TEST

[Radiump123]

Summary by Sourcery

Replace most external CLI dependencies with internal Python implementations for block device, ISO, and system operations, and integrate Windows tweak application, bad-block checking, and locale/theme/language handling more tightly into the GUI and flashing workflows.

New Features:

• Add pure-Python block device utility module for mounting, partitioning, wiping, and imaging devices.
• Introduce a pure-Python ISO9660 reader for listing ISO contents and detection logic.
• Add Windows tweaks application against a known mount point during flashing, with GUI dialog integration and automated application.
• Implement non-root-safe URL opening helper used by GUI windows and dialogs.
• Detect and persist UI language based on system locale with per-user configuration and startup loading.
• Add GUI confirmation dialog before destructive flash operations and improved bad-block check configuration.

Bug Fixes:

• Ensure Windows tweaks are applied while the target partition is still mounted instead of rediscovering USB mounts after unmount.
• Wait for kernel device nodes after writing GPT so formatting does not race partition creation.
• Guard against successful completion when Windows media files were not actually copied to the target.
• Handle write failures from device imaging as False instead of raising exceptions in flash_usb.
• Avoid crashing or returning empty results when sysfs-based USB size/label queries fail, falling back to sensible defaults.
• Fix GPT header CRC calculation to cover only the header size so Linux accepts the partition table.
• Ensure ISO mounting prefers UDF over ISO9660 on Windows ISOs to see the full payload.
• Prevent subprocess-based tools like lsof, fuser, stty, 7z, isoinfo, lsblk, parted, and dd from causing failures by replacing them with safer Python equivalents or dedicated helpers.

Enhancements:

• Refactor Windows flashing pipeline to use shared block_ops helpers for mounting, wiping, partitioning, and syncing, reducing reliance on shell commands.
• Make Windows tweak functions mount-aware, return success flags, and operate directly on boot.wim and autounattend.xml via structured helpers.
• Improve drive unmount/remount and formatting logic to use lazy unmounts, sysfs geometry, and internal partition writers instead of generic tools.
• Persist selected language to disk and reload it on startup/elevation alongside theme, and adjust About/log dialogs for better layout and translations.
• Tighten GUI flow around WinTweaks dialog, verification, progress reporting, and terminal reset handling with additional logging and state use.
• Update project metadata, GitHub links, and About/Update dialogs to the new organization and central URL helper.
• Bundle required system binaries into the AppImage at build time to match standalone behavior.

Build:

• Update AppImage build script to clean PyInstaller output and bundle required external tools into the AppDir binary payload.

Tests:

• Extend and add tests covering Windows tweak mount handling, GPT CRC correctness, partition node waiting, copy verification, ISO mount order, bad-block pass selection, new block_ops utilities, sysfs-backed USB info, ISO detection via pure Python, and browse_freely behavior.
• Adjust existing tests to match new signatures and behaviors for unmount/remount, partition scheme application, flash_usb imaging, find_usb label retrieval, and state annotations.

[sourcery-ai]

Reviewer's Guide

Refactors low-level device, filesystem, and ISO handling to use new pure‑Python helpers instead of external utilities, tightens Windows flashing/tweaks behavior and bad‑block checking, improves GUI UX (language/theme persistence, safer flashing flow, better URL opening), and updates build metadata and tests for the new architecture.

Sequence diagram for updated flashing, bad-block check, and Windows tweaks

sequenceDiagram
    actor User
    participant GUI as LufusWindow
    participant Verify as VerifyWorker
    participant Flash as FlashWorker
    participant Format as formatting.check_device_bad_blocks
    participant WinFlash as windows.flash.flash_windows
    participant Tweaks as windows.tweaks.apply_windows_tweaks

    User ->> GUI: click btn_start
    GUI ->> GUI: start_process()
    alt verify_hash enabled
        GUI ->> Verify: start()
        Verify -->> GUI: int_progress(0..100)
        Verify -->> GUI: verify_done(success)
        GUI ->> GUI: on_verify_finished(success)
    end

