I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.
I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.
Is that any different from no one checking the code every update?
The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.
There’s also the fact that if you want to ship binaries, you can just wget them from source during the build process. Not a perfect solution but much better than what’s ventoy doing. The source code updates works the same in every project because it has to. That’s why this is drawing more attention.
That’s ok if we are talking about malware publicly shown in the published source code… but there’s also the possibility of a private source-code patch with malware that it’s secretly being applied when building the binaries for distribution.
This is why it’s important for builds to be reproducible, any third party should be able to build their own binary from clean source code and be able to obtain the exact same binary with the same hash. If the hashes match, then you have a proof of the binary being clean.