this post was submitted on 17 Sep 2024
449 points (99.1% liked)

Open Source

31366 readers
64 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 2 months ago (4 children)

I haven't read to far into this but the issue is completely devoid of contributors and maintainers. I find the wording of the issue quite concerning:

Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP

There is no reason to have those not be build in the release process. Of course it's convenient, they are prebuild, it's fast and nobody has a problem with it.

Recent events however showed that these BLOBs can contain everything and nothing. The build instructions would not produce the exact same executable for everyone. It's better to have GitHub build it on-push and use them out of the build cache.

I would do it myself, but unfortunately I'm not familiar enough with the Ventoy build process to actually do it. I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

Thank you for reading this and I hope for a productive conversation

This is free software, they don't owe you anything and this kind of language sounds angry and entitled. You can't just Gordon Ramsay on someone else's codebase.

[–] [email protected] 9 points 2 months ago (1 children)

I cannot fathom what in this issue description gives rise to your concern. It’s worded very calmly, clearly explaining why the author thinks these BLOBs shouldn’t be there, expressing an understanding that it’s not a top priority and even closing with a thank you.

[–] [email protected] -1 points 2 months ago* (last edited 2 months ago) (1 children)

Is this not rude:

I checked the code and I’m appalled. There are more BLOBs than source code

And this:

I understand that removing BLOBs isn't a priority over new and shiny features. But due to recent events, this should be rethought.

We didn’t like it when MS made an issue trying to direct ffmpeg

They should have opened with a complement or asked for directions if they didn’t know. In this message “Thank You” means fuck all

[–] [email protected] 1 points 2 months ago (1 children)

Is this not rude:

I checked the code and I’m appalled. There are more BLOBs than source code

No. The commenter is voicing their own feelings and explains why they have them. There is neither blaming nor rudeness here.

And this:

I understand that removing BLOBs isn’t a priority over new and shiny features. But due to recent events, this should be rethought.

It would have been nice if you had explained why you think this is rude. The author expresses understanding that the maintainers’ priorities don’t align with the author’s. This seems to be an uncontroversial statement to me.

Then the author explains (I agree, it’s more a hint than an explanation) why they think the priorities should be changed. In my view their argument is sound. Again, there is no blaming or rudeness here.

They should have opened with a complement

I assume you mean “compliment”.

I’ve often heard of the “sandwich technique” – start with a compliment, then voice criticism, end with another positive thing. I find this is an appropriate procedure when voicing open feedback, that is, good things and bad things. However, this is a Github issue. Its whole point is to point out a perceived problem, not to give the maintainers a pat on the back or thank them.

[–] [email protected] 1 points 2 months ago (1 children)

I don't understand how "appalled" being strong language is so controversial, maybe everyone here is just a rude little shit.

I would have worded it like so:

Hi, I'm concerned about the BLOBs used in this repo as they are a security risk, making the code less auditable. It looks like we could generate these BLOBs in a github action or something so we can keep the fast build process while making it easier to audit the code. I'm not exactly sure how to go about this myself but I've done similar things in other projects, maybe you could point me in the right direction as I am unfamiliar with the ventoy build process? Thanks for the really cool project, and hopefully we can sort this out easily. Looking forward to your response.

I did it with less anger and entitlement and in less words

[–] [email protected] 1 points 2 months ago (1 children)

maybe everyone here is just a rude little shit.

Or maybe you’re just a snowflake that can’t handle criticism.

[–] [email protected] 4 points 2 months ago (1 children)

I mean the author has simply ignored this issue. If you look into it there are a few that people simply do not know how to generate, so without the maintainer it's impossible to make a PR solving this.

[–] [email protected] 2 points 2 months ago (1 children)

Actually you can and should Gordon Ramsey all over it. It is the duty of audience members to express how they feel honestly about the artwork.

Open Source can and do understand that and open source software becomes better for it.

[–] [email protected] 1 points 2 months ago (1 children)

I’m not saying don’t criticise it. It’s about communication. The language isn’t very good. See my other comments

[–] [email protected] 1 points 2 months ago

Yes, that's users for you. A diverse bunch and many lacking in basic politeness. But you just have to listen to whiney users. You just have to... and figure it out if you want to make world class software.