[issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy
github.com
What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

  • @n2burns@lemmy.ca
    38 months ago

    I too wish the developer would respond, but I don’t think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

    Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

    • @nialv7@lemmy.world
      18 months ago

      While this is true, it only requires the shim and grub to be copied for another distro.

      From other comments there are a lot more blobs than just these two.

      • davad
        08 months ago

        It sounds like most, if not all, come from upstream projects.

          • davad
            18 months ago

            I think they did say that in the older thread. But for proper security, you shouldn’t have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.