Ventoy is a tool to make a USB with multiple ISOs bootable, letting you select which ISO to use on boot. Another newly-created account claims to be the dev’s friend and translator and has received no contact from the maintainer.

  • Steamymoomilk@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    38
    ·
    edit-2
    1 month ago

    so ive deep dived into as much information as i can find. the TLDR is the main dev LongPanda supposedly went on a vacation to china (most likely his home country?) to which there is conflicting information on his return. one path is he make a lemmy account 9hours ago and made a message that doesn’t describe the blob and sound like a gpt response. to which his "irl friend made an account 3 hours ago to comment that he hasnt heard from LongPanda in months. both were removed from lemmy.ml because of suspected impersonation. the other side of the coin is the LongPanda is still gone and hasn’t addressed the blobs. after looking thought the documentation, you can build from source. in the instructions it says "5. Binaries

    There some binaries in Ventoy install package. These files are downloaded from other open source project’s website, such as busybox."

    i am not a programer but in the source build it lists the blobs and were there from supposedly from other FOSS projects with sha256’s. so theoretically you should be able to verify the blobs, with the sha256.

    https://github.com/ventoy/Ventoy/blob/master/DOC/BuildVentoyFromSource.txt

    • Random Dent@lemmy.ml
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 month ago

      I like Ventoy, it’s handy but I don’t think it’s indispensable so probably what I’ll do is go back to using Etcher (which is open source AFAIK) until this resolves itself one way or another. I assume either the dev will respond properly with an explanation and everything will be fine, or someone will get fed up enough to fork it. I feel like it’s probably nothing nefarious, but it doesn’t really hurt to be overly cautious in this case IMO.

      • Bizzle@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 month ago

        Ventoy’s “killer feature” is the ability to have multiple ISOs in a single drive, can Etcher do that? If so I’ll switch, if not why not just use dd?

    • mvirts@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      1 month ago

      Imho it will be much easier to replace blobs with verifiably correct blobs or add the source to build them than to retroactively find the original builds from whence they came.

      Searching for some of those binaries looks like it would require comparing the hash against a large set of candidates which would need to first be unpacked from releases (fedora mostly???) and hashed unless the hashes already exist somewhere.

  • just_another_person@lemmy.world
    link
    fedilink
    arrow-up
    24
    arrow-down
    3
    ·
    1 month ago

    I understand the concern raised, but unless I’m reading this wrong there is an assumption that Ventoy may be doing something untoward, but I’m not sure how at this level. It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.

    Just sounds like super lazy project administration. Maybe I’m missing something?

    • Aatube@kbin.melroy.orgOP
      link
      fedilink
      arrow-up
      27
      ·
      1 month ago
      1. Around April, there was this big thing where a maintainer for XZ Compression included an SSH backdoor in binaries that were only built on release. If a freaking piece of compression software can backdoor SSH, who knows what else is possible.
      2. The response to the blob concern is nonsensical, made without their previously-known accounts, and coincides with someone’s claim that they are a close friend and was on vacation to China, the country where the XZ maintainer was from.
      • just_another_person@lemmy.world
        link
        fedilink
        arrow-up
        19
        arrow-down
        2
        ·
        1 month ago

        The xz issue is something totally different though. That was a software library running and executing against flat files. I’m just not sure there’s a way to alter an ISO image before boot, undetected in the case of Ventoy.

        If the goal is to alter files to provide access to something, this must be some sort of ingenious way that bypasses checksums, and targets something universal, which doesn’t seem quite possible in the case of a substitute bootloader.

        • Aatube@kbin.melroy.orgOP
          link
          fedilink
          arrow-up
          5
          ·
          1 month ago

          Yeah, it would be really big. I wouldn’t have posted about this if it weren’t for the radio silence and blabbering statement.

    • nyan@sh.itjust.works
      link
      fedilink
      arrow-up
      5
      ·
      1 month ago

      It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.

      As far as I can tell, this is not talking about ISOs installed using Ventoy, but precompiled blobs of things like Busybox that are included in the Ventoy install package. It’s an important distinction. The developer could bundle a tampered blob, include in the documentation the checksum that matches that blob, and then if someone checks with the upstream project and calls them out, say something along the lines of, “Oh, they must have withdrawn that release,” and replace it with an untampered blob. If they don’t fight to preserve the tampered blob, they might even get away with it.

      • Aatube@kbin.melroy.orgOP
        link
        fedilink
        arrow-up
        3
        ·
        1 month ago

        The claim of the person you’re replying to is that even if the binaries were tampered, Ventoy wouldn’t be able to do anything.

        • nyan@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          1 month ago

          Even if the original issue had anything to do with ISOs, he’s way overestimating the level of protection on many install ISOs, in my experience—they’re just disk images, and presumably all the files read off them are passing through Ventoy itself. Even if you find one that performs some kind of verification, easy enough to change a jump instruction to a no-op somewhere in the machine code guts of a file as it passes through Ventoy, and prevent the verification from executing. (The difficult part is figuring out which instruction to change, but people have done it before.)

          • just_another_person@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            1 month ago

            No, I’m saying the way ISOs are written, you couldn’t just, say, inject changes via text tools or whatever like the xz attack.

            I’m not aware of HOW a binary blob not knowing specifically what it was going to attack COULD attack anything in a resting and isolated state like it would be with Ventoy.

