I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

  • Quail4789@lemmy.ml
    link
    fedilink
    English
    arrow-up
    27
    arrow-down
    3
    ·
    3 months ago

    It matters because nobody is going to check the hashes for all of the files match whenever there’s a change so the maintainer can just replace them with whatever he wants.

    • Pup Biru@aussie.zone
      link
      fedilink
      English
      arrow-up
      25
      ·
      3 months ago

      that’s what automation is for - nobody is going to manually check them, but anyone is able to automatically set something up to check their hashes in change… the fact that it’s possible that anyone is doing that now that it’s a known issue perhaps makes it less problematic as an attack vector

      • refalo@programming.dev
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        3 months ago

        That is true, but also nobody is doing it. Just like nobody is verifying Signal’s “reproducible builds”.

        • Pup Biru@aussie.zone
          link
          fedilink
          English
          arrow-up
          5
          ·
          3 months ago

          are you sure?

          there could be thousands just waiting for a failure to come out and say “HEY THIS IS DODGY”

          • refalo@programming.dev
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            3 months ago

            Yea because I tested it myself. Nobody else seems to care, and if they did, I would think there would be a public way to see regular test results regardless.

            I know this exists for some projects, but somehow nothing privacy-sensitive

      • Quail4789@lemmy.ml
        link
        fedilink
        English
        arrow-up
        13
        arrow-down
        1
        ·
        edit-2
        3 months ago

        The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.

        There’s also the fact that if you want to ship binaries, you can just wget them from source during the build process. Not a perfect solution but much better than what’s ventoy doing. The source code updates works the same in every project because it has to. That’s why this is drawing more attention.

        • Ferk@lemmy.ml
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          3 months ago

          That’s ok if we are talking about malware publicly shown in the published source code… but there’s also the possibility of a private source-code patch with malware that it’s secretly being applied when building the binaries for distribution. Having clean source code in the repo is not a guarantee that the source code is the same that was used to produce the binaries.

          This is why it’s important for builds to be reproducible, any third party should be able to build their own binary from clean source code and be able to obtain the exact same binary with the same hash. If the hashes match, then you have a proof of the binary being clean. You have this same problem with every single binary distribution, even the ones that don’t include pre-compiled binaries in their repo.

          • refalo@programming.dev
            link
            fedilink
            arrow-up
            3
            ·
            3 months ago

            The problem is not near enough projects support reproducible builds, and many that do aren’t being regularly verified, at least publicly.

            • Ferk@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              3 months ago

              Yes, that’s why im saying that this kind of problem isn’t something particular about this project.

              In fact I’m not sure if it’s the case that the builds aren’t reproducible/verifiable for these binaries in ventoy. And if they aren’t, then I think it’s in the upstream projects where it should be fixed.

              Of course ventoy should try to provide traceability for the specific versions they are using, but in principle I don’t think it should be a problem to rely on those binaries if they are verifiable… just the same way as we rely on binaries for many dynamic libraries in a lot of distributions. After all, Ventoy is closer to being an OS/distribution than a particular program.