All about open source! Feel free to ask questions, and share news, and interesting stuff!
Community icon from opensource.org, but we are not affiliated with them.
Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don't like it, don't use Ventoy.
The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.
Blobs in the source tree are not ideal, but people need to pick their battles.
From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.
I like multiboot. Used it back when I used Windows.
The Ventoy advertisements on Reddit looked too suspicious, so I never checked it out.
Glad it's getting a little more light. Been trying to tell people this for a few years now lol. It's the reason I've stayed away from it since first learning of the tool and looking at the "source code".
I've had too many issues with Ventoy that I'd rather just use fedora media writer or balenaetcher for when that doesn't work. I mean honestly it's a bit gimmicky, even if it's a cool concept. I believe Glim and some other options exist too
Time for a fork, then?
Wtf is ventoy and why is nobody explaining it
because search engines exist
Wtf is a BLOB and why is nobody explaining it
Binary Large OBject
Basically any binary file, often objected to in open source repos because of the lack of source and 'openness'. See also the recent xz backdoor.
Binary data. In the case of lz it was a carefully "corrupted" archive.
Basically an OS which let's you choose another OS to boot into. This way you can chose between multiple OS's on one USB drive. You drag your ISO files into a USB folder and choose between them on boot.
So like rEFInd but on the same drive?
That sounded like grub until you said ISO file
Yeah basically grub but on a USB stick and with ISO files
I used Ventoy (its still on my USB stick). Its actually a pretty cool concept. Normally without Ventoy, you would flash your Linux distribution on the USB stick. And then you can boot from it, right?
Ventoy instead allows you to have a folder where you put an ISO without flashing it, and then you can boot from it by selecting in the menu. You just need to flash Ventoy once, as the base system, then you can put as many ISO files into that directory. I tested it and have 7 different Linux distributions (ranging from 1 GB to 4 GB variants) on the same USB stick, and I can boot any of them without flashing again. Replacing ISO is extremely easy, just delete it and copy a new one. Filenames does not matter, anything can be found.
This is a bit absurd. I really don't think this is as serious as some comments say. Also there is a comment from AUR package manager which explains more details. . And even the blobs in the first post there are source and build instructions in their respective folder.
I firmly believe there are no backdoors or anything dodgy going on here
OK but that's hardly reassuring.
Not suspicious at all.
That linked reply doesn't explain anything. It just says "bro trust him". Just because you and the AUR maintainer says its trustful, does not make it clear whats behind the binary blobs. It doesn't matter what anyone says, if we can't verify. In my opinion, its absurd calling others absurd for not trusting the word of others.
And even the blobs in the first point there are source and build instructions in their respective folder.
No it is not. It is supposedly the built result based on the instruction provided. If they can just provide that instruction, why not provide the source as well?
The issue thread also highlights the stubbornness and hostility of the project maintainer toward possible contributors.
Need to compare hashes between a stock ISO and one ~~flashed~~ booted by Ventoy (dd the latter to a file and check)
Wat? Ventoy doesn't flash isos, it boots from them
Thanks edited