    GUI ->> GUI: perform_flash()
    GUI ->> User: QMessageBox (Rufus-style warning)
    alt user cancels
        GUI ->> GUI: abort flash
        GUI -->> User: flash cancelled
    else user confirms
        GUI ->> Flash: start()
    end

    Flash ->> Flash: run()
    alt states.check_bad
        Flash ->> Format: check_device_bad_blocks(passes=states.bad_blocks_passes)
        Format -->> Flash: bool
        alt bad block check failed
            Flash -->> GUI: flash_done(False)
            GUI -->> User: show failure
            note over Flash,GUI: return
        end
    end

    alt Windows ISO and flash mode ISO
        Flash ->> WinFlash: flash_windows(device, iso, scheme,...)
        WinFlash ->> Tweaks: apply_windows_tweaks(mount_data)
        Tweaks -->> WinFlash: bool
        WinFlash -->> Flash: bool
    else DD image mode
        Flash ->> WinFlash: (not called)
    end

    Flash -->> GUI: flash_done(success)
    GUI ->> GUI: on_flash_finished(success)
    GUI -->> User: show result

Loading

File-Level Changes

Change	Details	Files
Introduce pure-Python block and ISO helpers and rewire flashing/formatting/detection code away from external tools (dd, mount/umount, sfdisk/parted, lsblk, 7z/isoinfo).	Add lufus.block_ops with sysfs-based device info, ctypes-based mount/umount and loop handling, GPT/MBR writers, partition reread, superblock wiping, and buffered device imaging with progress callbacks. Add lufus.iso9660 with a pure-Python ISO-9660 directory walker and marker search used for ISO type detection. Update Windows flashing (flash_windows) to use block_ops for mounting, wiping, GPT partitioning, partition-node waiting, device imaging, and syncing, and to verify that Windows media was actually copied before reporting success. Update generic USB flashing (flash_usb) to use write_device_image instead of spawning dd and to return a boolean success indicator on write errors instead of propagating subprocess exceptions. Refactor drive formatting, drive repair, install_ventoy, USB discovery (find_usb), and USB info (get_usb_info) to use block_ops for device size/label, (un)mount, partition table creation, and bad-block geometry probing instead of lsblk, mount/umount, parted/sfdisk, and blockdev.	src/lufus/block_ops.py src/lufus/iso9660.py src/lufus/writing/windows/flash.py src/lufus/writing/flash_usb.py src/lufus/drives/formatting.py src/lufus/drives/find_usb.py src/lufus/drives/get_usb_info.py src/lufus/writing/install_ventoy.py src/lufus/writing/windows/detect.py
Tighten Windows tweaks, bad-block checks, and flashing safety semantics, and adjust application state accordingly.	Refactor Windows tweaks helpers to operate on an explicit mount path, reusing a common boot.wim registry-edit helper with proper success/failure reporting, and add apply_windows_tweaks(mount) to run all selected tweaks against the live target before unmounting. Change flash_windows to call apply_windows_tweaks while the data partition is still mounted and to guard mounting/unmounting via explicit efi_mounted/data_mounted flags. Rework bad-block checking so AppState.check_bad is a bool and AppState.bad_blocks_passes is an explicit int; propagate this through the GUI (checkbox + combo), formatting.check_device_bad_blocks(passes), and the FlashWorker flow including status messaging and re-unmounting. Add verification helpers like _mount_or_raise and _verify_windows_media_copy to avoid silently copying into temp dirs when mounts fail and to ensure Windows markers exist on the target. Fix GPT header CRC computation to respect HeaderSize and add tests to verify Linux-acceptable GPT headers and the new partition-node-waiting behavior after writing GPT tables.	src/lufus/writing/windows/flash.py src/lufus/writing/windows/tweaks.py src/lufus/gui/gui.py src/lufus/gui/workers.py src/lufus/drives/formatting.py src/lufus/state.py tests/test_flash_windows_and_install_ventoy_fixes.py tests/test_formatting.py tests/test_states_and_autodetect_fixes.py