      • Dessalines@lemmy.ml
        link
        fedilink
        arrow-up
        11
        ·
        1 month ago

        I banned that one now too.

        Some common threads I’m seeing with these troll accounts:

        • lemmings.world
        • new account
        • claim to be or know the creators
        • make claims about the insecurity of an open source app
        • blame china in some way
  • thingsiplay@beehaw.org
    link
    fedilink
    arrow-up
    12
    ·
    edit-2
    1 month ago

    There are some random accounts that do not look like the original creator. I highly discourage from such titles like this post, because we don’t know. “Ventoy” (creator) did not respond as far as I can see.

    Edit: Even if it looks legitimate, it can be impersonating to gain trust. Don’t blindly trust random people from new accounts.

      • Virkkunen@fedia.io
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        1 month ago

        It is very much actively maintained other than this supposed vacation from the developer. Everything else is purely speculation and what seems to be impersonation of the dev on the fediverse.

        • Aatube@kbin.melroy.orgOP
          link
          fedilink
          arrow-up
          6
          ·
          1 month ago

          This big issue has been open since April, and the dev has not responded, and his last commit was in early June. Yes, most of this is pure speculation, but 4 months is unmaintained.

  • Blaze@lemmy.zip
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    1 month ago

    Interesting context to bring up Lemmy

    Edit: from the thread, it’s pretty clear those people were not the creator?

  • The Doctor@beehaw.org
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 month ago

    Let’s see… Ventoy is a tool intended for sysadmins to use.

    Something sketchy is going on in a tool sysadmins use when working on the crown jewels.

    What could possibly go wrong? /s

  • BCsven
    link
    fedilink
    arrow-up
    8
    arrow-down
    20
    ·
    1 month ago

    I heard people raving about ventoy, i checked it out online, but blobs and chinese maintainer made it seem fishy. Even if a maintainer was legit it only takes CCP thteatening their family to get a backdoor inserted

    • electric_nan@lemmy.ml
      link
      fedilink
      arrow-up
      32
      arrow-down
      6
      ·
      1 month ago

      This is ridiculous. You don’t trust “Chinese maintainers” (“even if legit” lol), because the “CCP” might threaten “their family to get a backdoor inserted”.

      Absolutely unhinged level of fantasy in the context of this project. A nation of 1.4 billion people and you don’t trust anyone there to write software? You know they made your phone and pretty much everything else right? Also, the idea that “the CCP” is somehow uniquely (among governments) willing and able to coerce or commission backdoors in software is a feverishly deluded attitude.

      Propaganda has put a backdoor in your brain.

      • BCsven
        link
        fedilink
        arrow-up
        11
        arrow-down
        6
        ·
        edit-2
        1 month ago

        We have chinese police here in Vancouver (edit Non Canadian force), if residents speak badly about CCP these “Police” show up at the door and try to coherce them back to mainland. I’m not regurgitating the articles, my friend living in vancouver had them show up. I’m not trusting blobs.

        • The Doctor@beehaw.org
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          4
          ·
          1 month ago

          New York, DC, and LA as well. If one doesn’t want a polite knock, one doesn’t speak ill of the CCP.

            • electric_nan@lemmy.ml
              link
              fedilink
              arrow-up
              5
              arrow-down
              1
              ·
              1 month ago

              Down voting for 2 reasons:

              1. This article is short on factual information that says what you’re implying.
              2. This is wholly irrelevant to Ventoy.
              • BCsven
                link
                fedilink
                arrow-up
                4
                arrow-down
                3
                ·
                1 month ago

                if you search Chinese Police Canada (or USA) there are tons of articles that are way more in depth, and describe encounters, etc.

                I added that link so people don’t think I’m making it up when my friends house is getting door knocked by two CCP police.

                It does not directly relate to Ventoy, it relates to why I would not trust a chinese product as we have first hand witness here in Canada of CCP harassing residents or forcing them back to china. There is that much control, even when they don’t live in China, that if CCP wanted to have widespread spying they would just pick a dev with family in the mainland.

                • electric_nan@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  3
                  ·
                  1 month ago

                  Your phone, computer, TV, and various other electronics in your house were not made in China? You believe that your own country or mine cannot secretly compel backdoors?

      • BCsven
        link
        fedilink
        arrow-up
        4
        arrow-down
        7
        ·
        edit-2
        1 month ago

        Read my other reply in this thread you will see why/how CCP oversteps boundaries, and why you don’t trust blob code you can’t verify

        • Norah - She/They@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          8
          ·
          edit-2
          1 month ago
          1. There’s an older comment in this thread that details how you could verify those blobs: https://sh.itjust.works/comment/14458323
          2. You very much implied that you shouldn’t trust all people of Chinese descent. I personally very much dislike the CCP, as a government I think they cause an immeasurable amount* of harm. However, what you are suggesting is on the same level of racism as the US government locking up all Japanese-Americans in internment camps during WWII.
          3. Seriously, calm down.
          • BCsven
            link
            fedilink
            arrow-up
            2
            arrow-down
            2
            ·
            1 month ago

            Nope just maintainers that I can’t verify their identity, not asians in general.

            We live in a mixed bag of skin colours here, I have no issue with people…just CCP and their infiltration of their officials into Canada… that are harassing citizens and Permanent residents of chinese descent.