Spyke

Just multithread. If you get nine people pregnant you can have a baby in one month, right?

12

Ayy, not that fast, their blob is licensed under the BSL, get to know them a while first

6
troed
fedia.io

oh wow that really put the trust back into Ventoy. Nice! Thanks for the link

42

Happened after a partner product in the Ventoy repo was found to have a pretty major vulnerability due to a... you guessed it, pre-compiled supply chain attack.

18
lemmy.zip

There is also a new community fork to get rid of the blobs and bad cert loading. The Ventoy dev has made a bunch of concerning choices, so some people hard forked the code. I forgot where it was though.

21
lemmy.world

I'm going to guess you've never been part of a project with complexity and sheer black magic fuckery comparable to Ventoy. The developer (a singular person) had to make a choice between:

  • Pandering to a small group of vocal open-source extremists, dedicating a large part of their time to changing the incredibly complex build process to also build the binaries of other open-source projects, potentially at the cost of stability, eventually arriving at a product with the same feature set, pleasing some open-source extremists, but still receiving criticism for "taking a year to respond to a genuine concern"; or
  • Not doing that and focusing their effort on stability and compatibility fixes to arrive at an improved product.

I've read the original issue thread front to back, and it's a fucking clown show. I can't blame the developer for not wanting to engage with those people. Nobody is entitled to the developer's time or attention. Right now the issue is being worked on, which is more than most of the whiners can say about themselves; if you think that's still insufficient, do better.

5
Tundra
lemmy.ml

Just started using this for the first time. Is it still ok to use?

22
lemmy.world

Yes, but people have concerns. Ventoy is fully open-source, but the build process pulls binary blobs (compiled executables, think of them like blob chips) from other F/OSS projects, which is an issue for some people. They have legitimate concerns about trusting Ventoy because they have to implicitly trust the projects that Ventoy pulls from but can't verify what is getting pulled. If such a project were to become compromised (the way XZ-Utils was), it would eventually spread to Ventoy.

That being said, the developers (or singular developer, not sure) are taking steps to reduce Ventoy's dependency on external blobs. It's a difficult task and they have limited resources, but they have acknowledged that it is an issue and are working on a solution.

63

If such a project were to become compromised (the way XZ-Utils was), it would eventually spread to Ventoy.

What a lot of people don't know is that the XZ attack entirely relied on binary blobs: partially in the repo as binary test files, and partially in only the GitHub release (binary).

If someone actually built it from source, they weren't vulnerable. So contrary to some, it wasn't a vulnerability that was in plain view that somehow passed volunteer review.

This is why allowing binary data in open-source repos should be heavily frowned upon.

36
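The two comments above make the same practical point: a build that pulls prebuilt artifacts, or a repo that carries opaque binary files, gives reviewers nothing to read. The script below is an added example, not code from the thread or from the Ventoy project. It shows the two checks a maintainer or downstream packager can run in CI: flag every binary file committed to a tree (using Git's own NUL-byte heuristic), and refuse any fetched artifact whose SHA-256 is not pinned or does not match its pin. The sample tree, the pin table and the file names are constructed for the demo.

```python
"""Added example (not from the thread or the Ventoy project): defensive
checks for builds that consume prebuilt binaries. All sample data is
constructed inline so the script runs offline."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Git treats a file as binary if a NUL byte appears in its first 8000 bytes;
# the same heuristic is used here to inventory what a reviewer cannot read.
BINARY_PROBE_BYTES = 8000


def is_binary(path: Path) -> bool:
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(BINARY_PROBE_BYTES)


def find_binary_files(root, ignore_dirs=(".git",)):
    """Return repo-relative POSIX paths of binary files under root, sorted.
    Anything listed here should be justified in review or replaced by a
    build-from-source step."""
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune VCS metadata in place so os.walk does not descend into it
        dirnames[:] = [d for d in dirnames if d not in ignore_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            if is_binary(p):
                found.append(p.relative_to(root).as_posix())
    return sorted(found)


def sha256_of(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path, pins) -> bool:
    """True only if the artifact's basename has a pinned SHA-256 and the
    file matches it. An artifact with no pin fails closed: the point is
    that nothing unreviewed gets into the build silently."""
    expected = pins.get(Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of(path), expected)


def demo():
    """Build a constructed tree, run both checks, return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "tests").mkdir()
        blob = root / "tests" / "fixture.bin"
        # constructed ELF-like header followed by zero padding
        blob.write_bytes(b"\x7fELF\x00\x00\x01" + bytes(64))
        (root / ".git").mkdir()
        (root / ".git" / "index").write_bytes(b"DIRC\x00\x00")

        binaries = find_binary_files(root)

        # hypothetical pin table a maintainer would commit next to the build
        pins = {"fixture.bin": sha256_of(blob)}
        verified = verify_pinned(blob, pins)
        unpinned_rejected = not verify_pinned(root / "src" / "main.c", pins)

        # simulate a swapped artifact: same name, one extra byte
        blob.write_bytes(blob.read_bytes() + b"\x90")
        tampered_rejected = not verify_pinned(blob, pins)

    return {
        "binaries": binaries,
        "verified": verified,
        "unpinned_rejected": unpinned_rejected,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the pin table would be committed alongside the build script and updated only through a reviewed change, so a new or altered blob shows up as a diff to a text file rather than as an invisible download.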
slazer2au
lemmy.world

Yea it's fine.

From memory, the blob everyone was complaining about was related to UEFI and came from Fedora.

19

Except for the part where it completely nullifies secure boot...

Fine if you don't care about that, but it caused a lot of security issues in the enterprise.

3

Off topic, but I'd never heard of Ventoy before and looking at it now, holy shit, I wish I'd known about it sooner.

12
lemmy.world

The NixOS default config has allowUnfree set to false, so it's not always opt-in

0
lemmy.world

That sounds changeable and off by default. So how come you wouldn't say that is opt-in?

2
aussie.zone

I'll absolutely take FLOSS if I can get it, but failing that, FOSS is still a nice improvement over closed-source software.

9
grrgyle
slrpnk.net

Libre, which is synonymous with free.

I think it's more free in some way? I'm not sure, but I think it means free as in doesn't cost anything. Whereas FOSS means free as in open and modifiable, but the maintainer(s) might still charge for it.

2
lemmy.zip

It isn't a "proprietary back end"; it is what Stallman calls Service as a Software Substitute (SaaSS). It wouldn't matter if they claimed it was completely FOSS. You are still using a foreign service you don't control.

With a package manager that is sort of unavoidable though. In the case of snaps you could always modify the source to have a different repo. The real reason not to use snaps is all the other issues.

7

Fair point. Just to be clear: I am NOT a developer, so I may be very wrong on that take.

But from what I understand, the difference between what snaps do and what traditional packages do is that the Canonical repos are hard-coded in it, thus making it harder to decentralise, and that's not very in line with what many wish for a FOSS ecosystem.

8

If the working conditions don't change, computers will become a ball and chain, then deemed useless.

3