Is it still ok to use?
Yes, but people have concerns. Ventoy is fully open-source, but the build process pulls binary blobs (compiled executables, think of them like blob chips) from other F/OSS projects, which is an issue for some people. They have legitimate concerns about trusting Ventoy because they have to implicitly trust the projects that Ventoy pulls from but can’t verify what is getting pulled. If such a project were to become compromised (the way XZ-Utils was), it would eventually spread to Ventoy.
That being said, the developers (or singular developer, not sure) are taking steps to reduce Ventoy’s dependency on external blobs. It’s a difficult task and they have limited resources, but they have acknowledged that it is an issue and are working on a solution.
I don’t believe iVentroy (PXE tool) is fully foss but I could be wrong.
If such a project were to become compromised (the way XZ-Utils was), it would eventually spread to Ventoy.
What a lot of people don’t know is that the XZ attack entirely relied on binary blobs: Partially in the repo as binary test files, and partially in only the github release (binary).
If someone actually built it from source, they weren’t vulnerable. So contrary to some, it wasn’t a vulnerability that was in plain view that somehow passed volunteer review.
This is why allowing binary data in open-source repos should be heavily frowned upon.
Yea it’s fine.
From memory the blob everyone was complaining about was related to eufi and came from Fedora.
Except for the part where it completely nullifies secure boot…
Fine if you don’t care about that but it caused a lot of security issues in the enterprise
Ah yes, telegram
Unzips my ghidra 😏
I can only recommend Guix system 👍
Noice!
