
Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months

github.com [issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy

What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

  • Anyone who wants to fix this can help fix it, but people are just making demands of an unpaid maintainer. The devs can run this project the way they want to. If you don't like it, don't use Ventoy.

    The people comparing this to the xz exploit are out of line. xz was a library that was deeply embedded in a lot of software. Ventoy is an IT tool used to boot live OSes. Not even remotely the same attack surface.

    Blobs in the source tree are not ideal, but people need to pick their battles.

    • From what others have said: The blobs violate GPL because they are taken from other FOSS project but the changes Ventoy makes are not viewable.

    • If you don't like it, ~~don't use~~ fork Ventoy.
