Ventoy is a tool to make a USB with multiple ISOs bootable, letting you select which ISO to use on boot. Another newly-created account claims to be the dev’s friend and translator and has received no contact from the maintainer.

  • @callcc
    link
    631 month ago

    Nobody knows who responded here. Don’t spread rumors.

    • AatubeOP
      link
      fedilink
      71 month ago

      I thought it was clear from the details that it was suspicious. Edited.

      • @callcc
        link
        121 month ago

        Things are suspicious but you still spread gossip and maybe lies.

  • Quack Doc
    link
    461 month ago

    My name is Linus torvalds and this is why I TempleOS…

    • @db2
      link
      31 month ago

      My name is TempleOS and this is why I Linus Torvalds

  • @[email protected]
    link
    fedilink
    English
    38
    edit-2
    1 month ago

    so ive deep dived into as much information as i can find. the TLDR is the main dev LongPanda supposedly went on a vacation to china (most likely his home country?) to which there is conflicting information on his return. one path is he make a lemmy account 9hours ago and made a message that doesn’t describe the blob and sound like a gpt response. to which his "irl friend made an account 3 hours ago to comment that he hasnt heard from LongPanda in months. both were removed from lemmy.ml because of suspected impersonation. the other side of the coin is the LongPanda is still gone and hasn’t addressed the blobs. after looking thought the documentation, you can build from source. in the instructions it says "5. Binaries

    There some binaries in Ventoy install package. These files are downloaded from other open source project’s website, such as busybox."

    i am not a programer but in the source build it lists the blobs and were there from supposedly from other FOSS projects with sha256’s. so theoretically you should be able to verify the blobs, with the sha256.

    https://github.com/ventoy/Ventoy/blob/master/DOC/BuildVentoyFromSource.txt

    • Random Dent
      link
      fedilink
      English
      141 month ago

      I like Ventoy, it’s handy but I don’t think it’s indispensable so probably what I’ll do is go back to using Etcher (which is open source AFAIK) until this resolves itself one way or another. I assume either the dev will respond properly with an explanation and everything will be fine, or someone will get fed up enough to fork it. I feel like it’s probably nothing nefarious, but it doesn’t really hurt to be overly cautious in this case IMO.

      • Bizzle
        link
        English
        31 month ago

        Ventoy’s “killer feature” is the ability to have multiple ISOs in a single drive, can Etcher do that? If so I’ll switch, if not why not just use dd?

          • @mvirts
            link
            11 month ago

            It’s deja vu all over again 😹

            So can grub. Actually ventoy is built on grub

    • @mvirts
      link
      11 month ago

      Imho it will be much easier to replace blobs with verifiably correct blobs or add the source to build them than to retroactively find the original builds from whence they came.

      Searching for some of those binaries looks like it would require comparing the hash against a large set of candidates which would need to first be unpacked from releases (fedora mostly???) and hashed unless the hashes already exist somewhere.

  • @just_another_person
    link
    211 month ago

    I understand the concern raised, but unless I’m reading this wrong there is an assumption that Ventoy may be doing something untoward, but I’m not sure how at this level. It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.

    Just sounds like super lazy project administration. Maybe I’m missing something?

    • AatubeOP
      link
      fedilink
      271 month ago
      1. Around April, there was this big thing where a maintainer for XZ Compression included an SSH backdoor in binaries that were only built on release. If a freaking piece of compression software can backdoor SSH, who knows what else is possible.
      2. The response to the blob concern is nonsensical, made without their previously-known accounts, and coincides with someone’s claim that they are a close friend and was on vacation to China, the country where the XZ maintainer was from.
      • @just_another_person
        link
        171 month ago

        The xz issue is something totally different though. That was a software library running and executing against flat files. I’m just not sure there’s a way to alter an ISO image before boot, undetected in the case of Ventoy.

        If the goal is to alter files to provide access to something, this must be some sort of ingenious way that bypasses checksums, and targets something universal, which doesn’t seem quite possible in the case of a substitute bootloader.

        • AatubeOP
          link
          fedilink
          51 month ago

          Yeah, it would be really big. I wouldn’t have posted about this if it weren’t for the radio silence and blabbering statement.

    • @[email protected]
      link
      fedilink
      51 month ago

      It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.

      As far as I can tell, this is not talking about ISOs installed using Ventoy, but precompiled blobs of things like Busybox that are included in the Ventoy install package. It’s an important distinction. The developer could bundle a tampered blob, include in the documentation the checksum that matches that blob, and then if someone checks with the upstream project and calls them out, say something along the lines of, “Oh, they must have withdrawn that release,” and replace it with an untampered blob. If they don’t fight to preserve the tampered blob, they might even get away with it.

      • AatubeOP
        link
        fedilink
        31 month ago

        The claim of the person you’re replying to is that even if the binaries were tampered, Ventoy wouldn’t be able to do anything.

        • @[email protected]
          link
          fedilink
          21 month ago

          Even if the original issue had anything to do with ISOs, he’s way overestimating the level of protection on many install ISOs, in my experience—they’re just disk images, and presumably all the files read off them are passing through Ventoy itself. Even if you find one that performs some kind of verification, easy enough to change a jump instruction to a no-op somewhere in the machine code guts of a file as it passes through Ventoy, and prevent the verification from executing. (The difficult part is figuring out which instruction to change, but people have done it before.)

          • @just_another_person
            link
            31 month ago

            No, I’m saying the way ISOs are written, you couldn’t just, say, inject changes via text tools or whatever like the xz attack.

            I’m not aware of HOW a binary blob not knowing specifically what it was going to attack COULD attack anything in a resting and isolated state like it would be with Ventoy.