Improve GUI behavior for URL opening, terminal/device cleanup, language/theme persistence, dialogs, and Windows flashing UX.	Add lufus.browse_freely.open_url_non_root and use it in the main window and About dialog to open GitHub/Discord URLs as the original non-root user when running elevated, with fallbacks to webbrowser.open; cover this with unit tests. Add helpers in gui.py to scan /proc for processes using a device, kill them, and reset the terminal using termios instead of external tools (lsof, fuser, stty); integrate these into cancel_process and capture baseline termios at window construction. Persist language changes to a config file, add startup language autodetection based on environment/locale, and ensure both theme and language are loaded before/after elevation while preserving them via environment variables when elevating. Refine dialogs and labels: add a Close button to the log dialog, enlarge and reflow the About dialog with smaller content font and localized OK/Cancel labels for WinTweaks, and add a Rufus-style destructive flash confirmation dialog in perform_flash before starting the flash worker. Fix hash verification UI so progress reaches 100% on completion, clear custom progress text before flashing, and adjust various log messages and state references (flash_mode instead of currentflash, state.* instead of states.*).	src/lufus/browse_freely.py src/lufus/gui/gui.py src/lufus/gui/dialogs.py src/lufus/gui/start_gui.py src/lufus/gui/i18n.py src/lufus/gui/workers.py src/lufus/utils.py tests/test_browse_freely.py
Switch ISO detection and USB info logic to the new helpers and harden error handling.	Reimplement Windows/Linux ISO detection to use the pure-Python ISO-9660 list_files/has_any_file helpers instead of calling 7z/isoinfo, adjusting tests to stub list_files rather than subprocess.run. Change USB info and discovery to rely on block_ops.get_device_size/get_device_label instead of lsblk, and ensure failures in sysfs probing yield sensible defaults (mount basename labels, non-crashing fallbacks) rather than exceptions or empty results. Update tests for get_usb_info, find_usb, and ISO detection to match the new semantics and assert that sysfs failures and list_files(None) paths are handled gracefully.	src/lufus/writing/windows/detect.py src/lufus/drives/get_usb_info.py src/lufus/drives/find_usb.py tests/test_get_usb_info.py tests/test_get_usb_info_and_detect_windows_fixes.py tests/test_find_usb.py tests/test_linux_iso_detection.py
Update build tooling, project metadata, and docs to point to the new GitHub organization and bundle required binaries.	Extend the AppImage build script to run PyInstaller with --clean and bundle external system binaries (mkfs.*, badblocks, wimlib-imagex, chntpw, udevadm, xdg-open) alongside the app. Update pyproject and Briefcase metadata (URLs, bundle ID, author) and all in-app GitHub links to use the Hogjects/Lufus organization. Adjust README badges/links and language CSVs as needed for the new repo and localization keys referenced by the updated GUI.	scripts/build-appimage.sh pyproject.toml README.md src/lufus/gui/gui.py src/lufus/gui/dialogs.py src/lufus/gui/languages/*.csv

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• In launch_gui_with_usb_data, _load_initial_language() is called both before and after elevate_privileges(), which means the post-elevation call may read the root user’s config and overwrite the intended user language; consider only initializing language in the non-root context or guarding the second call appropriately.
• In open_url_non_root, when only SUDO_USER is set you never derive a UID, so XDG_RUNTIME_DIR is left empty; consider resolving the UID for sudo_user (e.g. via pwd.getpwnam) to populate a more accurate environment for GUI apps.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `launch_gui_with_usb_data`, `_load_initial_language()` is called both before and after `elevate_privileges()`, which means the post-elevation call may read the root user’s config and overwrite the intended user language; consider only initializing language in the non-root context or guarding the second call appropriately.
- In `open_url_non_root`, when only `SUDO_USER` is set you never derive a UID, so `XDG_RUNTIME_DIR` is left empty; consider resolving the UID for `sudo_user` (e.g. via `pwd.getpwnam`) to populate a more accurate environment for GUI apps.

