something something snap package
Not a proprietary blob unless you install proprietary software
I’m mentioning the “proprietary backend” drama around snaps. Not that I care too much, anyway. I use lots of proprietary software daily
It isn’t a “proprietary back end” it is what Stallman calls Service as a Software Substitute. (SaaSS) It wouldn’t matter if they claimed it was completely foss. You are still using a foreign service you don’t control.
With a package manager that is sort of unavoidable though. In the case of snaps you could always modify the source to have a different repo. The real reason not to use snaps is all the other issues.
Fair point. Just to be clear: I am NOT a developer, so I may be very wrong on that take.
But from what I understand, the difference from what snaps does to what traditional packages does is that the Canonical repos are hard coded in it, thus making it harder to decentralise, and that’s not very in line with what many wish for a FOSS ecosystem.
If the working conditions don’t change computers will become a ball and chain Then deemed useless.
Or not.
I’m something of a proprietary blob myself.
You should open sauce!
You can get my source code but good luck compiling it.
9 month compile time?? We’ve gotta get these numbers down
Just multithread. If you get nine people pregnant you can have a baby in one month, right?
Ayy, not that fast, their blob is licensed under the BSL, get to know them a while first
Linux moment
nvidia?
And here I am, marking unfree software as installable as the first thing I do on any distro.
I love OSS but I won’t sacrifice my experience just to go fully libra. Sometimes it just doesn’t make sense. I’m glad it’s an option for people who do want that though
I’ll absolutely take FLOSS if I can get it, but failing that, FOSS is still a nice improvement over closed-source software.
What does the L stand for
Libre, which is synonymous with free.
I think it’s more free in some way? I’m not sure, but I think it means free as in doesn’t cost anything. Whereas FOSS means free as in open and modifiable, but the maintainer(s) might still charge for it.
I think those are backwards
I thought they might be… you’re probably right.
Its French for “free”, as in freedom. Free is ambiguous and can also mean free of charge.
It’s good that it’s opt in
The NixOS default config has allowUnfree set to false, so it’s not always opt-in
Oh, agreed. There are definitely people who can live without unfree software. Me, I can’t do without Steam and Lutris.
Ventoy?
Just open source blobs instead of proprietary blobs
Took them over a year to say anything? I have since just gone back to burning single drives and honestly it’s fine. Ventoy was convenient but taking a year to respond to a genuine concern is crazy.
I’m going to guess you’ve never been part of a project with complexity and sheer black magic fuckery comparable to Ventoy. The developer (a singular person) had to make a choice between:
- Pandering to a small group of vocal open-source extremists, dedicating a large part of their time to changing the incredibly complex build process to also build the binaries of other open-source projects, potentially at the cost of stability, eventually arriving at a product with the same feature set, pleasing some open-source extremists, but still receiving criticism for “taking a year to respond to a genuine concern”; or
- Not doing that and focusing their effort on stability and compatibility fixes to arrive at an improved product.
I’ve read the original issue thread front to back, and it’s a fucking clown show. I can’t blame the developer for not wanting to engage with those people. Nobody is entitled to the developer’s time or attention. Right now the issue is being worked on, which is more than most of the whiners can say about themselves; if you think that’s still insufficient, do better.
taking a year to respond to a genuine concern
I don’t think a simple statement of “I see your concern, I’ll address it when I have time” is really that hard for one person to issue when the alternative is, as you’ve said, letting “a fucking clown show” fester on. It would’ve made my worries go away if the developer had said literally anything instead of radio silence for a year. Sure, no one is entitled to a developers time or attention. That developer is also not entitled to my trust or recommendation to others when a serious issue was swept under the rug for over a year. There’s no doing better when it comes to a matter of personal opinion on how a situation was handled.
There is also a new community fork to get rid of the blobs and bad cert loading. The ventroy dev has made a bunch of concerning choices so some people hard forked the code. I forgot where is was though.
Is this the one you’re talking about? https://github.com/fnr1r/ventoy-cpio
That’s the one
oh wow that really put the trust back into Ventoy. Nice! Thanks for the link
Happened after a partner product in the Ventoy repo was found to have a pretty major vulnerability due to a… you guessed it, pre-compiled supply chain attack.
just started using this for the first time, Is it still ok to use?
Yes, but people have concerns. Ventoy is fully open-source, but the build process pulls binary blobs (compiled executables, think of them like blob chips) from other F/OSS projects, which is an issue for some people. They have legitimate concerns about trusting Ventoy because they have to implicitly trust the projects that Ventoy pulls from but can’t verify what is getting pulled. If such a project were to become compromised (the way XZ-Utils was), it would eventually spread to Ventoy.
That being said, the developers (or singular developer, not sure) are taking steps to reduce Ventoy’s dependency on external blobs. It’s a difficult task and they have limited resources, but they have acknowledged that it is an issue and are working on a solution.
If such a project were to become compromised (the way XZ-Utils was), it would eventually spread to Ventoy.
What a lot of people don’t know is that the XZ attack entirely relied on binary blobs: Partially in the repo as binary test files, and partially in only the github release (binary).
If someone actually built it from source, they weren’t vulnerable. So contrary to some, it wasn’t a vulnerability that was in plain view that somehow passed volunteer review.
This is why allowing binary data in open-source repos should be heavily frowned upon.
I don’t believe iVentroy (PXE tool) is fully foss but I could be wrong.
Yea it’s fine.
From memory the blob everyone was complaining about was related to eufi and came from Fedora.
Except for the part where it completely nullifies secure boot…
Fine if you don’t care about that but it caused a lot of security issues in the enterprise
Off topic, but I’d never heard of Ventoy before and looking at it now, holy shit, I wish I’d known about it sooner.
Ah yes, telegram
Unzips my ghidra 😏
Noice!
I can only recommend Guix system 👍