    • AatubeOP
      link
      fedilink
      91 month ago

      On second sight, that specific response seems like a troll

      • Dessalines
        link
        fedilink
        101 month ago

        I banned that one now too.

        Some common threads I’m seeing with these troll accounts:

        • lemmings.world
        • new account
        • claim to be or know the creators
        • make claims about the insecurity of an open source app
        • blame china in some way
    • AatubeOP
      link
      fedilink
      41 month ago

      Oh hell naw, I was rooting for rustdesk…

  • @[email protected]
    link
    fedilink
    7
    edit-2
    1 month ago

    Interesting context to bring up Lemmy

    Edit: from the thread, it’s pretty clear those people were not the creator?

  • @[email protected]
    link
    fedilink
    -141 month ago

    I heard people raving about ventoy, i checked it out online, but blobs and chinese maintainer made it seem fishy. Even if a maintainer was legit it only takes CCP thteatening their family to get a backdoor inserted

    • @[email protected]
      link
      fedilink
      241 month ago

      This is ridiculous. You don’t trust “Chinese maintainers” (“even if legit” lol), because the “CCP” might threaten “their family to get a backdoor inserted”.

      Absolutely unhinged level of fantasy in the context of this project. A nation of 1.4 billion people and you don’t trust anyone there to write software? You know they made your phone and pretty much everything else right? Also, the idea that “the CCP” is somehow uniquely (among governments) willing and able to coerce or commission backdoors in software is a feverishly deluded attitude.

      Propaganda has put a backdoor in your brain.

      • @[email protected]
        link
        fedilink
        2
        edit-2
        1 month ago

        We have chinese police here in Vancouver (edit Non Canadian force), if residents speak badly about CCP these “Police” show up at the door and try to coherce them back to mainland. I’m not regurgitating the articles, my friend living in vancouver had them show up. I’m not trusting blobs.

      • AatubeOP
        link
        fedilink
        31 month ago

        hey let’s not attribute racism to canadians in an act of ethnicism

      • @[email protected]
        link
        fedilink
        -1
        edit-2
        1 month ago

        Hang on, it’s racist to call out totalitarian dictatorships that put muslims in concentration camps and have secret police in other countries to enforce their draconian laws abroad on other sovereign state’s soil?

        Fuck that, the chinese government is sketchy as hell, and so are you for trying to downplay the distrust said government has earned quite well as “racism.” Do you work directly for them or is it more of a 3rd party contractor situation?

          • @[email protected]
            link
            fedilink
            -3
            edit-2
            1 month ago

            Yeah, sure would be if anyone had done that, but that assumption was an invention of your own not contained within the statement you replied to. “The belief” is that the Chinese government can coerce any citizens within it’s borders (and some outside it’s borders no less), stop putting words in other’s mouths yourself then.

            Mmhmm “canned meme response” yes. Totally not employed to curtail criticisms of the government you’re defending, I can tell by the originality.

        • knightly the Sneptaur
          link
          fedilink
          21 month ago

          The American government is sketchy as hell too, but you aren’t here telling us not to trust American developers…

          • @[email protected]
            link
            fedilink
            -1
            edit-2
            1 month ago

            No, I do that on threads about american devs. You can’t just hand wave any criticisms of a government away with “racism” or “but whatabout this other government you also complain about?!”

            I notice you haven’t told me that homophobia is bad too while you’re calling me racist, I guess that means you like homophobia? No? That’s just as ridiculous as “if you criticise one government you have to criticise them all in the same comment.” This isn’t “did you bring enough criticism for the whole class” time.

            None of this should be news to anyone here, lemmy is highly privacy focused and that doesn’t go away simply because the proprietary blobs in question could be doing sketchy things for the CCP instead of the NSA, either way it’s bad to normal people who aren’t blindly allegiant to the CCP or the NSA.

        • AatubeOP
          link
          fedilink
          21 month ago

          To play devil’s advocate, people often justify their biases with seemingly more reasonable stuff. “only good people should be trusted to breed” is eugenics even if someone made a funny movie about it.

          • @[email protected]
            link
            fedilink
            0
            edit-2
            1 month ago

            Very true, but we can’t just not criticise a government because the people involved checks notes “aren’t white.” What would make them above criticism? In my view the only possible answer is because (and it’s usually applied to children or the mentally disabled,) “they don’t understand what they’re doing.” In my personal opinion “Nonwhite people” are just as capable as “white people” of knowing what they’re doing, as they are not by default children or mentally disabled (though they do also have both categories, and those categories should get a little more leeway). They know spying is wrong whether they’re “chinese” or “american.”

      • @[email protected]
        link
        fedilink
        -2
        edit-2
        1 month ago

        Read my other reply in this thread you will see why/how CCP oversteps boundaries, and why you don’t trust blob code you can’t verify

        • Norah - She/They
          link
          fedilink
          English
          8
          edit-2
          1 month ago
          1. There’s an older comment in this thread that details how you could verify those blobs: https://sh.itjust.works/comment/14458323
          2. You very much implied that you shouldn’t trust all people of Chinese descent. I personally very much dislike the CCP, as a government I think they cause an immeasurable amount* of harm. However, what you are suggesting is on the same level of racism as the US government locking up all Japanese-Americans in internment camps during WWII.
          3. Seriously, calm down.
          • @[email protected]
            link
            fedilink
            11 month ago

            Nope just maintainers that I can’t verify their identity, not asians in general.

            We live in a mixed bag of skin colours here, I have no issue with people…just CCP and their infiltration of their officials into Canada… that are harassing citizens and Permanent residents of chinese descent.