## Individual Comments

### Comment 1
<location path="src/lufus/browse_freely.py" line_range="39" />
<code_context>
+
+                # Method 1: Use runuser which is specifically designed for this
+                # We need to preserve the environment for the GUI session
+                env = {
+                    "DISPLAY": os.environ.get("DISPLAY", ":0"),
+                    "XAUTHORITY": os.environ.get("XAUTHORITY", ""),
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Environment for the spawned browser process does not set HOME, which may cause profile or permission issues.

Since many GUI apps depend on `HOME` for profiles and config, relying only on `DISPLAY`, `XAUTHORITY`, `XDG_RUNTIME_DIR`, `WAYLAND_DISPLAY`, and `PATH` risks using root’s home (or none) when running as another user, especially in the `sudo_user` case without `target_uid`. Please also set `HOME` to the target user’s home directory (e.g. `pwd.getpwnam(target_user).pw_dir`) and add it to `env` when available.

Suggested implementation:

```python
import os
import pwd

```

```python
        if target_user:
            try:
                log.info(f"Attempting to open URL as user {target_user} (UID {target_uid}): {url}")

                # Determine the target user's home directory so GUI apps use the correct profile/config
                home_dir = None
                try:
                    home_dir = pwd.getpwnam(target_user).pw_dir
                except KeyError:
                    log.warning("Could not determine home directory for user %s", target_user)

                # Method 1: Use runuser which is specifically designed for this
                # We need to preserve the environment for the GUI session
                env = {
                    "DISPLAY": os.environ.get("DISPLAY", ":0"),
                    "XAUTHORITY": os.environ.get("XAUTHORITY", ""),
                    "XDG_RUNTIME_DIR": os.environ.get(
                        "XDG_RUNTIME_DIR", f"/run/user/{target_uid}" if target_uid else ""
                    ),
                    "WAYLAND_DISPLAY": os.environ.get("WAYLAND_DISPLAY", ""),
                    "PATH": "/usr/local/bin:/usr/bin:/bin",
                    # Ensure HOME is set so GUI apps use the target user's profile and config
                    "HOME": home_dir or os.environ.get("HOME", ""),
                }

                # Filter out empty values
                env = {k: v for k, v in env.items() if v}

```

If `pwd` is already imported elsewhere in this file, adjust the import edit accordingly to avoid duplicate imports (e.g. by adding it to an existing import line instead of introducing a new one).
</issue_to_address>

### Comment 2
<location path="tests/test_browse_freely.py" line_range="11-20" />
<code_context>
+        self.assertEqual(env.get("DISPLAY"), ":0")
+        self.assertEqual(env.get("XDG_RUNTIME_DIR"), "/run/user/1000")
+
+    @patch("os.geteuid")
+    @patch("os.environ.get")
+    @patch("subprocess.Popen")
+    def test_open_url_as_root_via_sudo(self, mock_popen, mock_env_get, mock_geteuid):
+        # Simulate root (UID 0)
+        mock_geteuid.return_value = 0
</code_context>
<issue_to_address>
**suggestion (testing):** Consider using `patch.dict(os.environ, ...)` instead of patching `os.environ.get` to make the tests more realistic and resilient.

Patching `os.environ.get` with a `side_effect` intercepts every env lookup (e.g. `DISPLAY`, `XAUTHORITY`, `XDG_RUNTIME_DIR`), which couples the tests to the exact way `open_url_non_root` reads the environment. Instead, patching `os.environ` via `patch.dict(os.environ, {"PKEXEC_UID": "1000", ...}, clear=False)` (and similarly for the sudo case) more accurately reflects real usage and keeps the tests resilient to internal changes in environment access.

