Discussed yesterday in !opensource@lemmy.ml:

Ventoy source code contains some unknown BLOBs, still no word on the issue from the dev after months

The amount of advertising for this tool in recent times is starting to look a lot like astroturfing.

Not my post btw, just sharing the link :)

Sorry for the reddit link, I don’t know of a mirror. This was posted just today, running on an EeePC:

https://www.reddit.com/r/unixporn/comments/1fitgri/labwc_pimp_your_10_inches_laptop_with_alpine_linux/

https://github.com/thias/glim

The binaries in question are various GNU and FOSS tools from elsewhere, not part of the Ventoy project itself. So no, the Ventoy author does not own the copyright of the tools in question.

So your approach to security is that you cross your fingers and hope?

Ventoy has a lot of work to do if they want to earn our trust:

Remove BLOBs from the source tree #2795

This ticket has been open now for 5 months with no engagement from the maintainer.

Your install media and anything that modifies your EFI partition or UEFI firmware settings needs to be the most trusted part of your system. And here is Ventoy, a tool that looks open source and then includes a large number of binary blobs in its repository, with no indication of how they were compiled. This is horrible security practice and for me that’s enough for me to never use it.

You can also see a discussion on the subject on HN here: https://news.ycombinator.com/item?id=40689629

A much better alternative, if you want a multi-boot USB, is GLIM: https://github.com/thias/glim

It’s just a collection of Grub configs, so very simple and easy to audit.

I used Ubuntu from version 8.04 to 18.04 and not once did I have a successful upgrade between major versions. There is always something that gets broken to the point that a reinstall is necessary.

(Federated) email didn’t survive. It got completely subsumed by the major providers who now have control over everything email related. It’s now impossible to run your own email server since none of the major providers will deliver your email without your mail server having first built a reputation.

The fediverse analogy would be if 99.9999% of users were on Threads and you couldn’t interact with any of those users from any of the small independent fediverse servers. Frankly, that’s exactly what it looks like is happening.

It’s not reading the contents of RAM via EM emanations, it’s using the EM emanations caused by certain memory access patterns as a side channel to exfiltrate data. Of course, that data could be anything, including whatever is in RAM, but the point is that you need to be running the code that generates the necessary memory access patterns to transmit the bits of data. This is not like TEMPEST where you can reconstruct a video display just using the emanations.

If it was plausible this would be bigger news. There’s a claim like this every couple of months and none have held up to scrutiny so far.

7

!esolangs@programming.dev

I know my real age, I have a birth certificate.

Are you using the Import/Export Settings buttons in the settings page?

If you can reproducibly crash an instance then you should definitely file this as an urgent security issue in the lemmy repo so it can be fixed: https://github.com/LemmyNet/lemmy/issues

I can see that you’ve taken on a lot of the feedback from previous comments threads. This is great! Thank you.

And thank you for open sourcing it.

Question: I was using Quiblr before without logging in. If I sign up an account now and log in, will it transfer my locally stored data into the account to keep the recommendation (see more/see less) settings?

Are you one of the three proposers mentioned in the git repository?

closest current one I can find is

⛥

or

⬠

I think for now Forgejo is a drop-in replacement. However since they are a hard-fork, at some point in the future they will diverge enough to be mutually incompatible, so the clock is ticking on migrating.