[HN Gopher] Ventoy: Remove BLOBs from the Source Tree
___________________________________________________________________
Ventoy: Remove BLOBs from the Source Tree
Author : 6581
Score : 79 points
Date : 2024-06-15 13:20 UTC (9 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| graton wrote:
| From the very beginning I've been reluctant to use Ventoy. In the
| beginning there were no instructions on how to build from source.
| Then after that there were binary blobs that were used in the
| build.
|
| So far I've never used Ventoy due to these issues. The concept
| sounds great though.
| ungamedplayer wrote:
| The attitude in the comments regarding the "look you can see
| how it's built" is concerning.
|
| A simple virus could easily backdoor every binary on the system
| which built the file, rinse and repeat.
|
| Before anyone says that Linux viruses do not exist, I have
| written a handful, as I'm sure many others have. Do not assume
| lack of observation to be confirmation of your view.
| isoprophlex wrote:
| Fascinating. If you feel like sharing, what was your motive?
| Profit, research, the lulz?
| worthless-trash wrote:
| I have always been interested in how these things work, and
| based an early one on Silvio Cesare's paper
| (https://www.win.tue.nl/~aeb/linux/hh/virus/unix-viruses.txt)
| as I was associated with him while at university. This
| virus was to confirm what was written in the paper.
|
| The second I wrote was attempting to exploit the trust that
| Erlang VMs have with each other. I have rewritten a few in
| various BEAM based languages, this was to give evidence to
| management that security/protections should be put in place
| for Erlang clustering (rabbitmq, HA erlang, etc).
|
| Another was from working for a large North American Linux
| vendor's product security group, in an effort to know one's
| enemy and the effort involved in some of the 'in-the-field'
| backdoors that were found. In this case, I was reproducing
| the "virus/RAT" (I use that term loosely) that contained a
| Dirty COW exploit primitive in the wild. I also
| reversed/reproduced/(exploited ?) their exploitable C&C
| infrastructure. This information was handed over to law
| enforcement and I've never heard any more about it.
|
| Each virus had its own reason, none of them escaped my
| demonstrations.
| fastily wrote:
| Yeah, that part has always been weird. I will say that it works
| wonderfully, especially if you need to install Windows from a
| USB but only have computers running Linux/Mac available.
| brunoqc wrote:
| 177 thumbs up on the issue and 0 replies from the maintainer in
| those 2 months.
|
| "concerning"
| jauntywundrkind wrote:
| What alternatives are there?
|
| Nowhere near the ergonomics as far as I can tell, but with
| containers, there's been an effort to make bootable containers. I
| seem to remember there being some other options (I wanna say like
| Wyvern or something like that was one but not finding it), but
| the big obvious effort is bootc.
| https://containers.github.io/bootable/projects.html . 38d old
| thread: https://news.ycombinator.com/item?id=40289120
| kotaKat wrote:
| The physical one, which is more reliable to boot because it's
| emulating the actual USB-DVD/USB-HD/USB-flash interfaces when
| you use it.
|
| https://www.iodd.shop/IODD-ST400-USB-30-External-Encrypted-H...
|
| I love using my IODD in "dual-mode" with Clonezilla. It exposes
| a USB-DVD drive with an emulated Clonezilla DVD in it as well
| as its HDD storage, so I can dump an image right to the hard
| drive.
|
| (Bonus points: I can then have Clonezilla bundle me a
| clonezilla-iso package of my captured image, and save it back
| into the ISO folder to boot from later!)
| k8svet wrote:
| I almost want one of these, except I have no use for it
| nowadays. Ventoy didn't even work the one time I tried it,
| probably because it couldn't hook NixOS's initrd properly.
|
| But also, I'm insanely frustrated that (1) Google doesn't
| allow USB Gadget mode to do this from stock Android (2) the
| app that appeared to work for LineageOS/rooted devices is
| abandonware.
|
| There's _no good reason_ why your phone can't serve up ISOs
| with gadget mode.
|
| I already travel with my ancient Pixel 3a as a backup (which
| has come in handy, clumsy me). It would be slick to have that
| as a portable ISO host, _and_ backup phone. (Ignore the USB2
| USB-C port, it's _fine_.)
| hddherman wrote:
| I remember giving that a go many years ago. Not 100%
| successful, but when it worked, it was fantastic. It would
| be incredibly handy nowadays, especially for
| troubleshooting use cases. OS installation, memtest,
| clonezilla, portable Windows installation, and you'll
| always have them with you since you're already carrying
| your phone!
| ryukafalz wrote:
| This might not help you that much depending on your use
| case but Ubuntu Touch can do this:
| https://open-store.io/app/me.fredl.isodrive
|
| ...and runs on the Pixel 3a:
| https://devices.ubuntu-touch.io/device/sargo/
| transpute wrote:
| It's more work, but there are sample configs for grub2 to boot
| multiple ISOs, https://news.ycombinator.com/item?id=38663958
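A minimal grub.cfg of the kind transpute points at, as an added example that is not taken from the linked thread and is not Ventoy's code. The `/isos` directory, the ISO file name and the `/casper/vmlinuz` and `/casper/initrd` paths inside the image are assumptions for illustration (Ubuntu desktop images use that layout; other distributions use their own kernel paths and boot parameters). The point of doing it this way is that GRUB's loopback device reads the kernel and initramfs straight out of the ISO you verified, with no extra layer rewriting the initramfs at boot, and the `sha256sum -c` guard refuses to boot an image whose hash does not match the sums file on the stick.

```grub
# Assumed layout: ISO images and a SHA256SUMS file live under /isos on the
# stick's data partition. The GRUB modules below are part of a standard build.
insmod loopback
insmod iso9660
insmod hashsum

menuentry "Ubuntu desktop ISO (loopback, hash-checked, no injection layer)" {
    # Assumed file name; substitute the image you actually downloaded and verified.
    set isofile="/isos/ubuntu-24.04-desktop-amd64.iso"

    # Compare every entry in /isos/SHA256SUMS against the files under /isos.
    # A failed check prints an error and the boot commands below are skipped.
    if sha256sum -c /isos/SHA256SUMS -p /isos; then
        loopback loop $isofile
        # casper must be told which file on the host filesystem holds the ISO.
        linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=$isofile
        initrd (loop)/casper/initrd
    else
        echo "hash check failed for $isofile, refusing to boot"
    fi
}
```

The sums file on the stick is only as trustworthy as the process that put it there, so it should be the distribution's signed checksum list, verified on a machine you trust before copying it over; GRUB itself does not check signatures on the ISO.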
| 20after4 wrote:
| This looks promising: https://github.com/tjmnmk/gadget_cdrom
|
| It's using a Raspberry Pi Zero to emulate a USB CD-ROM. A menu
| on the device allows you to choose an ISO to boot from.
| brunoqc wrote:
| That project isn't very active. The last significant commit
| was 3 years ago.
| transpute wrote:
| Why is Deepin the only distro worthy of a "Friendly Link" on the
| Ventoy home page? Are they a sponsor of the project? Code
| contributor? Preferred demo platform?
| https://web.archive.org/web/20240614040917/https://ventoy.ne...
|
| Ventoy developer longpanda offers tools for injection into Linux
| and Windows ISOs, which work with the Ventoy injection plugin,
| https://news.ycombinator.com/item?id=38691857
|
| _> Deepin is a distribution developed in Wuhan, China by Deepin
| Technology. Its homepage proclaims it "the top Linux
| distribution from China" ... The extensive EULA is uncommon for
| the Linux space, and the privacy policy goes into some detail
| about the types of information they collect - not just browser
| history, but information on when you use your computer and the
| applications installed on your system._
| zamadatix wrote:
| What underlying result are you hoping the long-term fixation on
| asking this question is going to resolve? The developer is Chinese
| and probably doesn't care what someone else's preferred distro
| is, or maybe they are associated with it - what difference does
| it make to why it's on the site, and why not just ask them
| directly about it instead?
|
| If you mean to just highlight the association with Deepin it
| doesn't need to be guised as a question.
| nazgu1 wrote:
| Are there any real concerns about Ventoy and security? So if I
| use it to boot an installer, the installed OS can be backdoored? Or
| is it just some "possibility", but rather unreal?
| Dalewyn wrote:
| You're going to have to weigh the Chinese origins against what
| threats and risks you cannot or will not accept.
|
| Personally, I don't and use stuff like Rufus[1] instead.
|
| [1]: https://github.com/pbatard/rufus
| stragies wrote:
| Rufus does not seem to have anywhere near the feature set of
| Ventoy, so not really a replacement.
| hddherman wrote:
| The demand for a Ventoy-like tool is clearly there, but I hope
| that one day we'll have an alternative that we can actually
| trust. Until then it seems that having a small collection of USB
| sticks is still the way to go, the inconvenience is preferable to
| the whole installation getting compromised.
| BobbyTables2 wrote:
| The amount of "marketing" with the corresponding lack of
| technical documentation also greatly disturbs me.
|
| On one hand, it integrates a lot of open source components, but
| there is enough custom stuff going on that I'm concerned.
|
| Look how it boots a Linux live CD... Initramfs injection is
| well used -- perfect for malware.
| catlikesshrimp wrote:
| I use and recommend ventoy for convenience. It is so
| convenient. That is, good for nerds to play with hardware and
| test distros. Not for end users.
|
| For security, I always recommend burning an ISO into a physical
| optical disc. Check the ISO MD5 before burning. No thumbdrives.
|
| Then pray God your government only approves sales of backdoored
| hardware where you live. I recommend at least disabling
| (pulling out) the built-in network cards (yes, wifi/bt too) and
| buying USB replacements.
| trueismywork wrote:
| What can ventoy do that `cp` cannot?
| cl3misch wrote:
| My reason to use Ventoy is the possibility to have multiple
| ISOs on one single USB stick. Before I would have to dd the new
| ISO to the stick, wiping what was there before. Effectively
| this resulted in more writes to flash and ultimately multiple
| broken USB sticks.
|
| FWIW, I think you mean `dd`.
| aidenscott2016 wrote:
| You can cp the image to a block device and it will work.
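Two checks that go with the advice in this thread, namely verifying the image before writing it (catlikesshrimp's comment, above) and then copying it to the block device with `cp` or `dd` (the exchange just above), as an added POSIX shell example that is not Ventoy's code and not any distribution's tooling. It uses sha256sum rather than MD5, since MD5 collisions are cheap to produce and most distributions ship SHA256SUMS files anyway; it assumes GNU coreutils (`sha256sum`, `head -c`, `cmp`), and the SHA256SUMS, ISO and device names in the usage comment are placeholders. The read-back compares exactly the image's byte length against the start of the device, because the device is larger than the image and whatever follows the image is not part of what was written.

```shell
#!/bin/sh
# Added example: verify an ISO against a SHA256SUMS file, then check that the
# image actually written to a block device reads back byte-for-byte identical.
#
# Usage (placeholders, not run when this file is sourced):
#   verify_iso SHA256SUMS ubuntu.iso \
#     && cp ubuntu.iso /dev/sdX && sync \
#     && verify_written ubuntu.iso /dev/sdX

# verify_iso SUMS_FILE ISO
# Returns 0 only if the ISO's sha256 equals the entry for its basename in
# SUMS_FILE (lines of the form "<hex>  <name>" or "<hex> *<name>").
# Returns 2 when the sums file has no entry for the image at all, so a
# missing entry is never mistaken for a passing check.
verify_iso() {
    sums="$1"; iso="$2"
    expected=$(awk -v f="$(basename "$iso")" '
        { n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $(basename "$iso") in $sums" >&2; return 2; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "sha256 mismatch for $iso" >&2; return 1; }
    echo "sha256 ok: $iso"
}

# verify_written ISO DEVICE
# Compares the first size-of-ISO bytes of DEVICE with ISO. Bytes beyond the
# image are deliberately not compared; the stick is larger than the image.
verify_written() {
    iso="$1"; dev="$2"
    size=$(wc -c < "$iso")
    if head -c "$size" "$dev" | cmp -s - "$iso"; then
        echo "device content matches $iso"
    else
        echo "device content differs from $iso" >&2
        return 1
    fi
}
```

On a real device the read-back right after `cp` may be served from the page cache rather than the flash; unplug and reinsert the stick, or read it with `dd if=/dev/sdX iflag=direct`, before calling `verify_written` if you want the check to reflect what the hardware stores.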
| teraflop wrote:
| Aside from the security issues, this project is pretty clearly
| violating the GPL by distributing binary versions of other
| people's code without including either the source code or the
| original copyright notices.
| svlasov wrote:
| I wonder if somebody already tried to compare installations made
| via Ventoy and not, to spot any differences.
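One way to run the comparison svlasov asks about, as an added POSIX shell example that is not Ventoy's code and not anything the thread links to. It builds a sha256 manifest of every regular file under two mounted installation roots (one installed from media booted through Ventoy, one from the same ISO written directly) and reports files that differ or exist on one side only. The default exclusion list of per-machine files (`machine-id`, SSH host keys, logs, caches, the systemd random seed) is an assumption; real installs also differ in hostnames, fstab UUIDs and bootloader configs, so the list needs tuning, and the interesting findings are differences in binaries under `/usr` and in the kernel or initramfs under `/boot`. It assumes GNU coreutils (`sha256sum`, `mktemp`).

```shell
#!/bin/sh
# Added example: hash two installed roots and report what differs, so an
# installation made through Ventoy can be compared with a plain one.
#
# Usage (placeholder mount points):
#   manifest_diff /mnt/install-via-ventoy /mnt/install-direct

# Assumed list of paths that legitimately differ between two installs.
# Matched with grep -E against lines of the form "<kind> <relative path>".
DEFAULT_EXCLUDE=' (etc/machine-id$|etc/ssh/ssh_host_|var/log/|var/cache/|var/lib/systemd/random-seed$)'

# manifest ROOT OUT
# Writes one "sha256  ./relative/path" line per regular file under ROOT.
manifest() {
    root="$1"; out="$2"
    ( cd "$root" && find . -type f -exec sha256sum {} + ) > "$out" || return 2
}

# manifest_diff ROOT_A ROOT_B [EXCLUDE_REGEX]
# Prints "differs <path>", "only-in-a <path>" or "only-in-b <path>" for every
# unexplained difference and returns 1 if there is any; returns 0 when the
# two roots agree on every file not matched by the exclusion regex.
manifest_diff() {
    a="$1"; b="$2"; exclude="${3:-$DEFAULT_EXCLUDE}"
    ma=$(mktemp) || return 2
    mb=$(mktemp) || return 2
    manifest "$a" "$ma" || return 2
    manifest "$b" "$mb" || return 2
    # sha256sum output is 64 hex chars, two spaces, then the path; slicing by
    # offset rather than splitting on whitespace keeps paths with spaces intact.
    result=$(awk -v fa="$ma" '
        { hash = substr($0, 1, 64); path = substr($0, 67); sub(/^\.\//, "", path) }
        FILENAME == fa    { seen[path] = hash; next }
        !(path in seen)   { print "only-in-b " path; next }
        seen[path] != hash { print "differs " path }
        { delete seen[path] }
        END { for (p in seen) print "only-in-a " p }
    ' "$ma" "$mb" | LC_ALL=C sort | grep -Ev "$exclude" || true)
    rm -f "$ma" "$mb"
    if [ -n "$result" ]; then
        printf '%s\n' "$result"
        return 1
    fi
    return 0
}
```

A clean result only says the two installs agree with each other; if the ISO itself were trojaned both would carry the same backdoor, which is why the comparison belongs alongside verifying the ISO's checksum and signature, not instead of it.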
___________________________________________________________________
(page generated 2024-06-15 23:02 UTC)