Suggested implementation:

```python
    @patch("os.geteuid")
    @patch("subprocess.Popen")
    @patch("pwd.getpwuid")
    def test_open_url_as_root_via_pkexec(self, mock_getpwuid, mock_popen, mock_geteuid):

```

```python
        # Mock environment variables
        env_overrides = {
            "PKEXEC_UID": "1000",
            "DISPLAY": ":0",
            "XDG_RUNTIME_DIR": "/run/user/1000",
        }

        with patch.dict(os.environ, env_overrides, clear=False):
            open_url_non_root(self.url)

        # Mock pwd info

```

1. Apply a similar refactor to the `test_open_url_as_root_via_sudo` test: remove any `@patch("os.environ.get")` decorator and associated `mock_env_get` parameter, and replace any `side_effect`-based environment mocking with a `with patch.dict(os.environ, {...}, clear=False):` block that sets the sudo-related variables your production code expects (e.g. `SUDO_USER`, `DISPLAY`, `XDG_RUNTIME_DIR`, etc.), wrapping the `open_url_non_root(self.url)` call in that context.
2. If there are other tests in this file that also patch `os.environ.get`, consider converting them to `patch.dict` in the same way to keep the test suite consistent and resilient to internal environment access changes.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (testing): Consider using patch.dict(os.environ, ...) instead of patching os.environ.get to make the tests more realistic and resilient.

Patching os.environ.get with a side_effect intercepts every env lookup (e.g. DISPLAY, XAUTHORITY, XDG_RUNTIME_DIR), which couples the tests to the exact way open_url_non_root reads the environment. Instead, patching os.environ via patch.dict(os.environ, {"PKEXEC_UID": "1000", ...}, clear=False) (and similarly for the sudo case) more accurately reflects real usage and keeps the tests resilient to internal changes in environment access.

Suggested implementation:

    @patch("os.geteuid")
    @patch("subprocess.Popen")
    @patch("pwd.getpwuid")
    def test_open_url_as_root_via_pkexec(self, mock_getpwuid, mock_popen, mock_geteuid):

        # Mock environment variables
        env_overrides = {
            "PKEXEC_UID": "1000",
            "DISPLAY": ":0",
            "XDG_RUNTIME_DIR": "/run/user/1000",
        }

        with patch.dict(os.environ, env_overrides, clear=False):
            open_url_non_root(self.url)

        # Mock pwd info

1. Apply a similar refactor to the test_open_url_as_root_via_sudo test: remove any @patch("os.environ.get") decorator and associated mock_env_get parameter, and replace any side_effect-based environment mocking with a with patch.dict(os.environ, {...}, clear=False): block that sets the sudo-related variables your production code expects (e.g. SUDO_USER, DISPLAY, XDG_RUNTIME_DIR, etc.), wrapping the open_url_non_root(self.url) call in that context.
2. If there are other tests in this file that also patch os.environ.get, consider converting them to patch.dict in the same way to keep the test suite consistent and resilient to internal environment access changes.

[Radiump123]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 2 issues

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="src/lufus/gui/i18n.py" line_range="29-38" />
<code_context>
+    Falls back to English if detection fails or no match is found.
+    """
+    try:
+        loc = locale.getdefaultlocale()
+    except Exception:
+        loc = (None, None)
</code_context>
<issue_to_address>
**suggestion:** Using `locale.getdefaultlocale()` may be problematic going forward due to deprecation; consider an alternative approach.

