I too wish the developer would respond, but I don't think this is the catastrophe people are making it out to be. One comment seems to explain why these binaries are included:

Because ventoy supports shim, and by extension secure boot, these files needs to come from a signed Linux distro. In this case they are taken from Fedora releases, and OpenSUSE apparently, as they publish shim binaries and grub binaries signed by their certificate.

[–] stickmanmeyhem@lemmy.world 35 points 1 year ago (1 children)

If the hashes match the files from the Fedora or OpenSUSE releases, then does this really matter?

[+] Quail4789@lemmy.ml 24 points 1 year ago* (last edited 10 months ago) (2 children)

[deleted]

[–] pupbiru@aussie.zone 25 points 1 year ago (1 children)

that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

[–] refalo@programming.dev 3 points 1 year ago (1 children)

That is true, but also nobody is doing it. Just like nobody is verifying Signal's "reproducible builds".

[–] pupbiru@aussie.zone 5 points 1 year ago (1 children)

are you sure?

there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

[–] refalo@programming.dev 1 points 1 year ago* (last edited 1 year ago)

Yea because I tested it myself. Nobody else seems to care, and if they did, I would think there would be a public way to see regular test results regardless.

I know this exists for some projects, but somehow nothing privacy-sensitive

[–] MangoPenguin@lemmy.blahaj.zone 17 points 1 year ago (1 children)

Is that any different from no one checking the code every update?

[+] Quail4789@lemmy.ml 12 points 1 year ago* (last edited 10 months ago) (1 children)

[deleted]

[–] Ferk@lemmy.ml 3 points 1 year ago* (last edited 1 year ago) (1 children)

That's ok if we are talking about malware publicly shown in the published source code.. but there's also the possibility of a private source-code patch with malware that it's secretly being applied when building the binaries for distribution. Having clean source code in the repo is not a guarantee that the source code is the same that was used to produce the binaries.

This is why it's important for builds to be reproducible, any third party should be able to build their own binary from clean source code and be able to obtain the exact same binary with the same hash. If the hashes match, then you have a proof of the binary being clean. You have this same problem with every single binary distribution, even the ones that don't include pre-compiled binaries in their repo.

[–] refalo@programming.dev 3 points 1 year ago (1 children)

The problem is not near enough projects support reproducible builds, and many that do aren't being regularly verified, at least publicly.

[–] Ferk@lemmy.ml 1 points 1 year ago* (last edited 1 year ago)

Yes, that's why im saying that this kind of problem isn't something particular about this project.

In fact I'm not sure if it's the case that the builds aren't reproducible/verifiable for these binaries in ventoy. And if they aren't, then I think it's in the upstream projects where it should be fixed.

Of course ventoy should try to provide traceability for the specific versions they are using, but in principle I don't think it should be a problem to rely on those binaries if they are verifiable.. just the same way as we rely on binaries for many dynamic libraries in a lot of distributions. After all, Ventoy is closer to being an OS/distribution than a particular program.

[–] grue@lemmy.world 26 points 1 year ago

On the contrary: that just goes to show what a fucking catastrophe for software freedom "Secure[sic] Boot" is.

[–] nialv7@lemmy.world 18 points 1 year ago (1 children)

While this is true, it only requires the shim and grub to be copied for another distro.

From other comments there are a lot more blobs than just these two.

[–] davad@lemmy.world 3 points 1 year ago (1 children)

It sounds like most, if not all, come from upstream projects.

[–] nialv7@lemmy.world 5 points 1 year ago (1 children)

Would be nice if the dev can respond and confirm that...

[–] davad@lemmy.world 4 points 11 months ago

I think they did say that in the older thread. But for proper security, you shouldn't have to trust them. You should have build tools that will re-fetch everything to create an identical build. That gives a clear chain of custody, which proves that morning has been tampered with.

[–] infeeeee@lemm.ee 11 points 1 year ago

It sounds to me as a documentation issue, as the next comment says, simply including a wget script should solve this.

[–] ReversalHatchery@beehaw.org 4 points 1 year ago (1 children)

that's only a few files out of the 153

[–] refalo@programming.dev 1 points 1 year ago

153 binaries? where?