ventoy/PXE

Trust questions: Not fully open source and requires root

Opened this issue · 5 comments

Hi,

Just found out about iVentoy which seemed very promising. Until I tried to start it and it said:

$ ./iventoy.sh
Please use sudo or run the script as root

So I've got three major doubts about this program which stopped me from running it for now:

  1. It is not fully open source.
  2. It requires to start the program with elevated privileges.
  3. Ultimately, it is developed in China, which becomes a problem because of the two previous points and the security risks involved with this country, known to hack basically anything that can be hacked.

I'm not the only one thinking that way as the most upvoted answer warns about it here: https://www.reddit.com/r/selfhosted/comments/14ifnii/iventoy_is_out_now_ease_of_ventoy_with_just_on_pxe/ and the most upvoted answer to it says "Too many red flags for my self hosted environment. I'll keep an eye on it but I won't install it until a lot of that changes" and has almost as many upvotes.

So I've seen there was a paid version which might explain why it isn't fully open source. However I don't imagine people using such a tool recompiling it or using unofficial sources just to avoid paying a reasonable price of $49 when needing the pro version.

So, why is it not open source?
And why does this need elevated privileges? For example game servers provide listening services that don't require root privileges at all and have been working well for years that way.
And how can we trust this program to not add backdoors or other unwanted scripts/programs to the hosting system or to machines installed using it?

Thank you

I have the same concerns myself. And I run it, containerized and isolated :)
It's good to know the dev also has worked on the Ventoy software as well as iVentoy, and that there are a lot of pre-existing forums and experience with his work around that project perhaps? Obviously that's not a 100% guarantee about this totally different project, but it's nice to have a different angle to get your info perhaps?

I agree with @thestraycat: tread cautiously, isolate in Docker, close all the WAN ports iVentoy uses and you should be OK.

+1

Another thing is, I really do not understand why ARM binaries are part of Pro and x86 ones are not.

If I take it from a business overview:

Every company where I work and may use this software already has some x86 server, either an ESXi host or Proxmox or XCP-ng, so they do not need to pay, because x86 is available for them.

On the other side, every home user like me or my friends does not have a server room at home, so we mostly use a Raspberry Pi or similar cheap SoC devices. And for us, as hobby users, the binaries are not available, and because of the lack of source code we cannot even build them.

So it is a little bit tricky: for a company where 50 USD is one hour's salary for a programmer the free version is available, but for a geek at home it is paid.

I run it on x86 in a container... But I get where you're coming from.

You may isolate it but you still have to trust it to install your new OS.