`locale.getdefaultlocale()` is deprecated in recent Python versions and may be removed. Since only the language is needed, consider alternatives such as `locale.getlocale()[0]`, `os.environ.get("LANG")`, or `locale.setlocale(locale.LC_CTYPE, "")` followed by `locale.getlocale()` to avoid relying on a deprecated API.

```suggestion
def detect_system_language() -> str:
    """Detect the system locale and return the matching language name.

    Falls back to English if detection fails or no match is found.
    """
    try:
        # Ensure locale is initialized from the environment, then read current locale.
        locale.setlocale(locale.LC_CTYPE, "")
        loc = locale.getlocale()
    except Exception:
        loc = (None, None)

    lang_code = (loc[0] or "") or os.environ.get("LANG", "")
```
</issue_to_address>

### Comment 2
<location path="tests/test_flash_usb_and_find_usb_fixes.py" line_range="148-149" />
<code_context>
                 pass

         class FakePipe:
-            def readline(self):
+            def read(self, n=-1):
                 return b""

</code_context>
<issue_to_address>
**suggestion (testing):** Strengthen the fake stderr pipe to assert that `read` is called with the expected chunk size (4096).

`FakePipe.read` currently ignores `n` and always returns `b""`, so the test doesn’t verify that `process.stderr.read(4096)` is actually called with the intended chunk size. Consider recording the passed-in `n` (e.g., `self.last_n = n`) and asserting it is `4096` (or at least `> 0`) after the call to catch regressions like switching back to `readline()` or changing the chunk size.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (testing): Strengthen the fake stderr pipe to assert that read is called with the expected chunk size (4096).

FakePipe.read currently ignores n and always returns b"", so the test doesn’t verify that process.stderr.read(4096) is actually called with the intended chunk size. Consider recording the passed-in n (e.g., self.last_n = n) and asserting it is 4096 (or at least > 0) after the call to catch regressions like switching back to readline() or changing the chunk size.

[Radiump123]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 1 issue

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="src/lufus/gui/i18n.py" line_range="34-41" />
<code_context>
+    Falls back to English if detection fails or no match is found.
+    """
+    try:
+        # Ensure locale is initialized from the environment, then read current locale.
+        locale.setlocale(locale.LC_CTYPE, "")
+        loc = locale.getlocale()
+    except Exception:
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Calling `locale.setlocale` here mutates global process state and may have unintended side effects.

`locale.setlocale(locale.LC_CTYPE, "")` here mutates the global locale and can unexpectedly impact formatting/parsing and libraries that depend on locale (e.g. Qt). If you only need to detect the system locale, prefer `locale.getdefaultlocale()` or environment variables (e.g. `$LANG`) without changing the active locale, or temporarily change it and immediately restore the original value.

```suggestion
    try:
        # Read the system locale without mutating global locale state.
        loc = locale.getdefaultlocale()
    except Exception:
        loc = (None, None)

    # Fallback to the process locale if the default locale could not be determined.
    if not loc or not loc[0]:
        try:
            loc = locale.getlocale()
        except Exception:
            loc = (None, None)

    lang_code = (loc[0] or "") or os.environ.get("LANG", "")
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Radiump123]

broke smth i think

[Radiump123]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• open_url_non_root() unconditionally calls os.geteuid(), which will raise on platforms without that API (e.g. Windows); consider guarding this with hasattr/os.name checks or a try/except and treating such platforms as non-root so the function safely falls back to webbrowser.open.
• _load_initial_language() swallows all exceptions and may leave state.language unset or stale; it would be safer to explicitly default to 'English' (or another known language) when detection/persistence fails so the GUI always has a predictable language value.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- open_url_non_root() unconditionally calls os.geteuid(), which will raise on platforms without that API (e.g. Windows); consider guarding this with hasattr/os.name checks or a try/except and treating such platforms as non-root so the function safely falls back to webbrowser.open.
- _load_initial_language() swallows all exceptions and may leave state.language unset or stale; it would be safer to explicitly default to 'English' (or another known language) when detection/persistence fails so the GUI always has a predictable language value.

## Individual Comments

### Comment 1
<location path="src/lufus/browse_freely.py" line_range="43-55" />
<code_context>
+
+                # Method 1: Use runuser which is specifically designed for this
+                # We need to preserve the environment for the GUI session
+                env = {
+                    "DISPLAY": os.environ.get("DISPLAY", ":0"),
+                    "XAUTHORITY": os.environ.get("XAUTHORITY", ""),
+                    "XDG_RUNTIME_DIR": os.environ.get(
+                        "XDG_RUNTIME_DIR", f"/run/user/{target_uid}" if target_uid else ""
+                    ),
+                    "WAYLAND_DISPLAY": os.environ.get("WAYLAND_DISPLAY", ""),
+                    "PATH": "/usr/local/bin:/usr/bin:/bin",
+                    # Ensure HOME is set so GUI apps use the target user's profile and config
+                    "HOME": home_dir or os.environ.get("HOME", ""),
+                }
+
</code_context>
<issue_to_address>
**suggestion:** Environment for `runuser` may be missing session-related variables needed by some desktop environments.

For `xdg-open` via `runuser`, some DEs (especially under Wayland) also depend on `DBUS_SESSION_BUS_ADDRESS` and similar session vars. Consider propagating it when present, for example:

