ventoy / Ventoy

A new bootable USB solution.
https://www.ventoy.net
GNU General Public License v3.0
[issue]: Remove BLOBs from the source tree #2795

Open FairyTail2000 opened 8 months ago

FairyTail2000 commented 8 months ago

What happened?

Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code.

https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

There is no reason to have those not be built in the release process. Of course it's convenient, they are prebuilt, it's fast and nobody has a problem with it.

Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build it on-push and use them out of the build cache.

I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

Thank you for reading this and I hope for a productive conversation

REALERvolker1 commented 8 months ago

Hear hear!

FairyTail2000 commented 8 months ago

For those that are not familiar with the xz-utils backdoor, here is the original email sent by Andres Freund who discovered the backdoor:

https://www.openwall.com/lists/oss-security/2024/03/29/4

elypter2 commented 8 months ago

Ventoy is in a quite unique position to be the target of state and non-state adversaries as malware and exploits could not only target certain installations or distros but the whole user base. In the face of headlines about linux desktop percentages ventoy could attract focus in search for new vectors.

jeekkd commented 7 months ago

> Ventoy is in a quite unique position to be the target of state and non-state adversaries as malware and exploits could not only target certain installations or distros but the whole user base. In the face of headlines about linux desktop percentages ventoy could attract focus in search for new vectors.

I fully agree, I use this not just at home but work too!

exalented commented 7 months ago

Don't get your hopes up, this has been an issue for a very long time. Use something else! https://github.com/ventoy/Ventoy/issues/132

digitalspaceport commented 7 months ago

Regardless of recent events, this should be addressed. Ventoy is an excellent concept and pretty solid execution, but security should be a critical focus. If the developer does or does not want to address this, hopefully some community members can contribute to alleviate this as a concern. For now I think it is a good idea to not use Ventoy myself.

catherinedoyel commented 7 months ago

An XZ style attack is a once every few years worst case. You can do harmless things with blobs and harmful things with source.

> I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it.

Do you want Jia Tan to come in and save us from these blobs?

The main maintainer has been on vacation for a while and has only just gotten back online a few days ago.

Regarding the specifically attached binaries. Nearby in these folders (that were last modified years ago) they show how they were built in plain text. The build process already takes 15 to 20 minutes.

There are certainly security considerations when using Ventoy. #135 But becoming Richard Stallman and demanding no binaries at any cost is not very useful.

OboTheHobo commented 7 months ago

> An XZ style attack is a once every few years worst case. You can do harmless things with blobs and harmful things with source.

You're missing the point. No, there's nothing inherently more dangerous about the blobs themselves. The issue is that one can't verify if it's safe or not. Source code can be audited, vulnerabilities discovered. You can't really do that with binary blobs. That's a major part of the open-source ethos.

escape0707 commented 7 months ago

It's been a month. I think the developer should have enough time to respond to both the xz attack and this issue. I really hope to hear some official response.

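It has been a month since the XZ attack, and I think the developer should have had enough time to respond to the problems raised in this issue. I sincerely hope to see an official response from the developer.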

Thanks for developing this useful software.

Thank you for the time and effort you have put into developing this software.

bernardgut commented 5 months ago

So how is this coming?

simon1tan commented 5 months ago

> An XZ style attack is a once every few years worst case. You can do harmless things with blobs and harmful things with source.
>
> > I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it.
>
> Do you want Jia Tan to come in and save us from these blobs?
>
> The main maintainer has been on vacation for a while and has only just gotten back online a few days ago.
>
> Regarding the specifically attached binaries. Nearby in these folders (that were last modified years ago) they show how they were built in plain text. The build process already takes 15 to 20 minutes.
>
> There are certainly security considerations when using Ventoy. #135 But becoming Richard Stallman and demanding no binaries at any cost is not very useful.

I found Jia Tan ^^

sneurlax commented 5 months ago

I would like to volunteer to help. I guess I should get to a-forking, eh?

What's a good place to start?

code959437957 commented 5 months ago

  1. develop software make cost
  2. you cannot blame an OSS developer for such much security reason
  3. we can set up an OSS foundation to support that software development and growth.
  4. Hire more authors to contribute to this project. Pay for their jobs.

no-usernames-left commented 5 months ago

> Regarding the specifically attached binaries. Nearby in these folders (that were last modified years ago) they show how they were built in plain text. The build process already takes 15 to 20 minutes.

Does following the documented process result in blobs which are byte-for-byte identical?

If not, then the directions serve no purpose.

escape0707 commented 5 months ago

> 1. develop software make cost
> 2. you cannot blame an OSS developer for such much security reason
> 3. we can set up an OSS foundation to support that software development and growth.
> 4. Hire more authors to contribute to this project. Pay for their jobs.

You didn't understand it. OP literally said they would like to "do it myself". It's just the developer has a better understanding of their own project and it's better for them to explain the reason why these blobs exist first so that others can contribute. It's not that the community is blaming the developer for not developing a perfect program. It's because the community wants an explanation, and the fact that it never comes after months is frustrating.

catherinedoyel commented 5 months ago

> It's because the community wants an explanation, and the fact that it never comes after months is frustrating.

The three files explicitly mentioned on the original message opening the thread. They have either direct source code / notes referencing where the source code came from in the same folder.

Cryptsetup: https://github.com/ventoy/Ventoy/tree/v1.0.99/cryptsetup
BSD: https://github.com/ventoy/Ventoy/tree/v1.0.99/Unix
Dmsetup: https://github.com/ventoy/Ventoy/tree/v1.0.99/DMSETUP

Until you can point out a binary that has no source/readme next to it there isn't a point in yapping in this thread any more about blobs.

Regarding

> 1. develop software make cost
> 2. you cannot blame an OSS developer for such much security reason
> 3. we can set up an OSS foundation to support that software development and growth.
> 4. Hire more authors to contribute to this project. Pay for their jobs.

I agree, and incentivized funding has been tried. It seemed like very few took up the offer of the "Ventoy Subscription". So it was removed.

https://web.archive.org/web/20230930033229/https://www.ventoy.net/en/doc_subscription.html
https://github.com/ventoy/Ventoy/commit/2be340d2e8db0fa70fb4f132a99dfe8824ede6c8

Now all that remains is generic donation pages. Looking at the publicly viewable Bitcoin donations in total 0.0273 BTC had been received over 3 years. At the current price that equates to $600 a year. (Which has never been spent.) I would have to guess similar amounts have been donated through PayPal, Liberapay, & WeChat. This isn't enough income to quit job and focus on Ventoy development.

The way most of these posts are written, it sounds like you are accusing Longpanda of being like Jia Tan. If anything they are closer to Lasse Collin.

KucharczykL commented 4 months ago

> Until you can point out a binary that has no source/readme next to it there isn't a point in yapping in this thread any more about blobs.

If you look at the linked https://github.com/ventoy/Ventoy/issues/132 and rerun the same commands (with added "grep -v script" to remove executable scripts which are not binary blobs) you get this:

find . -type f -print0 | xargs -0 file | grep -v "ASCII" | grep "executable" | grep -v "script"
Ventoy/BUSYBOX/chmod/vtchmod32:                                                                       ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6064638b7e9c2cd083dd3ab9282f2c93f635c70b, not stripped
Ventoy/BUSYBOX/chmod/vtchmod64:                                                                       ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=b6dc6b695c263ea8417515131d184a33f1777987, not stripped
Ventoy/BUSYBOX/chmod/vtchmod64_musl:                                                                  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/BUSYBOX/chmod/vtchmodaa64:                                                                     ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/BUSYBOX/chmod/vtchmodm64e:                                                                     ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/DMSETUP/dmsetup32:                                                                             ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6d3f888cec25c6c09092a8968d9244021978ab97, stripped
Ventoy/DMSETUP/dmsetup64:                                                                             ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/DMSETUP/dmsetupaa64:                                                                           ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/DMSETUP/dmsetupm64e:                                                                           ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/FUSEISO/vtoy_fuse_iso_32:                                                                      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/FUSEISO/vtoy_fuse_iso_64:                                                                      ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/FUSEISO/vtoy_fuse_iso_aa64:                                                                    ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/busybox/a64:                                                             ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/busybox/vtchmodaa64:                                                     ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/busybox/xzminidecaa64:                                                   ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/tool/lz4cataa64:                                                         ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/tool/zstdcataa64:                                                        ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/busybox/m64:                                                            ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/busybox/vtchmodm64e:                                                    ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/busybox/xzminidecm64e:                                                  ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/tool/lz4catm64e:                                                        ELF 64-bit LSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/64h:                                                               ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/ash:                                                               ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/vtchmod32:                                                         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6064638b7e9c2cd083dd3ab9282f2c93f635c70b, not stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/vtchmod64:                                                         ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=b6dc6b695c263ea8417515131d184a33f1777987, not stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/vtchmod64_musl:                                                    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/xzminidec32:                                                       ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=23b67ba67cdb35d22addd9d0c5a544c8c540e15e, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/xzminidec64:                                                       ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=e7ee6503212fbcbb75c73caa726f8123f1b04282, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/xzminidec64_musl:                                                  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/ar:                                                                   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/inotifyd:                                                             ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/lz4cat:                                                               ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/lz4cat64:                                                             ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/zstdcat:                                                              ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=c35922b16c95c17cf28c85d014256fab67aa54ca, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/zstdcat64:                                                            ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=86d8285467856e17f7837cf6a6302ac5c54b1801, stripped
Ventoy/INSTALL/EFI/BOOT/BOOTAA64.EFI:                                                                 PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/BOOTIA32.EFI:                                                                 PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
Ventoy/INSTALL/EFI/BOOT/BOOTMIPS.EFI:                                                                 PE32+ executable (EFI application) MIPS R4000 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/BOOTX64.EFI:                                                                  PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 10 sections
Ventoy/INSTALL/EFI/BOOT/MokManager.efi:                                                               PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 7 sections
Ventoy/INSTALL/EFI/BOOT/grub.efi:                                                                     PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 7 sections
Ventoy/INSTALL/EFI/BOOT/grubia32.efi:                                                                 PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 7 sections
Ventoy/INSTALL/EFI/BOOT/grubia32_real.efi:                                                            PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/grubx64_real.efi:                                                             PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/mmia32.efi:                                                                   PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 6 sections
Ventoy/INSTALL/Ventoy2Disk.exe:                                                                       PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/INSTALL/Ventoy2Disk_ARM.exe:                                                                   PE32 executable (GUI) ARMv7 Thumb, for MS Windows, 6 sections
Ventoy/INSTALL/Ventoy2Disk_ARM64.exe:                                                                 PE32+ executable (GUI) Aarch64, for MS Windows, 6 sections
Ventoy/INSTALL/Ventoy2Disk_X64.exe:                                                                   PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
Ventoy/INSTALL/VentoyGUI.aarch64:                                                                     ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=755ca11d96d5c472021afff32268dd3d75c3c95f, with debug_info, not stripped
Ventoy/INSTALL/VentoyGUI.i386:                                                                        ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=981b66653589b35c3f966b1d93eff892d75a0d92, not stripped
Ventoy/INSTALL/VentoyGUI.mips64el:                                                                    ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, with debug_info, not stripped
Ventoy/INSTALL/VentoyGUI.x86_64:                                                                      ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=79025f55cc0c88ab787a1596389c0e652f7697ea, not stripped
Ventoy/INSTALL/tool/aarch64/Plugson:                                                                  ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=21915a75b711b542f38c0df00c14a8fa1a199e1c, stripped
Ventoy/INSTALL/tool/aarch64/V2DServer:                                                                ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=9f966188d6690d114d3fe930f7999a1d485d6b8c, stripped
Ventoy/INSTALL/tool/aarch64/Ventoy2Disk.gtk3:                                                         ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=76bb90bca2cd372655aba81d79c78b2003938359, stripped
Ventoy/INSTALL/tool/aarch64/Ventoy2Disk.qt5:                                                          ELF 64-bit LSB executable, ARM aarch64, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=d387dbb5e1a70f6c7e44d1925e4d069dc53ec379, with debug_info, not stripped
Ventoy/INSTALL/tool/aarch64/ash:                                                                      ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/hexdump:                                                                  ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/mkexfatfs:                                                                ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=369804983c3e61db317cafaa846193f1c9d36496, stripped
Ventoy/INSTALL/tool/aarch64/mount.exfat-fuse:                                                         ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=89c87cfdb74b75aac11ff1c30c7fb6bfd65185b1, stripped
Ventoy/INSTALL/tool/aarch64/vlnk:                                                                     ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/vtoycli:                                                                  ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/xzcat:                                                                    ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/i386/Plugson:                                                                     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dde0dccb89cf362e46d6e140e2776face2804691, stripped
Ventoy/INSTALL/tool/i386/V2DServer:                                                                   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0063887c7d75403133837397bb56b080a557bf20, stripped
Ventoy/INSTALL/tool/i386/Ventoy2Disk.gtk2:                                                            ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=488292276e5880270a4a3d44e55a120e2355bfb7, stripped
Ventoy/INSTALL/tool/i386/Ventoy2Disk.gtk3:                                                            ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=b26dc7c057b35b724138cd60a022adfa9b768b18, stripped
Ventoy/INSTALL/tool/i386/Ventoy2Disk.qt5:                                                             ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1059f8c9d096164d3686144e9cff2d9933a2d28c, not stripped
Ventoy/INSTALL/tool/i386/ash:                                                                         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/i386/hexdump:                                                                     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/i386/mkexfatfs:                                                                   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=453067475dcb3ebfbe9118fd9ab6d0310e920aaf, stripped
Ventoy/INSTALL/tool/i386/mount.exfat-fuse:                                                            ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=2abc015964733cd9fb96c552fde04bd2777db3f3, stripped
Ventoy/INSTALL/tool/i386/vlnk:                                                                        ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=3f099a86afbaa096d56bea6dd9d56a8981889378, stripped
Ventoy/INSTALL/tool/i386/vtoycli:                                                                     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6c6908c9a1f6a0f6b487b4eb3ea1b26191f5b362, stripped
Ventoy/INSTALL/tool/i386/xzcat:                                                                       ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/Plugson:                                                                 ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/V2DServer:                                                               ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/Ventoy2Disk.gtk3:                                                        ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/Ventoy2Disk.qt5:                                                         ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, with debug_info, not stripped
Ventoy/INSTALL/tool/mips64el/ash:                                                                     ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/hexdump:                                                                 ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/mkexfatfs:                                                               ELF 64-bit LSB pie executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, BuildID[sha1]=508fab5369120a3c4707454df5c516ea962c1647, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/mount.exfat-fuse:                                                        ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, BuildID[sha1]=450dde6154b74dff444503e150a7ac1f85f709c0, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/vlnk:                                                                    ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/vtoycli:                                                                 ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/xzcat:                                                                   ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/Plugson:                                                                   ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9665da3616f8ad132a625d4004ba674ab6d0ef76, stripped
Ventoy/INSTALL/tool/x86_64/V2DServer:                                                                 ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e2a94f53bbe0274ba2a5285e5bf3e5720c4c00cc, stripped
Ventoy/INSTALL/tool/x86_64/Ventoy2Disk.gtk2:                                                          ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a77656e9f7fe8fb5ba8978388d99113ed0fd1a20, stripped
Ventoy/INSTALL/tool/x86_64/Ventoy2Disk.gtk3:                                                          ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d3ab1d1d67b2d41b7d878e7147e30188e9244e5e, stripped
Ventoy/INSTALL/tool/x86_64/Ventoy2Disk.qt5:                                                           ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=935364d813327806214b8d2edd194496a7dde69d, not stripped
Ventoy/INSTALL/tool/x86_64/ash:                                                                       ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/hexdump:                                                                   ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/mkexfatfs:                                                                 ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=de003a5ae097b4004e6b77e6cd71d2410df7b310, stripped
Ventoy/INSTALL/tool/x86_64/mount.exfat-fuse:                                                          ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=02eed644b421446629c592b31da15b94d9f5c0de, stripped
Ventoy/INSTALL/tool/x86_64/vlnk:                                                                      ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/vtoycli:                                                                   ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/xzcat:                                                                     ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/ventoy/imdisk/32/imdisk.cpl:                                                           PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 4 sections
Ventoy/INSTALL/ventoy/imdisk/32/imdisk.exe:                                                           PE32 executable (console) Intel 80386, for MS Windows, 4 sections
Ventoy/INSTALL/ventoy/imdisk/32/imdisk.sys:                                                           PE32 executable (native) Intel 80386, for MS Windows, 7 sections
Ventoy/INSTALL/ventoy/imdisk/64/imdisk.cpl:                                                           PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 5 sections
Ventoy/INSTALL/ventoy/imdisk/64/imdisk.exe:                                                           PE32+ executable (console) x86-64, for MS Windows, 5 sections
Ventoy/INSTALL/ventoy/imdisk/64/imdisk.sys:                                                           PE32+ executable (native) x86-64, for MS Windows, 7 sections
Ventoy/INSTALL/ventoy/ipxe.krn:                                                                       Linux kernel x86 boot executable bzImage, version 1.0.0+, RO-rootFS,
Ventoy/INSTALL/ventoy/iso9660_aa64.efi:                                                               PE32+ executable (EFI boot service driver) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/iso9660_ia32.efi:                                                               PE32 executable (EFI boot service driver) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/iso9660_x64.efi:                                                                PE32+ executable (EFI boot service driver) x86-64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/memdisk:                                                                        Linux kernel x86 boot executable bzImage, version MEMDISK 6.03 2014-10-06, RW-rootFS,
Ventoy/INSTALL/ventoy/udf_aa64.efi:                                                                   PE32+ executable (EFI boot service driver) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/udf_ia32.efi:                                                                   PE32 executable (EFI boot service driver) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/udf_x64.efi:                                                                    PE32+ executable (EFI boot service driver) x86-64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/ventoy_aa64.efi:                                                                PE32+ executable (EFI application) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/ventoy_ia32.efi:                                                                PE32 executable (EFI application) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/ventoy_x64.efi:                                                                 PE32+ executable (EFI application) x86-64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/vtoyjump32.exe:                                                                 PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/INSTALL/ventoy/vtoyjump64.exe:                                                                 PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
Ventoy/INSTALL/ventoy/vtoyutil_aa64.efi:                                                              PE32+ executable (EFI application) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/vtoyutil_ia32.efi:                                                              PE32 executable (EFI application) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/vtoyutil_x64.efi:                                                               PE32+ executable (EFI application) x86-64, for MS Windows, 3 sections
Ventoy/LZIP/lunzip32:                                                                                 ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=2c1b3b97e7aed54fb0b2872412ba9fc32c0d48c8, stripped
Ventoy/LZIP/lunzip64:                                                                                 ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=0333382234408c1840421dd6a017b4e30acc203e, stripped
Ventoy/LZIP/lunzipaa64:                                                                               ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/LZIP/lz4cat64:                                                                                 ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/LZIP/lz4cataa64:                                                                               ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/LZIP/lz4catm64e:                                                                               ELF 64-bit LSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, stripped
Ventoy/LiveCD/GRUB/bootx64.efi:                                                                       PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/LiveCD/ISO/EFI/boot/vmlinuz64:                                                                 Linux kernel x86 boot executable bzImage, version 5.4.3-tinycore64 (tc@box) #2020 SMP Tue Dec 17 17:38:30 UTC 2019, RO-rootFS, swap_dev 0X4, Normal VGA
Ventoy/LiveCDGUI/EXT/busybox-x86_64:                                                                  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/LiveCDGUI/GRUB/bootx64.efi:                                                                    PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/Plugson/vs/VentoyPlugson/Release/VentoyPlugson.exe:                                            PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/Plugson/vs/VentoyPlugson/x64/Release/VentoyPlugson_X64.exe:                                    PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
Ventoy/SQUASHFS/unsquashfs_32:                                                                        ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=5fa2bcbb051368534632e48651b9c94d165e3fc6, stripped
Ventoy/SQUASHFS/unsquashfs_64:                                                                        ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f47ea4abd04c876baa97a11c70638b2c9241df49, stripped
Ventoy/SQUASHFS/unsquashfs_aa64:                                                                      ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=80a99c6f5078bf1b9f3c891c595000f7029c78cd, stripped
Ventoy/Unix/ventoy_unix/DragonFly/sbin/dmsetup:                                                       ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for DragonFly 5.0.800, stripped
Ventoy/Unix/ventoy_unix/DragonFly/sbin/init:                                                          ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for DragonFly 6.0.0, stripped
Ventoy/VBLADE/vblade-master/vblade_32:                                                                ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec92688e679ddda4e17f259b39ab2b69fb30a8ec, not stripped
Ventoy/VBLADE/vblade-master/vblade_64:                                                                ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2144e0cfa04c8d177ab0b205248d0b2bc9661c8b, not stripped
Ventoy/VBLADE/vblade-master/vblade_aa64:                                                              ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, with debug_info, not stripped
Ventoy/Vlnk/vs/VentoyVlnk/Release/VentoyVlnk.exe:                                                     PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/VtoyTool/vtoytool/00/vtoytool_32:                                                              ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=bcec63a1a3d56a44a3d432665332d237bf4a8197, not stripped
Ventoy/VtoyTool/vtoytool/00/vtoytool_64:                                                              ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=31d8eb60136f024ee1a845cc27fda394438711be, not stripped
Ventoy/VtoyTool/vtoytool/00/vtoytool_aa64:                                                            ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/VtoyTool/vtoytool/00/vtoytool_m64e:                                                            ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/VtoyTool/vtoytool/01/vtoytool_64:                                                              ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
Ventoy/VtoyTool/vtoytool/02/vtoytool_64:                                                              ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
Ventoy/ZSTD/zstdcat:                                                                                  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=c35922b16c95c17cf28c85d014256fab67aa54ca, stripped
Ventoy/ZSTD/zstdcat64:                                                                                ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=86d8285467856e17f7837cf6a6302ac5c54b1801, stripped
Ventoy/ZSTD/zstdcataa64:                                                                              ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/cryptsetup/veritysetup32:                                                                      ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cc8595decd2f37155cf641acbae56c114d439d7f, with debug_info, not stripped
Ventoy/cryptsetup/veritysetup64:                                                                      ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c7cfb96e5880b721dc22ca821676d33941d011eb, stripped

Compare that to this:

find . -type f -iname 'build.txt'
Ventoy/BUSYBOX/build.txt
Ventoy/DMSETUP/build.txt
Ventoy/SQUASHFS/build.txt
Ventoy/ZSTD/build.txt

Not only has the number of binary blobs grown from 39 to 153 but there aren't build instructions for even the original 39 blobs, not to mention today's 153. But even if there was a build.txt for each blob, I daresay nobody is going to manually check 153 individual files once, not to mention regularly and automatically.

bernardgut commented 4 months ago

Yeah this is extremely suspicious. I will recommend any IT companies that I work with to avoid Ventoy until this is cleared. There is a reason why RMS was demanding no binaries at any cost 20 years ago and we have seen why with the XZ attack. Given the current climate "Just Send me More Money And Trust Me Bro" is not an acceptable answer to the person who raised this very valid issue.

Good luck with your project.

xcpn commented 3 months ago

Looks like I'm moving back to Etcher, even for home use.

It's been a long time since this came up, and devs are absent.

TechnologyClassroom commented 3 months ago

I have been following this issue for some time. There is a lot of negativity here in the comments, but not a lot of people volunteering to work on this issue. Passive aggressive comments on GitHub issues are not helpful, do not help to get what you want, and make you look bad in the process. File the pull request you want to see in the world.

KucharczykL commented 3 months ago

How are we supposed to file pull requests to replace closed source blobs when we don't even know how they are built?

TechnologyClassroom commented 3 months ago

How are we supposed to file pull requests to replace closed source blobs when we don't even know how they are built?

Try building one and see if the new binary works as a replacement. If it does, you just updated a dependency. A pull request for building one dependency would be helpful. A list can be found in this above comment and many of those are easy to find.

If the source of one binary cannot be found, create a new issue with a more narrow scope to figure out that piece.

KucharczykL commented 3 months ago

I think you're failing to understand the scope and nature of the problem, and you're mistakenly putting the onus of providing the necessary information on volunteers whereas it should be the author.

Not to mention some of the binaries are things like kernel builds. Good luck trying to guess which options the author enabled.

catherinedoyel commented 3 months ago

How are we supposed to file pull requests to replace closed source blobs when we don't even know how they are built?

In your other post you only searched for build.txt. Some of them have .sh files nearby as well. I was going to list them all a few weeks ago but didn't have the time.

I think you're failing to understand the scope and nature of the problem, and you're mistakenly putting the onus of providing the necessary information on volunteers whereas it should be the author.

Would you like to give it a try? I work more than full time in computer repair, I know a bit of scripting but C & build systems go over my head.

Given the current climate "Just Send me More Money And Trust Me Bro" is not an acceptable answer to the person who raised this very valid issue.

You are not understanding what I meant by that, they attempted to fundraise, very few took them up on the offer. Therefore the maintainer was not incentivized to put huge amounts of time and effort into the project. They attempted to make it more than a hobbyist project.

Since I have been mostly only working on UEFI computers where I work I don't use Ventoy as much as I used to. I have been using the generous partition count provided by GPT partitioning to have memory test, live Linux images, WinPE, & Windows installers all on the same flash drive. The way I do that is that I'd have majority of the drive for the NTFS partition for Windows installer & any programs or drivers I may need to install. Then unallocate 8GB from the end, put on UEFI:NTFS from Rufus onto a 16MB partition since some motherboards do not have or have broken NTFS drivers, use another 16MB for memory test, put on Linux Mint on a 4GB partition, Win10 PE on 3GB partition. This would be a real alternative to saying "I'm just going to use Etcher" since the main draw of Ventoy has always been multiple environments on the same drive.

TechnologyClassroom commented 3 months ago

I think you're failing to understand the scope and nature of the problem, and you're mistakenly putting the onus of providing the necessary information on volunteers whereas it should be the author.

I understand the issue and that is why I was watching the issue for developments. The issue matters. What I found in my inbox was an anti-pattern of people who also think the issue is important passive aggressively demanding free labor without contributing. That behavior is toxic and unhelpful. Help if you want to help. Ask questions if you get stuck. Donate if you can't help with your time.

Edit: Saying you'll donate only if someone does what you want is toxic too. When this issue is closed, there is not a check on whether you followed through. Donate or not, but don't be a jerk to people doing good things on the Internet. I donated $25 today. Here is a link to ways to donate.

Long0x0 commented 3 months ago

I took a quick look at the repo and found most (142/153) of the blobs were built by scripts or documented:

BUSYBOX/chmod/vtchmod32:                        1=BUSYBOX/chmod/build.sh
BUSYBOX/chmod/vtchmod64:                        1
BUSYBOX/chmod/vtchmod64_musl:                   1
BUSYBOX/chmod/vtchmodaa64:                      1
BUSYBOX/chmod/vtchmodm64e:                      1
cryptsetup/veritysetup32:                       2=cryptsetup/cryptsetup-build.txt
cryptsetup/veritysetup64:                       2
DMSETUP/dmsetup32:                              3=DMSETUP/build.txt
DMSETUP/dmsetup64:                              3
DMSETUP/dmsetupaa64:                            3
DMSETUP/dmsetupm64e:                            3
FUSEISO/vtoy_fuse_iso_32:                       4=DOC/BuildVentoyFromSource.txt#4.10
FUSEISO/vtoy_fuse_iso_64:                       4
FUSEISO/vtoy_fuse_iso_aa64:                     5=FUSEISO/build_aarch64.sh
IMG/cpio_arm64/ventoy/busybox/vtchmodaa64:      1
IMG/cpio_arm64/ventoy/busybox/xzminidecaa64:    4#4.15
IMG/cpio_arm64/ventoy/tool/lz4cataa64:          4#5.1
IMG/cpio_arm64/ventoy/tool/zstdcataa64:         6=ZSTD/build.txt
IMG/cpio_mips64/ventoy/busybox/vtchmodm64e:     1
IMG/cpio_mips64/ventoy/busybox/xzminidecm64e:   4#4.15
IMG/cpio_mips64/ventoy/tool/lz4catm64e:         4#5.1
IMG/cpio_x86/ventoy/busybox/64h:                4#4.18
IMG/cpio_x86/ventoy/busybox/ash:                4#5.4
IMG/cpio_x86/ventoy/busybox/vtchmod32:          1
IMG/cpio_x86/ventoy/busybox/vtchmod64:          1
IMG/cpio_x86/ventoy/busybox/vtchmod64_musl:     1
IMG/cpio_x86/ventoy/busybox/xzminidec32:        4#4.15
IMG/cpio_x86/ventoy/busybox/xzminidec64:        4#4.15
IMG/cpio_x86/ventoy/busybox/xzminidec64_musl:   4#4.15
IMG/cpio_x86/ventoy/tool/ar:                    4#5.2
IMG/cpio_x86/ventoy/tool/inotifyd:              4#5.3
IMG/cpio_x86/ventoy/tool/lz4cat:                4#5.1
IMG/cpio_x86/ventoy/tool/lz4cat64:              4#5.1
IMG/cpio_x86/ventoy/tool/zstdcat:               6
IMG/cpio_x86/ventoy/tool/zstdcat64:             6
INSTALL/EFI/BOOT/BOOTAA64.EFI:                  15=GRUB2/buildgrub.sh
INSTALL/EFI/BOOT/BOOTIA32.EFI:                  4#5.10
INSTALL/EFI/BOOT/BOOTMIPS.EFI:                  15
INSTALL/EFI/BOOT/BOOTX64.EFI:                   4#5.10
INSTALL/EFI/BOOT/grubia32_real.efi:             15
INSTALL/EFI/BOOT/grubx64_real.efi:              15
INSTALL/EFI/BOOT/MokManager.efi:                4#5.10
INSTALL/tool/aarch64/ash:                       4#5.4
INSTALL/tool/aarch64/hexdump:                   4#5.7
INSTALL/tool/aarch64/mkexfatfs:                 4#4.9
INSTALL/tool/aarch64/mount.exfat-fuse:          4#4.9
INSTALL/tool/aarch64/Plugson:                   7=Plugson/build.sh
INSTALL/tool/aarch64/V2DServer:                 8=LinuxGUI/build.sh
INSTALL/tool/aarch64/Ventoy2Disk.gtk3:          9=LinuxGUI/build_gtk.sh
INSTALL/tool/aarch64/Ventoy2Disk.qt5:           4#4.3
INSTALL/tool/aarch64/vlnk:                      10=Vlnk/build.sh
INSTALL/tool/aarch64/vtoycli:                   4#4.8
INSTALL/tool/aarch64/xzcat:                     4#5.6
INSTALL/tool/i386/ash:                          4#5.4
INSTALL/tool/i386/hexdump:                      4#5.7
INSTALL/tool/i386/mkexfatfs:                    4#4.9
INSTALL/tool/i386/mount.exfat-fuse:             4#4.9
INSTALL/tool/i386/Plugson:                      7
INSTALL/tool/i386/V2DServer:                    8
INSTALL/tool/i386/Ventoy2Disk.gtk2:             9
INSTALL/tool/i386/Ventoy2Disk.gtk3:             9
INSTALL/tool/i386/Ventoy2Disk.qt5:              11=LinuxGUI/build_qt.sh
INSTALL/tool/i386/vlnk:                         10
INSTALL/tool/i386/vtoycli:                      4#4.8
INSTALL/tool/i386/xzcat:                        4#5.6
INSTALL/tool/mips64el/ash:                      4#5.4
INSTALL/tool/mips64el/hexdump:                  4#5.7
INSTALL/tool/mips64el/mkexfatfs:                4#4.9
INSTALL/tool/mips64el/mount.exfat-fuse:         4#4.9
INSTALL/tool/mips64el/Plugson:                  7
INSTALL/tool/mips64el/V2DServer:                8
INSTALL/tool/mips64el/Ventoy2Disk.gtk3:         9
INSTALL/tool/mips64el/Ventoy2Disk.qt5:          11
INSTALL/tool/mips64el/vlnk:                     10
INSTALL/tool/mips64el/vtoycli:                  4#4.8
INSTALL/tool/mips64el/xzcat:                    4#5.6
INSTALL/tool/x86_64/ash:                        4#5.4
INSTALL/tool/x86_64/hexdump:                    4#5.7
INSTALL/tool/x86_64/mkexfatfs:                  4#4.9
INSTALL/tool/x86_64/mount.exfat-fuse:           4#4.9
INSTALL/tool/x86_64/Plugson:                    7
INSTALL/tool/x86_64/V2DServer:                  8
INSTALL/tool/x86_64/Ventoy2Disk.gtk2:           9
INSTALL/tool/x86_64/Ventoy2Disk.gtk3:           9
INSTALL/tool/x86_64/Ventoy2Disk.qt5:            11
INSTALL/tool/x86_64/vlnk:                       10
INSTALL/tool/x86_64/vtoycli:                    4#4.8
INSTALL/tool/x86_64/xzcat:                      4#5.6
INSTALL/ventoy/imdisk/32/imdisk.cpl:            4#5.8
INSTALL/ventoy/imdisk/32/imdisk.exe:            4#5.8
INSTALL/ventoy/imdisk/32/imdisk.sys:            4#5.8
INSTALL/ventoy/imdisk/64/imdisk.cpl:            4#5.8
INSTALL/ventoy/imdisk/64/imdisk.exe:            4#5.8
INSTALL/ventoy/imdisk/64/imdisk.sys:            4#5.8
INSTALL/ventoy/ipxe.krn:                        4#4.2
INSTALL/ventoy/iso9660_aa64.efi:                4#4.17
INSTALL/ventoy/iso9660_ia32.efi:                4#4.17
INSTALL/ventoy/iso9660_x64.efi:                 4#4.17
INSTALL/ventoy/memdisk:                         4#5.9
INSTALL/ventoy/udf_aa64.efi:                    4#4.17
INSTALL/ventoy/udf_ia32.efi:                    4#4.17
INSTALL/ventoy/udf_x64.efi:                     4#4.17
INSTALL/ventoy/ventoy_aa64.efi:                 4#4.6
INSTALL/ventoy/ventoy_ia32.efi:                 4#4.6
INSTALL/ventoy/ventoy_x64.efi:                  4#4.6
INSTALL/ventoy/vtoyjump32.exe:                  4#4.4
INSTALL/ventoy/vtoyjump64.exe:                  4#4.4
INSTALL/ventoy/vtoyutil_aa64.efi:               4#4.6
INSTALL/ventoy/vtoyutil_ia32.efi:               4#4.6
INSTALL/ventoy/vtoyutil_x64.efi:                4#4.6
INSTALL/Ventoy2Disk.exe:                        4#4.3
INSTALL/Ventoy2Disk_ARM.exe:                    4#4.3
INSTALL/Ventoy2Disk_ARM64.exe:                  4#4.3
INSTALL/Ventoy2Disk_X64.exe:                    4#4.3
INSTALL/VentoyGUI.aarch64:                      9
INSTALL/VentoyGUI.i386:                         9
INSTALL/VentoyGUI.mips64el:                     9
INSTALL/VentoyGUI.x86_64:                       9
LiveCD/ISO/EFI/boot/vmlinuz64:                  12=LiveCD/livecd.sh
LiveCDGUI/EXT/busybox-x86_64:                   13=LiveCDGUI/EXT/README.txt
LZIP/lunzip32:                                  4#5.1
LZIP/lunzip64:                                  4#5.1
LZIP/lunzipaa64:                                4#5.1
LZIP/lz4cat64:                                  4#5.1
LZIP/lz4cataa64:                                4#5.1
LZIP/lz4catm64e:                                4#5.1
Plugson/vs/VentoyPlugson/Release/VentoyPlugson.exe:                 7
Plugson/vs/VentoyPlugson/x64/Release/VentoyPlugson_X64.exe:         7
SQUASHFS/unsquashfs_32:                         4#4.11
SQUASHFS/unsquashfs_64:                         4#4.11
SQUASHFS/unsquashfs_aa64:                       4#4.11
VBLADE/vblade-master/vblade_32:                 4#4.12
VBLADE/vblade-master/vblade_64:                 4#4.12
VBLADE/vblade-master/vblade_aa64:               4#4.12
Vlnk/vs/VentoyVlnk/Release/VentoyVlnk.exe:      14=Vlnk/pack.sh
VtoyTool/vtoytool/00/vtoytool_32:               4#4.7
VtoyTool/vtoytool/00/vtoytool_64:               4#4.7
VtoyTool/vtoytool/00/vtoytool_aa64:             4#4.7
VtoyTool/vtoytool/00/vtoytool_m64e:             4#4.7
ZSTD/zstdcat:                                   6
ZSTD/zstdcat64:                                 6
ZSTD/zstdcataa64:                               6

and these ones were not (11/153):

IMG/cpio_arm64/ventoy/busybox/a64
IMG/cpio_mips64/ventoy/busybox/m64
INSTALL/EFI/BOOT/grub.efi
INSTALL/EFI/BOOT/grubia32.efi
INSTALL/EFI/BOOT/mmia32.efi
LiveCD/GRUB/bootx64.efi
LiveCDGUI/GRUB/bootx64.efi
Unix/ventoy_unix/DragonFly/sbin/dmsetup
Unix/ventoy_unix/DragonFly/sbin/init
VtoyTool/vtoytool/01/vtoytool_64
VtoyTool/vtoytool/02/vtoytool_64

Thrilleratplay commented 3 months ago

I think you're failing to understand the scope and nature of the problem, and you're mistakenly putting the onus of providing the necessary information on volunteers whereas it should be the author.

Not to mention some of the binaries are things like kernel builds. Good luck trying to guess which options the author enabled.

You are not understanding. You are demanding the author fix a problem you have while giving nothing but hostility. Step back and think how you could help. This is an issue that took time to create and will take time to remediate.

As for build flags, does it matter? If you can come close to recreating them, it would take far less time for the author to hand them over than listen to people whine about how they gave the world Ventoy but it isn't enough. If you do not like it, go elsewhere. Fork the project to remove the binary files. Shut up or stand up and help.

KucharczykL commented 3 months ago

I am just a user of Ventoy who agrees that the binary blobs are making the project look less trustworthy. The author can take that criticism as they see fit. I don't demand anyone does anything so you're shouting at imaginary people.

Thrilleratplay commented 3 months ago

@Long0x0 How did you decide what was built by a script or not? Of the list "and these ones were not (11/153)":

IMG/mkcpio.sh

VtoyTool/build.sh

The DragonFlyBSD repo seems to provide the source for two more:

The remaining are UEFI bootloaders that may come from GRUB but I have not verified this

nroach44 commented 3 months ago

I think you're failing to understand the scope and nature of the problem, and you're mistakenly putting the onus of providing the necessary information on volunteers whereas it should be the author. Not to mention some of the binaries are things like kernel builds. Good luck trying to guess which options the author enabled.

You are not understanding. You are demanding the author fix a problem you have while giving nothing but hostility. Step back and think how you could help. This is an issue that took time to create and will take time to remediate.

At the very least GRUB (in LiveCDGUI/GRUB/bootx64.efi, which definitely appears to be at least partially sourceless) is GPL3.

https://github.com/rhboot/grub2/blob/6cac608cbe05b95ec2903897ad19dbd0499ab60d/COPYING#L34

For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

There is no onus on other people or the upstream developers to provide sources for someone else's distribution.

The perceived hostility is likely a result of being ignored. This exact situation plays out time and time again when GPL requests / reminders are ignored.

If they actually engaged in good faith, we could work towards a resolution.

Foxboron commented 3 months ago

The remaining are UEFI bootloaders that may come from GRUB but I have not verified this

It's fairly trivial to confirm this.

https://github.com/ventoy/Ventoy/commit/b11a4999395253331bb3e128f53fdd7f3de79be7

Because ventoy supports shim, and by extension secure boot, these files need to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

λ Downloads » objdump -h ./grub.efi

./grub.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00007c60  0000000000004000  0000000000004000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc        0000000a  000000000000c000  000000000000c000  00008200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         000028b8  000000000000d000  000000000000d000  00008400  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic      00000100  0000000000010000  0000000000010000  0000ae00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela         000011d0  0000000000011000  0000000000011000  0000b000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynsym       000005b8  0000000000013000  0000000000013000  0000c200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .sbat         0000004c  0000000000989680  0000000000989680  0000c800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
λ Downloads » objcopy --dump-section .sbat=/dev/stdout ./grub.efi
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md

For instance, INSTALL/BOOT/BOOTX64.EFI is taken from OpenSUSE.

λ Downloads » sbverify --list ./BOOTX64.EFI
warning: data remaining[827296 vs 953800]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
signature 2
image signature issuers:
 - /CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
image signature certificates:
 - subject: /CN=SUSE Linux Enterprise Secure Boot Signkey/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
   issuer:  /CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de

The LiveCD binaries are just small grub binaries with an embedded config to load a grub.cfg. This is validated by just running strings and seeing the embedded config.

λ Downloads » strings ./bootx64.efi
[SNIP]
search -f /EFI/VentoyLiveCD -s root
configfile ($root)/EFI/boot/grub.cfg
/EFI/boot

Which means they are just trying to load the given grub.cfg found in a parent directory.

It would probably be good to document the origin of the binaries, but you can't remove the bootloader binaries without ruining the Secure Boot support Ventoy relies on as they probably won't get their own bootloaders signed.
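
An added example, not part of the comment above: the `objdump -h` / `objcopy --dump-section .sbat` check done by parsing the PE section table directly, so it can run in CI over every `.efi` file in a tree. The sample image is a constructed, non-bootable skeleton; its second SBAT row and the function names are assumptions made for this illustration.

```python
import csv
import io
import struct

SBAT_FIELDS = ("component", "generation", "vendor", "package", "version", "url")

# First row is the one shown in the thread; the second row is constructed.
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Example Vendor,grub2,2.06,https://example.invalid/grub\n"
)


def pe_sections(data):
    """Return {section name: raw bytes} by walking the PE/COFF section table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    try:
        _machine, count, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
        table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
        sections = {}
        for i in range(count):
            name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from(
                "<8sIIII", data, table + 40 * i)
            # Raw data is padded to file alignment; VirtualSize is the real length.
            size = min(vsize, rawsize) if vsize else rawsize
            if rawptr + size > len(data):
                raise ValueError("section data runs past end of file")
            key = name.rstrip(b"\0").decode("ascii", "replace")
            sections[key] = data[rawptr:rawptr + size]
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return sections


def parse_sbat(raw):
    """Parse the CSV rows of a .sbat section into dictionaries."""
    text = raw.rstrip(b"\0").decode("utf-8")
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if row:
            row += [""] * (len(SBAT_FIELDS) - len(row))
            entries.append(dict(zip(SBAT_FIELDS, row)))
    return entries


def sbat_of(data):
    """Return the SBAT entries of a PE image, or None if it has no .sbat section."""
    sections = pe_sections(data)
    return parse_sbat(sections[".sbat"]) if ".sbat" in sections else None


def build_sample_pe(sbat_text):
    """Constructed, non-bootable PE32+ skeleton: headers, a zeroed .text, and .sbat."""
    def pad(blob, size=0x200):
        return blob + b"\0" * (-len(blob) % size)

    def header(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr,
                           0, 0, 0, 0, flags)

    text, sbat = b"\0" * 16, sbat_text.encode()
    opt = struct.pack("<H", 0x20B) + b"\0" * 238       # PE32+ magic, rest zeroed
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x0022)
    table = (header(b".text", len(text), 0x1000, 0x200, 0x200, 0x60000020)
             + header(b".sbat", len(sbat), 0x2000, len(pad(sbat)), 0x400, 0x40000040))
    return pad(dos + coff + opt + table) + pad(text) + pad(sbat)


if __name__ == "__main__":
    for entry in sbat_of(build_sample_pe(SAMPLE_SBAT)):
        print(entry["component"], entry["generation"], entry["vendor"], entry["url"])
```

SBAT is metadata the binary declares about itself; the signature chain listed by `sbverify` is what ties a file to a distribution's key.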

antiufo commented 3 months ago

Even just adding a bash script that wgets the prebuilt binaries from reasonably trusted sources (Debian, Microsoft...) would do a lot to improve confidence in this project.

nehemiagurl commented 3 months ago

@ventoy I know FOSS maintenance is hard and thankless work without much funding. and I'm sure this thread has caused you a big headache. I love ventoy and I wouldn't want you to burn out. I'd love to give money to support this project.

but I have to first know I can trust you. I promise that as soon as this gets satisfyingly fixed and the worries come down, I'm becoming a regular financial contributor. and I'm sure many in the thread will do the same. but please. you have to demonstrate we can trust this project.

sneurlax commented 3 months ago

> @ventoy I know FOSS maintenance is hard and thankless work without much funding. and I'm sure this thread has caused you a big headache. I love ventoy and I wouldn't want you to burn out. I'd love to give money to support this project.
>
> but I have to first know I can trust you. I promise that as soon as this gets satisfyingly fixed and the worries come down, I'm becoming a regular financial contributor. and I'm sure many in the thread will do the same. but please. you have to demonstrate we can trust this project.

but software takes work, therefore it's not

> as soon as this gets satisfyingly fixed and the worries come down, I'm becoming a regular financial contributor.

it's

as soon as I become a regular financial contributor, this gets satisfyingly fixed and the worries come down.

as other commenters have pointed out, the author provided a way to fund this project and it failed to be funded, so these promises are empty.

if you're here complaining, make a PR instead

nehemiagurl commented 3 months ago

> if you're here complaining, make a PR instead

not a developer, I don't know how to code. I offered what I can give, which is my money, but glad to know that for you the only assistance that counts for you is the one I can't give. I think the maintainer will be glad to know that despite your advice that I give nothing, I will continue with my plan to contribute cash once I can be relatively assured I'm not giving money to Jia Tan.

TomaszGasior commented 3 months ago

Stop that discussion. People here are subscribed to get to know about what is happening to fix the issue. Your personal opinions about money and making PRs and FOSS contributions — all of it doesn't matter.

If you don't have anything useful for fixing the issue to add here — don't write comments. Thank you.

Long0x0 commented 3 months ago

@Thrilleratplay

It seems that IMG/mkcpio.sh does not generate a64 and m64 directly. But they are the same files as INSTALL/tool/aarch64/ash and INSTALL/tool/mips64el/ash by comparing the hashes, and come from busybox.

And VtoyTool/build.sh only generates VtoyTool/vtoytool/00/**.
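The hash comparison described in the comment above, generalized to whole directory trees, as an added example that is not part of the original comment or of the Ventoy repository. The function names and the `UNMATCHED` marker are assumptions; the two arguments are a directory of blobs of unknown origin and a reference directory of files with known provenance.

```shell
#!/bin/sh
# Added example, not Ventoy's own tooling: attribute blobs of unknown origin
# by matching their SHA-256 against a tree whose provenance is known.

# Print "<sha256><TAB><path>" for every regular file under directory $1.
hash_tree() {
    find "$1" -type f -exec sha256sum {} + |
        awk '{ print $1 "\t" substr($0, 67) }'   # 64 hex chars + 2 separators
}

# match_blobs <unknown_dir> <reference_dir>
# For each file under <unknown_dir> print "<path><TAB><reference path>", or
# "<path><TAB>UNMATCHED" when no reference file has the same content.
# Paths containing tabs or newlines are not supported.
match_blobs() (
    ref=$(mktemp) || exit 1
    hash_tree "$2" > "$ref"
    hash_tree "$1" | awk -F '\t' -v ref="$ref" '
        BEGIN {
            # Load the reference hashes first; an empty reference tree simply
            # leaves the table empty, so every blob is reported UNMATCHED.
            while ((getline line < ref) > 0) {
                split(line, f, "\t")
                if (!(f[1] in known)) known[f[1]] = f[2]
            }
        }
        { print $2 "\t" (($1 in known) ? known[$1] : "UNMATCHED") }
    ' | LC_ALL=C sort
    rm -f "$ref"
)

# Usage: sh match_blobs.sh <unknown_dir> <reference_dir>
if [ "$#" -eq 2 ]; then match_blobs "$1" "$2"; fi
```

A match shows only that two files are byte-identical; the reference file still has to be traced to a source or a distribution package.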

Toolybird commented 3 months ago

Hi folks, I am the author and maintainer of the Arch Linux AUR PKGBUILD which attempts to build most of Ventoy from source. This means I am very well placed to know about the origin of every single file in the package. Inside the PKGBUILD I have documented everything I can to the best of my ability.

Honestly, the amount of FUD (and even racism!) in this thread is really quite disgraceful.

It's true that the build system is a mess. It's basically a bunch of shell scripts all strung together. It's like @ventoy has never heard of a Makefile :)

Anyway, my take on the whole situation is that the Ventoy author is an honourable person. Of course, I cannot be 100% certain, but I firmly believe there are no backdoors or anything dodgy going on here. Everyone needs to chill out a bit.

I'd be willing to help @ventoy try and get a proper build system going. I have proved that we don't need to rely on CentOS 7 as a build environment.

sneurlax commented 3 months ago

Feel free to tag me if there are any tasks which would be well-suited to an experienced coder that's nonetheless new to this codebase. Active Ventoy user and programmer looking to contribute back :wave:

onnyyonn commented 3 months ago

@Toolybird AUR user here. Thank you for maintaining it. I skimmed through your PKGBUILD, and made a list of binaries that are not built from source. Please correct me if I made any mistakes or omitted something.

The following binaries are downloaded from 3rd party:

The following binaries are taken from Ventoy repo. Some of them can potentially be downloaded from 3rd party directly. But sources are not known for a few others:

Would you say this is correct?

purpleidea commented 3 months ago

It's a bit of a shameless plug, but I've built an alternative and fully transparent way to provision machines. More distro support patches are needed though, but it's awesome to use. Details here: https://purpleidea.com/blog/2024/03/27/a-new-provisioning-tool/ It's part of the https://github.com/purpleidea/mgmt/ project.

robertkirkman commented 3 months ago

> It's a bit of a shameless plug, but I've built an alternative and fully transparent way to provision machines. More distro support patches are needed though, but it's awesome to use. Details here: https://purpleidea.com/blog/2024/03/27/a-new-provisioning-tool/ It's part of the https://github.com/purpleidea/mgmt/ project.

useful idea however it appears that your project has a hard dependency on the device having PXE-over-ethernet boot support which is not guaranteed and is not the target use case for Ventoy.

haha-689 commented 3 months ago

> It's a bit of a shameless plug, but I've built an alternative and fully transparent way to provision machines. More distro support patches are needed though, but it's awesome to use. Details here: https://purpleidea.com/blog/2024/03/27/a-new-provisioning-tool/ It's part of the https://github.com/purpleidea/mgmt/ project.

It's still a cool and useful tool, don't take the dislikes personally.

purpleidea commented 3 months ago

> > It's a bit of a shameless plug, but I've built an alternative and fully transparent way to provision machines. More distro support patches are needed though, but it's awesome to use. Details here: https://purpleidea.com/blog/2024/03/27/a-new-provisioning-tool/ It's part of the https://github.com/purpleidea/mgmt/ project.
>
> useful idea however it appears that your project has a hard dependency on the device having PXE-over-ethernet boot support which is not guaranteed and is not the target use case for Ventoy.

You can use an IPXE or netboot.xyz USB stick to kick it off for any machine that doesn't have built-in PXE/netboot support.

digitalspaceport commented 3 months ago

Thanks for derailing the topic @purpleidea. It is really not helpful to the issue at hand with Ventoy. This is a poor choice of timing to get into marketing. Before you respond to this, maybe don't and instead consider deleting your posts. Just a suggestion.

Thanks for the generous offers of time and skill to help bring Ventoy builds to a verifiable rebuildable state @Toolybird, as an AUR user also I find @onnyyonn's findings very interesting. Also thanks to all the many others who are commenting on the issue at hand and offering time and skills to rectify the issue and get Ventoy back to being a tool we can all trust implicitly.

ghost commented 3 months ago

I got windows w/ ventoy and it was very slow for me, then I switched with linux still using ventoy and it was faster, did the malware make my windows install w ventoy bad to force me to use linux?

Lucy-dot-dot commented 3 months ago

@RishiSlop this issue does not mean that ventoy contains a virus. It also doesn't mean that it doesn't; it means we don't know and we can't really check for ourselves fully at the moment. If Windows feels slow that's probably a driver issue. Also we don't know if you used an official Windows image or slimmed down (tiny11 or similar) which can have issues. Your issue is unlikely to be caused directly by ventoy or the unchecked binaries in the repo. If you believe Ventoy is the cause, burn the image with rufus and try again

EDIT: Fixed typo

grepwood commented 3 months ago

Windows is the malware.

Joseph-DiGiovanni commented 2 months ago

Can someone outline what exactly needs to be done to eliminate these blobs? My understanding is while there are many precompiled binaries only a few exist with zero source or even so much as a brief explanation of their origin/build process.

If that understanding is correct after this much time the project should absolutely be treated as malware until someone can at least be bothered to officially explain the origin of these binaries.

grepwood commented 2 months ago

> Can someone outline what exactly needs to be done to eliminate these blobs?

On Linux, use the versions of those blobs that are provided by the distribution's package manager.

On Windows, let them eat cake.