community/ventoy: compile from source

Compile instructions have just been added to Ventoy.

EDIT: Currently, it is not the case. The build is harvested from release pages.


I took a look, but his repo and instructions are a mess. I've been fiddling around when I've had time. Also, the AUR maintainer of ventoy has said he will give it a shot as well.

@Yochanan I think it would be appropriate to open an issue upstream for better compliance with Open Source standards, such as reproducible build instruction with a makefile, don't you?

Moreover, I personally had security concerns about this software, mainly because of the build reproduction issue, but also a bundle of other clues (quote from the AUR thread):

Also, I have security concerns about this program. It pops out of nowhere, the authors are unknown (the Github user has no prior activity, no info in the website either), no build instructions, the .exe binary has been spotted as malware by different anti-viruses (take a look at multiple reports in their issue tracker), the git repository is a mess with a lot of shipped / modified binaries.

I would recommend the community to wait for a transparency endeavor on the developers side, and even better a security audit from an independent team. Don't install untrusted code on a USB key!

But I'm not an expert. Did you raise any concerns in the team before integrating the package to community?

The concerns are valid, though the malware flags have been identified as false positives as far as I read.

I didn't add it, @linux-aarhus did. I believe he added it because it's a very useful tool is all. It can be removed for now if the community has issues with it.

I think it is a good idea to remove it from the repository, when I read a positive user feedback about it and found it in the repository I just installed it, many people will do the same because they consider the repository as having a better reliability compared to AUR.

No one should shout wolf unless you have actually seen one.

I consider this topic FUD - I don't like such things.

I have had no issues - the code doesn't misbehave or do weird things.

There is no one who has pointed to places in the code. I have gone over the code - to the best of my ability - and I did not find anything suspicious - but I am no C expert.

The addition is by my decision - and I stand by it - as it is an extremely useful utility.

I will temporarily remove the package - and go over the code again.

The comment - don't install anything to your USB - so we should not create any bootable flash drives using GRUB - or other things?

Please don't spread fear, uncertainty and doubt.


Update: 2020-05-31T17:13:00Z

I have been over the source one more time. I have been a developer for many years - although I have no experience with C - I can read code - I have found no reasons for concern - there is no obfuscated code - the code is doing what it claims to do.

In my opinion - the @longpanda developer - is very skilled - and for the final release packages - take a look at the License folder - and note that most of it is unaltered code from various projects.

So - until there is something verifiable - not false positives garnered with rumors and FUD - the package stays.

Using upstream release packages is quite normal - e.g. ipscan, among others, is built from upstream releases. Just because it is a new project doesn't mean it should be iced.


You are right, a new project from an unknown developer should not be considered dangerous just because it is very hard to build and analyze.
But I did not see any clear answer to this issue yet: Trojan detected for Ventoy2Disk.exe

Of course you can decide to trust the project, but there is also no need to hurry, the first commit was less than three months ago and it is still evolving at a fast pace, hopefully addressing some of the concerns.


I confide conclusions to those with expertise, and I do trust your code review @linux-aarhus. At the same time, I think it's a little unfair to dismiss the concerns just as "shouting wolf", when there is an antivirus flag involved. At the time of my AUR comment and this community packaging, there were no build instructions, which is utterly unusual for OS projects. Concerns are no proof, and we're talking about being cautious, not accusing anyone. I second @Cubanpit's argument in that regard that there is "no need to hurry".

Malware detection is by definition a risky business. False positives are the norm.

The source code for the Windows tool set is available on Github - and it does not contain malicious code. People - a lot smarter than me - would have found it.

I have been developing software for years for Windows - and still do albeit not the same scale - and I used a tool with an algorithm which at the same time created routines for me to verify the license of the applications.

This specific tool made my code look like malware - obviously my code contained a distinctive pattern which had at some point in time been included in a malware database.

I have had many support issues due to that.

This is one of the reasons why this malware thing does not concern me.

Thank you for explaining your rationale, very helpful. I do agree the ventoy tool is amazing and its author must be extremely talented!

I agree - and the project was not created yesterday :grin: - it was neither released in a rush.

The code is carefully crafted to provide the minimal required binaries to achieve the designated task:

  • boot the USB using a modified version of GRUB
  • listing the content of the USB
  • using a tiny virtual machine to boot the ISO
  • even a capability of booting a Windows Image

This is the work of a very skilled developer.


Just an FYI, and a great tutorial for Ventoy. Looks like at least some Parted Magic and GParted live ISOs won't boot properly. I just updated my key to 1.0.12 and updated the ISOs I keep on it. Now, in the below tutorial where it reads "Some caution is advised:", I'd take it with a grain of salt, meaning I have not seen anything to warrant the warning.

The number of malware detections in VirusTotal shrank from 19 to 2 in the latest release.

FYI, the author has removed the caution notice.

OK I personally wasn't worried about the caution notice, but thanks.