```python
env = {
    "DISPLAY": os.environ.get("DISPLAY", ":0"),
    "XAUTHORITY": os.environ.get("XAUTHORITY", ""),
    "XDG_RUNTIME_DIR": os.environ.get(
        "XDG_RUNTIME_DIR", f"/run/user/{target_uid}" if target_uid else ""
    ),
    "WAYLAND_DISPLAY": os.environ.get("WAYLAND_DISPLAY", ""),
    "DBUS_SESSION_BUS_ADDRESS": os.environ.get("DBUS_SESSION_BUS_ADDRESS", ""),
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": home_dir or os.environ.get("HOME", ""),
}
```
This reduces cases where `xdg-open` fails under certain desktop environments.

```suggestion
                # Method 1: Use runuser which is specifically designed for this
                # We need to preserve the environment for the GUI session
                env = {
                    "DISPLAY": os.environ.get("DISPLAY", ":0"),
                    "XAUTHORITY": os.environ.get("XAUTHORITY", ""),
                    "XDG_RUNTIME_DIR": os.environ.get(
                        "XDG_RUNTIME_DIR", f"/run/user/{target_uid}" if target_uid else ""
                    ),
                    "WAYLAND_DISPLAY": os.environ.get("WAYLAND_DISPLAY", ""),
                    # Propagate DBUS session bus so xdg-open works under more DEs/Wayland sessions
                    "DBUS_SESSION_BUS_ADDRESS": os.environ.get("DBUS_SESSION_BUS_ADDRESS", ""),
                    "PATH": "/usr/local/bin:/usr/bin:/bin",
                    # Ensure HOME is set so GUI apps use the target user's profile and config
                    "HOME": home_dir or os.environ.get("HOME", ""),
                }
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Radiump123]

Dgaf about windows lmao

[Radiump123]

and Hogjects#184, too

[Radiump123]

Gonna test the new DVD stuff later w/ my thinkPad

[Radiump123]

I think I fixed Hogjects#206

[sourcery-ai]

New security issues found

[sourcery-ai]

security (python.lang.security.audit.dangerous-subprocess-use-audit): Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

Source: opengrep

[Radiump123]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 1 security issue, 1 other issue, and left some high level feedback:

Security issues:

• Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)

General comments:

• The block device wiping logic is now duplicated between block_ops.wipe_superblock and the manual per-partition zeroing in drives/formatting._format_device; consider centralizing this into a single helper in block_ops to avoid divergent behavior and make future changes easier.
• In block_ops.umount, all umount2 failures are logged as warnings; you may want to special-case benign errors such as EINVAL/ENOENT ("not mounted") to avoid noisy logs when unmounting already-unmounted paths.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The block device wiping logic is now duplicated between `block_ops.wipe_superblock` and the manual per-partition zeroing in `drives/formatting._format_device`; consider centralizing this into a single helper in `block_ops` to avoid divergent behavior and make future changes easier.
- In `block_ops.umount`, all `umount2` failures are logged as warnings; you may want to special-case benign errors such as `EINVAL`/`ENOENT` ("not mounted") to avoid noisy logs when unmounting already-unmounted paths.

