[issue]: Remove BLOBs from the source tree #2795
Comments
Hear hear! |
For those that are not familiar with the xz-utils backdoor, here is the original email sent by Andres Freund who discovered the backdoor: |
Ventoy is in a quite unique position to be the target of state and non-state adversaries as malware and exploits could not only target certain installations or distros but the whole user base. In the face of headlines about Linux desktop percentages Ventoy could attract focus in search for new vectors. |
I fully agree, I use this not just at home but work too! |
Don't get your hopes up; this has been an issue for a very long time. Use something else! |
Regardless of recent events, this should be addressed. Ventoy is an excellent concept and pretty solid execution, but security should be a critical focus. If the developer does or does not want to address this, hopefully some community members can contribute to alleviate this as a concern. For now I think it is a good idea to not use Ventoy myself. |
An XZ style attack is a once every few years worst case.
Do you want Jia Tan to come in and save us from these blobs? The main maintainer has been on vacation for a while and has only just gotten back online a few days ago. Regarding the specifically attached binaries. There are certainly security considerations when using Ventoy. #135 |
You're missing the point. No, there's nothing inherently more dangerous about the blobs themselves. The issue is that one can't verify if it's safe or not. Source code can be audited, vulnerabilities discovered. You can't really do that with binary blobs. That's a major part of the open-source ethos. |
It's been a month. I think the developer should have enough time to respond to both the xz attack and this issue. I really hope to hear some official response. Thanks for developing this useful software. |
So how is this coming? |
I found Jia Tan ^^ |
I would like to volunteer to help. I guess I should get to a-forking, eh? What's a good place to start? |
|
Does following the documented process result in blobs which are byte-for-byte identical? If not, then the directions serve no purpose. |
You didn't understand it. OP literally said they would like to "do it myself". It's just the developer has a better understanding of their own project and it's better for them to explain the reason why these blobs exist first so that others can contribute. It's not that the community is blaming the developer for not developing a perfect program. It's because the community wants an explanation, and the fact that it never comes after months is frustrating. |
The three files explicitly mentioned on the original message opening the thread. Cryptsetup: https://github.com/ventoy/Ventoy/tree/v1.0.99/cryptsetup Until you can point out a binary that has no source/readme next to it there isn't a point in yapping in this thread any more about blobs. Regarding
I agree, and incentivized funding has been tried. It seemed like very few took up the offer of the "Ventoy Subscription". So it was removed. Now all that remains is generic donation pages. The way most of these posts are written, it sounds like you are accusing Longpanda of being like Jia Tan. |
If you look at the linked #132 and rerun the same commands (with added "grep -v script" to remove executable scripts which are not binary blobs) you get this:
find . -type f -print0 | xargs -0 file | grep -v "ASCII" | grep "executable" | grep -v "script"
Ventoy/BUSYBOX/chmod/vtchmod32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6064638b7e9c2cd083dd3ab9282f2c93f635c70b, not stripped
Ventoy/BUSYBOX/chmod/vtchmod64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=b6dc6b695c263ea8417515131d184a33f1777987, not stripped
Ventoy/BUSYBOX/chmod/vtchmod64_musl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/BUSYBOX/chmod/vtchmodaa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/BUSYBOX/chmod/vtchmodm64e: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/DMSETUP/dmsetup32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6d3f888cec25c6c09092a8968d9244021978ab97, stripped
Ventoy/DMSETUP/dmsetup64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/DMSETUP/dmsetupaa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/DMSETUP/dmsetupm64e: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/FUSEISO/vtoy_fuse_iso_32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/FUSEISO/vtoy_fuse_iso_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/FUSEISO/vtoy_fuse_iso_aa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/busybox/a64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/busybox/vtchmodaa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/busybox/xzminidecaa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/tool/lz4cataa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_arm64/ventoy/tool/zstdcataa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/busybox/m64: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/busybox/vtchmodm64e: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/busybox/xzminidecm64e: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_mips64/ventoy/tool/lz4catm64e: ELF 64-bit LSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/64h: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/ash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/vtchmod32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6064638b7e9c2cd083dd3ab9282f2c93f635c70b, not stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/vtchmod64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=b6dc6b695c263ea8417515131d184a33f1777987, not stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/vtchmod64_musl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/xzminidec32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=23b67ba67cdb35d22addd9d0c5a544c8c540e15e, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/xzminidec64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=e7ee6503212fbcbb75c73caa726f8123f1b04282, stripped
Ventoy/IMG/cpio_x86/ventoy/busybox/xzminidec64_musl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/ar: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/inotifyd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/lz4cat: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/lz4cat64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/zstdcat: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=c35922b16c95c17cf28c85d014256fab67aa54ca, stripped
Ventoy/IMG/cpio_x86/ventoy/tool/zstdcat64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=86d8285467856e17f7837cf6a6302ac5c54b1801, stripped
Ventoy/INSTALL/EFI/BOOT/BOOTAA64.EFI: PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/BOOTIA32.EFI: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
Ventoy/INSTALL/EFI/BOOT/BOOTMIPS.EFI: PE32+ executable (EFI application) MIPS R4000 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/BOOTX64.EFI: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 10 sections
Ventoy/INSTALL/EFI/BOOT/MokManager.efi: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 7 sections
Ventoy/INSTALL/EFI/BOOT/grub.efi: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 7 sections
Ventoy/INSTALL/EFI/BOOT/grubia32.efi: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 7 sections
Ventoy/INSTALL/EFI/BOOT/grubia32_real.efi: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/grubx64_real.efi: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/INSTALL/EFI/BOOT/mmia32.efi: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows, 6 sections
Ventoy/INSTALL/Ventoy2Disk.exe: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/INSTALL/Ventoy2Disk_ARM.exe: PE32 executable (GUI) ARMv7 Thumb, for MS Windows, 6 sections
Ventoy/INSTALL/Ventoy2Disk_ARM64.exe: PE32+ executable (GUI) Aarch64, for MS Windows, 6 sections
Ventoy/INSTALL/Ventoy2Disk_X64.exe: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
Ventoy/INSTALL/VentoyGUI.aarch64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=755ca11d96d5c472021afff32268dd3d75c3c95f, with debug_info, not stripped
Ventoy/INSTALL/VentoyGUI.i386: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=981b66653589b35c3f966b1d93eff892d75a0d92, not stripped
Ventoy/INSTALL/VentoyGUI.mips64el: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, with debug_info, not stripped
Ventoy/INSTALL/VentoyGUI.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=79025f55cc0c88ab787a1596389c0e652f7697ea, not stripped
Ventoy/INSTALL/tool/aarch64/Plugson: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=21915a75b711b542f38c0df00c14a8fa1a199e1c, stripped
Ventoy/INSTALL/tool/aarch64/V2DServer: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=9f966188d6690d114d3fe930f7999a1d485d6b8c, stripped
Ventoy/INSTALL/tool/aarch64/Ventoy2Disk.gtk3: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=76bb90bca2cd372655aba81d79c78b2003938359, stripped
Ventoy/INSTALL/tool/aarch64/Ventoy2Disk.qt5: ELF 64-bit LSB executable, ARM aarch64, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=d387dbb5e1a70f6c7e44d1925e4d069dc53ec379, with debug_info, not stripped
Ventoy/INSTALL/tool/aarch64/ash: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/hexdump: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/mkexfatfs: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=369804983c3e61db317cafaa846193f1c9d36496, stripped
Ventoy/INSTALL/tool/aarch64/mount.exfat-fuse: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=89c87cfdb74b75aac11ff1c30c7fb6bfd65185b1, stripped
Ventoy/INSTALL/tool/aarch64/vlnk: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/vtoycli: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/aarch64/xzcat: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/i386/Plugson: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=dde0dccb89cf362e46d6e140e2776face2804691, stripped
Ventoy/INSTALL/tool/i386/V2DServer: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0063887c7d75403133837397bb56b080a557bf20, stripped
Ventoy/INSTALL/tool/i386/Ventoy2Disk.gtk2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=488292276e5880270a4a3d44e55a120e2355bfb7, stripped
Ventoy/INSTALL/tool/i386/Ventoy2Disk.gtk3: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=b26dc7c057b35b724138cd60a022adfa9b768b18, stripped
Ventoy/INSTALL/tool/i386/Ventoy2Disk.qt5: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1059f8c9d096164d3686144e9cff2d9933a2d28c, not stripped
Ventoy/INSTALL/tool/i386/ash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/i386/hexdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/i386/mkexfatfs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=453067475dcb3ebfbe9118fd9ab6d0310e920aaf, stripped
Ventoy/INSTALL/tool/i386/mount.exfat-fuse: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=2abc015964733cd9fb96c552fde04bd2777db3f3, stripped
Ventoy/INSTALL/tool/i386/vlnk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=3f099a86afbaa096d56bea6dd9d56a8981889378, stripped
Ventoy/INSTALL/tool/i386/vtoycli: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=6c6908c9a1f6a0f6b487b4eb3ea1b26191f5b362, stripped
Ventoy/INSTALL/tool/i386/xzcat: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/Plugson: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/V2DServer: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/Ventoy2Disk.gtk3: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/Ventoy2Disk.qt5: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, for GNU/Linux 3.2.0, with debug_info, not stripped
Ventoy/INSTALL/tool/mips64el/ash: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/hexdump: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/mkexfatfs: ELF 64-bit LSB pie executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, BuildID[sha1]=508fab5369120a3c4707454df5c516ea962c1647, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/mount.exfat-fuse: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, BuildID[sha1]=450dde6154b74dff444503e150a7ac1f85f709c0, for GNU/Linux 3.2.0, stripped
Ventoy/INSTALL/tool/mips64el/vlnk: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/vtoycli: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/mips64el/xzcat: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/Plugson: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9665da3616f8ad132a625d4004ba674ab6d0ef76, stripped
Ventoy/INSTALL/tool/x86_64/V2DServer: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e2a94f53bbe0274ba2a5285e5bf3e5720c4c00cc, stripped
Ventoy/INSTALL/tool/x86_64/Ventoy2Disk.gtk2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a77656e9f7fe8fb5ba8978388d99113ed0fd1a20, stripped
Ventoy/INSTALL/tool/x86_64/Ventoy2Disk.gtk3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d3ab1d1d67b2d41b7d878e7147e30188e9244e5e, stripped
Ventoy/INSTALL/tool/x86_64/Ventoy2Disk.qt5: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=935364d813327806214b8d2edd194496a7dde69d, not stripped
Ventoy/INSTALL/tool/x86_64/ash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/hexdump: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/mkexfatfs: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=de003a5ae097b4004e6b77e6cd71d2410df7b310, stripped
Ventoy/INSTALL/tool/x86_64/mount.exfat-fuse: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=02eed644b421446629c592b31da15b94d9f5c0de, stripped
Ventoy/INSTALL/tool/x86_64/vlnk: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/vtoycli: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/tool/x86_64/xzcat: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/INSTALL/ventoy/imdisk/32/imdisk.cpl: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 4 sections
Ventoy/INSTALL/ventoy/imdisk/32/imdisk.exe: PE32 executable (console) Intel 80386, for MS Windows, 4 sections
Ventoy/INSTALL/ventoy/imdisk/32/imdisk.sys: PE32 executable (native) Intel 80386, for MS Windows, 7 sections
Ventoy/INSTALL/ventoy/imdisk/64/imdisk.cpl: PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 5 sections
Ventoy/INSTALL/ventoy/imdisk/64/imdisk.exe: PE32+ executable (console) x86-64, for MS Windows, 5 sections
Ventoy/INSTALL/ventoy/imdisk/64/imdisk.sys: PE32+ executable (native) x86-64, for MS Windows, 7 sections
Ventoy/INSTALL/ventoy/ipxe.krn: Linux kernel x86 boot executable bzImage, version 1.0.0+, RO-rootFS,
Ventoy/INSTALL/ventoy/iso9660_aa64.efi: PE32+ executable (EFI boot service driver) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/iso9660_ia32.efi: PE32 executable (EFI boot service driver) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/iso9660_x64.efi: PE32+ executable (EFI boot service driver) x86-64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/memdisk: Linux kernel x86 boot executable bzImage, version MEMDISK 6.03 2014-10-06, RW-rootFS,
Ventoy/INSTALL/ventoy/udf_aa64.efi: PE32+ executable (EFI boot service driver) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/udf_ia32.efi: PE32 executable (EFI boot service driver) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/udf_x64.efi: PE32+ executable (EFI boot service driver) x86-64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/ventoy_aa64.efi: PE32+ executable (EFI application) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/ventoy_ia32.efi: PE32 executable (EFI application) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/ventoy_x64.efi: PE32+ executable (EFI application) x86-64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/vtoyjump32.exe: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/INSTALL/ventoy/vtoyjump64.exe: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
Ventoy/INSTALL/ventoy/vtoyutil_aa64.efi: PE32+ executable (EFI application) Aarch64, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/vtoyutil_ia32.efi: PE32 executable (EFI application) Intel 80386, for MS Windows, 3 sections
Ventoy/INSTALL/ventoy/vtoyutil_x64.efi: PE32+ executable (EFI application) x86-64, for MS Windows, 3 sections
Ventoy/LZIP/lunzip32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=2c1b3b97e7aed54fb0b2872412ba9fc32c0d48c8, stripped
Ventoy/LZIP/lunzip64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=0333382234408c1840421dd6a017b4e30acc203e, stripped
Ventoy/LZIP/lunzipaa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/LZIP/lz4cat64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/LZIP/lz4cataa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/LZIP/lz4catm64e: ELF 64-bit LSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, stripped
Ventoy/LiveCD/GRUB/bootx64.efi: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/LiveCD/ISO/EFI/boot/vmlinuz64: Linux kernel x86 boot executable bzImage, version 5.4.3-tinycore64 (tc@box) #2020 SMP Tue Dec 17 17:38:30 UTC 2019, RO-rootFS, swap_dev 0X4, Normal VGA
Ventoy/LiveCDGUI/EXT/busybox-x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Ventoy/LiveCDGUI/GRUB/bootx64.efi: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows, 4 sections
Ventoy/Plugson/vs/VentoyPlugson/Release/VentoyPlugson.exe: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/Plugson/vs/VentoyPlugson/x64/Release/VentoyPlugson_X64.exe: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
Ventoy/SQUASHFS/unsquashfs_32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=5fa2bcbb051368534632e48651b9c94d165e3fc6, stripped
Ventoy/SQUASHFS/unsquashfs_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f47ea4abd04c876baa97a11c70638b2c9241df49, stripped
Ventoy/SQUASHFS/unsquashfs_aa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=80a99c6f5078bf1b9f3c891c595000f7029c78cd, stripped
Ventoy/Unix/ventoy_unix/DragonFly/sbin/dmsetup: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for DragonFly 5.0.800, stripped
Ventoy/Unix/ventoy_unix/DragonFly/sbin/init: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for DragonFly 6.0.0, stripped
Ventoy/VBLADE/vblade-master/vblade_32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec92688e679ddda4e17f259b39ab2b69fb30a8ec, not stripped
Ventoy/VBLADE/vblade-master/vblade_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2144e0cfa04c8d177ab0b205248d0b2bc9661c8b, not stripped
Ventoy/VBLADE/vblade-master/vblade_aa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, with debug_info, not stripped
Ventoy/Vlnk/vs/VentoyVlnk/Release/VentoyVlnk.exe: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Ventoy/VtoyTool/vtoytool/00/vtoytool_32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=bcec63a1a3d56a44a3d432665332d237bf4a8197, not stripped
Ventoy/VtoyTool/vtoytool/00/vtoytool_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=31d8eb60136f024ee1a845cc27fda394438711be, not stripped
Ventoy/VtoyTool/vtoytool/00/vtoytool_aa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/VtoyTool/vtoytool/00/vtoytool_m64e: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), statically linked, stripped
Ventoy/VtoyTool/vtoytool/01/vtoytool_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
Ventoy/VtoyTool/vtoytool/02/vtoytool_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
Ventoy/ZSTD/zstdcat: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=c35922b16c95c17cf28c85d014256fab67aa54ca, stripped
Ventoy/ZSTD/zstdcat64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=86d8285467856e17f7837cf6a6302ac5c54b1801, stripped
Ventoy/ZSTD/zstdcataa64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Ventoy/cryptsetup/veritysetup32: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cc8595decd2f37155cf641acbae56c114d439d7f, with debug_info, not stripped
Ventoy/cryptsetup/veritysetup64: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c7cfb96e5880b721dc22ca821676d33941d011eb, stripped
Compare that to this:
find . -type f -iname 'build.txt'
Ventoy/BUSYBOX/build.txt
Ventoy/DMSETUP/build.txt
Ventoy/SQUASHFS/build.txt
Ventoy/ZSTD/build.txt
Not only has the number of binary blobs grown from 39 to 153 but there aren't build instructions for even the original 39 blobs, not to mention today's 153. |
Yeah this is extremely suspicious. I will recommend any IT companies that I work with to avoid Ventoy until this is cleared. There is a reason why RMS was demanding no binaries at any cost 20 years ago and we have seen why with the XZ attack. Given the current climate "Just Send me More Money And Trust Me Bro" is not an acceptable answer to the person who raised this very valid issue. Good luck with your project. |
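The inventory in the comment above can be scripted. The following is an added example, not code from the thread or from the Ventoy project: it detects ELF/PE files by magic bytes instead of `file`, counts copies of one binary once, and lists directories that hold blobs but no build notes. Treating a `build.txt` or `*.sh` in the same directory as build notes is an assumption, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): inventory executable blobs in
# a source tree and flag the directories that carry no build notes.
# File names containing newlines are not handled.

# Print "elf" or "pe" for a file, judged by its first bytes; else nothing.
blob_kind() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        4d5a*)    echo pe ;;    # MZ header: .exe, .dll, .sys, .efi
    esac
}

# List every ELF/PE file under $1 as "kind<TAB>path", sorted by path.
list_blobs() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        kind=$(blob_kind "$f")
        if [ -n "$kind" ]; then printf '%s\t%s\n' "$kind" "$f"; fi
    done
}

# Count distinct blobs under $1 by SHA-256, so that one binary committed
# in several directories is counted once.
distinct_blob_count() {
    list_blobs "$1" | cut -f2- | while IFS= read -r f; do
        sha256sum "$f" | cut -d' ' -f1
    done | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# Assumption: a build.txt (any case) or a *.sh script in the same
# directory counts as build notes for the blobs in that directory.
has_build_notes() {
    [ -n "$(find "$1" -maxdepth 1 -type f \( -iname 'build.txt' -o -name '*.sh' \))" ]
}

# Print "count<TAB>dir" for each directory under $1 that holds blobs but
# no build notes.
undocumented_blob_dirs() {
    list_blobs "$1" | cut -f2- | while IFS= read -r f; do dirname "$f"; done |
        LC_ALL=C sort | uniq -c | while read -r n d; do
            if ! has_build_notes "$d"; then printf '%s\t%s\n' "$n" "$d"; fi
        done
}

# Constructed sample tree (not Ventoy's real contents) for a dry run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/ZSTD" "$t/LZIP" "$t/IMG/tool" "$t/INSTALL"
    printf '\177ELF\002\001\001zstd' > "$t/ZSTD/zstdcat64"
    printf 'steps to rebuild\n'      > "$t/ZSTD/build.txt"
    printf '\177ELF\002\001\001lz4'  > "$t/LZIP/lz4cat64"
    cp "$t/ZSTD/zstdcat64" "$t/IMG/tool/zstdcat64"   # same blob, second copy
    printf 'MZ\220\003pe'            > "$t/INSTALL/Ventoy2Disk.exe"
    printf '#!/bin/sh\necho hi\n'    > "$t/INSTALL/Ventoy2Disk.sh"
    echo "$t"
}

# Audit the directory given as $1, or the sample tree when none is given.
root=${1:-$(make_sample_tree)}
echo "blobs: $(list_blobs "$root" | wc -l | tr -d ' ')," \
     "distinct: $(distinct_blob_count "$root")"
echo "directories with blobs but no build notes:"
undocumented_blob_dirs "$root"
```

Run it from the repository root with the tree as the first argument; a directory that only holds copies of blobs built elsewhere will still be listed, which is the point at which a per-blob provenance note is needed.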
Looks like I'm moving back to Etcher, even for home use. It's been a long time since this came up, and devs are absent. |
I have been following this issue for some time. There is a lot of negativity here in the comments, but not a lot of people volunteering to work on this issue. Passive aggressive comments on GitHub issues are not helpful, do not help to get what you want, and make you look bad in the process. File the pull request you want to see in the world. |
How are we supposed to file pull requests to replace closed source blobs when we don't even know how they are built? |
Try building one and see if the new binary works as a replacement. If it does, you just updated a dependency. A pull request for building one dependency would be helpful. A list can be found in this above comment and many of those are easy to find. If the source of one binary cannot be found, create a new issue with a more narrow scope to figure out that piece. |
I think you're failing to understand the scope and nature of the problem, and you're mistakenly putting the onus of providing the necessary information on volunteers whereas it should be on the author. Not to mention some of the binaries are things like kernel builds. Good luck trying to guess which options the author enabled. |
In your other post you only searched for build.txt; some of them have .sh files nearby as well.
Would you like to give it a try? I work more than full time in computer repair, I know a bit of scripting but C & build systems go over my head.
You are not understanding what I meant by that, they attempted to fund raise, very few took them up on the offer. Therefore the maintainer was not incentivized to put huge amounts of time and effort into the project. They attempted to make it more than a hobbyist project. Since I have been mostly only working on UEFI computers where I work I don't use Ventoy as much as I used to. I have been using the generous partition count provided by GPT partitioning to have, memory test, live Linux images, WinPE, & Windows installers all on the same flash drive. |
I understand the issue and that is why I was watching the issue for developments. The issue matters. What I found in my inbox was an anti-pattern of people who also think the issue is important passive aggressively demanding free labor without contributing. That behavior is toxic and unhelpful. Help if you want to help. Ask questions if you get stuck. Donate if you can't help with your time. Edit: Saying you'll donate only if someone does what you want is toxic too. When this issue is closed, there is not a check on whether you followed through. Donate or not, but don't be a jerk to people doing good things on the Internet. I donated $25 today. Here is a link to ways to donate. |
I took a quick look at the repo and found most (142/153) of the blobs were built by scripts or documented:
and these ones were not (11/153):
|
You are not understanding. You are demanding the author fix a problem you have while giving nothing but hostility. Step back and think how could you help. This is an issue that took time to create and will take time to remediate.
As for build flags, does it matter? If you can come close to recreating them, it would take far less time for the author to hand them over than listen to people whine about how they gave the world Ventoy but it isn't enough. If you do not like it, go elsewhere. Fork the project to remove the binary files. Shut up or stand up and help. |
I am just a user of Ventoy who agrees that the binary blobs are making the project look less trustworthy. The author can take that criticism as they see fit. I don't demand anyone does anything so you're shouting at imaginary people. |
You can use an IPXE or netboot.xyz USB stick to kick it off for any machine that doesn't have built-in PXE/netboot support. |
Thanks for derailing the topic @purpleidea. It is really not helpful to the issue at hand with Ventoy. This is a poor choice of timing to get into marketing. Before you respond to this, maybe don't and instead consider deleting your posts. Just a suggestion. Thanks for the generous offers of time and skill to help bring Ventoy builds to a verifiable rebuildable state @Toolybird. As an AUR user also, I find @onnyyonn's findings very interesting. Also thanks to all the many others who are commenting on the issue at hand and offering time and skills to rectify the issue and get Ventoy back to being a tool we can all trust implicitly. |
I got windows w/ ventoy and it was very slow for me, then I switched with linux still using ventoy and it was faster, did the malware make my windows install w ventoy bad to force me to use linux? |
@RishiSlop this issue does not mean that Ventoy contains a virus. It also doesn't mean that it doesn't; it means we don't know and we can't really check fully for ourselves at the moment. If Windows feels slow, that's probably a driver issue. Also, we don't know if you used an official Windows image or a slimmed-down one (tiny11 or similar), which can have issues. Your issue is unlikely to be caused directly by Ventoy or the unchecked binaries in the repo. If you believe Ventoy is the cause, burn the image with Rufus and try again. EDIT: Fixed typo |
Windows is the malware. |
Can someone outline what exactly needs to be done to eliminate these blobs? My understanding is while there are many precompiled binaries only a few exist with zero source or even so much as brief explanation of their origin/build process. If that understanding is correct after this much time the project should absolutely be treated as malware until someone can at least be bothered to officially explain the origin of these binaries. |
On Linux, use the versions of those blobs that are provided by the distribution's package manager. On Windows, let them eat cake. |
If every binary has a known origin this is a fine solution, but I believe there are still some that just don't have one. Remaining silent on a huge accusation like your project being the next XZ Utils is nothing more than a stall tactic in my eyes. |
Since the maintainer doesn't want to do basic open source project management/create tasks tickets so people can contribute and help him. Let me try to spell it out for him:
Something along those lines. Did I miss something ? PS: @ the maintainer : man you are really making it HARD to want to help you. NOBODY will ever spend a week creating a PR for it to be discarded because it doesn't meet whatever criteria you have in your head. Maybe if you spend 10 min SPELLING OUT what you want to be done for fixing this issue instead of begging for money, this thread would have been closed last year... Plenty of people know how to fix this issue. Nobody is going to waste their time trying to figure out which solution you deem as acceptable for a PR. Just my 2 cents. |
Using the following command:
I have found this list of files:
We can immediately spot that there's 3 sets of GRUB present:
Further snooping shows that there's in fact, more:
They just escaped this rudimentary method of identification, because they are compressed:
So the first thing in our bill of materials is GRUB, for i386-pc, i386-efi, x86_64-efi, arm64-efi, and mips64el-efi. Next we have all kinds of crap in:
First thing I noticed when browsing these directories is a kernel module:
I'm not entirely sure why is a kernel module needed... here's the source for it: https://github.com/ventoy/Ventoy/blob/c16e76130bf34fd2e0b749cd7a71789c9115783b/DMPATCH/dmpatch.c Line 33 in c16e761
I'm really unconvinced that this is needed. Moving on, let's see what tools are exactly located in the
which brings us to:
Some of those commands I recognize:
I'm completely lost wtf is I'm tired. This is an incredible case, but one that I'm not taking a vacation from life over. |
Based on a comment above, Or busybox as running linux
|
Also, to make it easier for anyone to see which files are the same ones, Czkawka is quite useful. I have attached a text file with duplicates in the repo directory, so that you don't need to use it: |
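The two comments above describe inventorying the binaries in the tree (noting that compressed ones escape a simple file-type scan) and grouping identical files. The sketch below is an added example, not part of any comment and not Ventoy's tooling: it classifies files by leading magic bytes, looks inside xz/gzip streams, and groups duplicates by SHA-256. The function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib, lzma, os, tempfile, zlib
from collections import defaultdict

# Leading magic bytes; a heuristic, so "MZ" can also match a text file.
MAGIC = [(b"\x7fELF", "elf"), (b"MZ", "pe"),
         (b"\xfd7zXZ\x00", "xz"), (b"\x1f\x8b", "gzip")]

def classify(head):
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), None)

def peek(kind, data, n=8):
    """Decompress only the first n bytes, so a hostile archive cannot exhaust memory."""
    try:
        if kind == "xz":
            return lzma.LZMADecompressor().decompress(data, max_length=n)
        return zlib.decompressobj(wbits=31).decompress(data, n)  # 31 = gzip framing
    except (lzma.LZMAError, zlib.error):
        return b""

def inventory(root):
    """Return (rows, dupes); rows are (path, kind, inner kind, sha256)."""
    rows, by_hash = [], defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            if kind is None:
                continue  # not a recognised binary or archive
            # Compressed blobs hide their payload type; look one layer in.
            inner = classify(peek(kind, data)) if kind in ("xz", "gzip") else None
            digest = hashlib.sha256(data).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            rows.append((rel, kind, inner, digest))
            by_hash[digest].append(rel)
    return rows, {h: p for h, p in by_hash.items() if len(p) > 1}

def demo():
    """Run the inventory over a small constructed tree (not Ventoy's real files)."""
    elf = b"\x7fELF" + bytes(60)  # constructed stand-in for an ELF binary
    files = {"a/tool": elf, "b/tool_copy": elf, "c/mod.xz": lzma.compress(elf),
             "README.txt": b"plain text\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return inventory(root)
```

Calling `inventory()` on a checkout gives a starting bill of materials; each row still has to be traced to a build script or upstream release by hand.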
A person who seems to be the author has replied, but in the wrong place. I can't confirm whether he really is the author. https://lemmings.world/post/15186261
|
This is the first time I see this address. Not a good place to write something that should be read by many people. |
a couple of points:
|
His post does not address anything at all (and it looks to be written by AI). |
I appreciate, it's no small feat to build such a thing. But I'll stay away because I generally don't like social platforms. It's a huge time sink. |
There is a new response from someone who claims to be the real developer's friend:
Source: https://lemmings.world/comment/11306760 I don't know if what they tell is true, but there are a few things to consider:
|
I'd consider both those accounts to be untrustworthy for now. I think the safe assumption is we're still in the dark when it comes to an answer. |
Both of those accounts are LARPing. If @ventoy wanted to clarify anything, they'd do it in this thread, not on a barely known Reddit clone. |
The posts/comments and the account that made them are now removed by mods under probable impersonation. https://lemmy.ml/modlog?page=1&actionType=All&userId=14359241 |
Hello, I have been following the posts about longpanda and after the original post was taken down, I am heading here. Like everyone here, I am in the dark about what happened. As I mentioned in my comment, I lost contact with longpanda for several months. I am worried. I have no idea who wrote that post, who was behind this and what happened to longpanda 🙏🙏 |
Thank you, the last time I talked to him was before the labour day. He told me he would travel back home for a few weeks. |
It would be best not to discuss @ventoy's whereabouts here, as this should be focused on the issue itself. Such topics are better suited to the forum or the Discussion tab. |
There's been some new @ventoy GitHub activity today, so hopefully he can answer soon! 😊 |
@Casered glad to hear! |
What happened?
Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code.
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix
https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP
There is no reason to have those not be built in the release process. Of course it's convenient, they are prebuilt, it's fast and nobody has a problem with it.
Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build it on-push and use them out of the build cache.
I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.
Thank you for reading this and I hope for a productive conversation