this post was submitted on 17 Sep 2024
432 points (99.1% liked)

Open Source

30302 readers
2124 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
432
Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months (github.com)
submitted 2 days ago by SatyrSack@lemmy.one to c/opensource@lemmy.ml
131 comments fedilink hide all child comments
 

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

you are viewing a single comment's thread
view the rest of the comments
[–] n2burns@lemmy.ca 78 points 2 days ago (5 children)

I too wish the developer would respond, but I don't think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

[–] stickmanmeyhem@lemmy.world 29 points 2 days ago (1 children)

If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?

[–] Quail4789@lemmy.ml 18 points 2 days ago (2 children)

It matters because nobody is going to check the hashes for all of the files match whenever there's a change so the maintainer can just replace them with whatever he wants.

[–] pupbiru@aussie.zone 20 points 1 day ago (1 children)

that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

[–] refalo@programming.dev 2 points 22 hours ago (1 children)

That is true, but also nobody is doing it. Just like nobody is verifying Signal's "reproducible builds".

[–] pupbiru@aussie.zone 3 points 14 hours ago (1 children)

are you sure?

there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

[–] refalo@programming.dev 1 points 10 hours ago* (last edited 10 hours ago)

Yea because I tested it myself. Nobody else seems to care, and if they did, I would think there would be a public way to see regular test results regardless.

I know this exists for some projects, but somehow nothing privacy-sensitive

[–] MangoPenguin@lemmy.blahaj.zone 16 points 2 days ago (1 children)

Is that any different from no one checking the code every update?

[–] Quail4789@lemmy.ml 11 points 1 day ago* (last edited 1 day ago) (1 children)

The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.

There's also the fact that if you want to ship binaries, you can just wget them from source during the build process. Not a perfect solution but much better than what's ventoy doing. The source code updates works the same in every project because it has to. That's why this is drawing more attention.

[–] Ferk@lemmy.ml 3 points 1 day ago* (last edited 1 day ago) (1 children)

That's ok if we are talking about malware publicly shown in the published source code.. but there's also the possibility of a private source-code patch with malware that it's secretly being applied when building the binaries for distribution. Having clean source code in the repo is not a guarantee that the source code is the same that was used to produce the binaries.

This is why it's important for builds to be reproducible, any third party should be able to build their own binary from clean source code and be able to obtain the exact same binary with the same hash. If the hashes match, then you have a proof of the binary being clean. You have this same problem with every single binary distribution, even the ones that don't include pre-compiled binaries in their repo.

[–] refalo@programming.dev 1 points 10 hours ago

The problem is not near enough projects support reproducible builds, and many that do aren't being regularly verified, at least publicly.

[–] grue@lemmy.world 23 points 2 days ago

On the contrary: that just goes to show what a fucking catastrophe for software freedom "Secure[sic] Boot" is.

[–] nialv7@lemmy.world 16 points 1 day ago (1 children)

While this is true, it only requires the shim and grub to be copied for another distro.

From other comments there are a lot more blobs than just these two.

[–] davad@lemmy.world 3 points 1 day ago (1 children)

It sounds like most, if not all, come from upstream projects.

[–] nialv7@lemmy.world 3 points 20 hours ago

Would be nice if the dev can respond and confirm that...

[–] infeeeee@lemm.ee 9 points 2 days ago

It sounds to me as a documentation issue, as the next comment says, simply including a wget script should solve this.

[–] ReversalHatchery@beehaw.org 4 points 1 day ago (1 children)

that's only a few files out of the 153

[–] refalo@programming.dev 1 points 22 hours ago

153 binaries? where?