454
submitted 1 month ago by SatyrSack@lemmy.one to c/opensource@lemmy.ml

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

you are viewing a single comment's thread
view the rest of the comments
[-] n2burns@lemmy.ca 82 points 1 month ago

I too wish the developer would respond, but I don't think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

[-] stickmanmeyhem@lemmy.world 35 points 1 month ago

If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?

[-] grue@lemmy.world 26 points 1 month ago

On the contrary: that just goes to show what a fucking catastrophe for software freedom "Secure[sic] Boot" is.

[-] nialv7@lemmy.world 17 points 1 month ago

While this is true, it only requires the shim and grub to be copied for another distro.

From other comments there are a lot more blobs than just these two.

[-] davad@lemmy.world 3 points 1 month ago

It sounds like most, if not all, come from upstream projects.

[-] nialv7@lemmy.world 4 points 1 month ago

Would be nice if the dev can respond and confirm that...

[-] davad@lemmy.world 3 points 1 month ago

I think they did say that in the older thread. But for proper security, you shouldn't have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.

[-] infeeeee@lemm.ee 11 points 1 month ago

It sounds to me as a documentation issue, as the next comment says, simply including a wget script should solve this.

[-] ReversalHatchery@beehaw.org 4 points 1 month ago

that's only a few files out of the 153

[-] refalo@programming.dev 1 points 1 month ago

153 binaries? where?

this post was submitted on 17 Sep 2024
454 points (98.9% liked)

Open Source

31223 readers
354 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS