- cross-posted to:
- opensource@lemmy.ml
The author addresses the issue.
Perhaps I’m too skeptical and/or have trust issues, but isn’t this too little too late? This issue had been ignored for so long, but suddenly, within 24 hours of this very peculiar find[1], Ventoy’s maintainer goes into full damage-control mode. Should we just accept that?
Sorry, at least for now, I simply don’t buy it.
[1] Spoiler alert: Ventoy’s sister software, called iVentoy, employs a trick that has been utilized for installing compromised kernel drivers.
Quoting directly from the author:
For a long time, I devoted my limited spare time to adding new features and fixing bugs and didn’t get around to considering this.
I hate to break it to you, but it appears the author doesn’t even have the bandwidth to worry about your trust.
The fact remains though: why did they literally go radio silent on this issue for over a year? Like, a simple “I would like to notify everyone that I’m working on this.” would have been sufficient. Was that too much to ask?
Maybe they weren’t working on it.
If with “it” you refer to Ventoy, then I’d like to inform you that they’ve been doing a good job at maintaining it. They’ve even had multiple releases[1] since the (original) issue was opened.
[1] Those being 1.0.98, 1.0.99, 1.1.00, 1.1.01, 1.1.02, 1.1.03, 1.1.04 and 1.1.05. The most recent of these was released on the 24th of February of this year.
I mean the specific issue about the binary blobs. Something that might set off alarm bells for you or a security-focused group may not do so for some dude working on a passion project in his free time.
Thanks for clarifying.
The example sentence could also be something like “I would like to notify everyone that I’m aware of this issue and I intend to start tackling it from <insert date> onwards. Allow me to explain the status quo for … (etc. etc.).” Or whatever sentence you like. The point is not what the exact message is, but an alternative to the absolute radio silence we’ve met.
As for them working on it or not. Clearly, they haven’t worked on it until now. But I don’t understand what was so crucial in the last 8 releases that they couldn’t address this issue instead. Especially, in the aftermath of the XZ utils backdoor. But that’s not the issue I was trying to address with my previous comment. The issue is radio silence. It doesn’t have to set off alarm bells for themselves in order to acknowledge (timely) the concern a chunk of its user base experiences.
meh