## Individual Comments

### Comment 1
<location path="src/lufus/drives/formatting.py" line_range="70-75" />
<code_context>
+        if umount_lazy(target):
</code_context>
<issue_to_address>
**issue (bug_risk):** New unmount logic can silently treat real umount failures as benign

Previously, `unmount()` treated exit code 32 as “not mounted” but aborted on other umount failures (e.g. EBUSY, EPERM). Now any `umount_lazy(target)` failure is logged as “already unmounted or not a mount” and processing continues, even when the real error is serious.

This can hide conditions like `EBUSY` or `EPERM`, so later steps (e.g. formatting/partitioning) may run while the device is still mounted. Please have `umount_lazy` expose the underlying error (e.g. via errno or a richer return type) so `unmount()` can still distinguish “not mounted” from real failures and abort or retry as before.
</issue_to_address>

### Comment 2
<location path="src/lufus/writing/windows/flash.py" line_range="37" />
<code_context>
        return subprocess.run(cmd, check=check, shell=False)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): New unmount logic can silently treat real umount failures as benign

Previously, unmount() treated exit code 32 as “not mounted” but aborted on other umount failures (e.g. EBUSY, EPERM). Now any umount_lazy(target) failure is logged as “already unmounted or not a mount” and processing continues, even when the real error is serious.

This can hide conditions like EBUSY or EPERM, so later steps (e.g. formatting/partitioning) may run while the device is still mounted. Please have umount_lazy expose the underlying error (e.g. via errno or a richer return type) so unmount() can still distinguish “not mounted” from real failures and abort or retry as before.

[sourcery-ai]

security (python.lang.security.audit.dangerous-subprocess-use-audit): Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

Source: opengrep

[Radiump123]

HOLY-

[Radiump123]

and theres a bug when i cancel it crashes

[Radiump123]

@sourcery-ai review

[sourcery-ai]

Sorry @Radiump123, your pull request is larger than the review limit of 150000 diff characters

[SourceryAI]

Sorry @Radiump123, your pull request is larger than the review limit of 150000 diff characters

[Radiump123]

Sorry @Radiump123, your pull request is larger than the review limit of 150000 diff characters

sigh
ok I'll find another way...

[Radiump123]

• P1 src/lufus/writing/install_ventoy.py:183: install_grub() never formats the EFI partition before mounting
  it as vfat, and it does not check whether block_mount() succeeded. A freshly written GPT partition at
  efi_part has no FAT filesystem, so GRUB installation either fails later or writes into the temporary
  directory instead of the USB. Add mkfs.vfat for efi_part and use a checked mount helper before setting
  efi_mounted = True.
• P1 src/lufus/block_ops.py:654: write_device_image() assumes os.write() writes the entire chunk. Short
  writes are allowed, and the current code increments written by len(chunk) while discarding any unwritten
  tail, so image flashing can silently corrupt the target and still return success. Loop on os.write() until
  the whole chunk is written, counting the actual returned byte count.
• P2 src/lufus/drives/formatting.py:346: partition cleanup uses glob(f"{raw_device}[0-9]*"), which misses
  NVMe/MMC partition names like /dev/nvme0n1p1 and /dev/mmcblk0p1. That leaves signatures/mounts behind for
  those USB devices and can make formatting fail or race udev. Use the same partition-path handling as
  elsewhere, or glob both numeric and p[0-9] suffixes.
• P2 src/lufus/writing/windows/flash.py:340: _verify_windows_media_copy() checks sources case-sensitively,
  while the rest of the Windows ISO handling is case-insensitive. A valid ISO copied as SOURCES would be
  reported as failed after the copy. Use _find_path_case_insensitive(mount_data, "sources").

GPT-5.5's review...

Gotta look at that...

[Radiump123]

Will review my changes later.

[Radiump123]

" 1. [Security] MITM Risk: Unverified Binary Download
In src/lufus/writing/windows/flash.py, the function find_uefi_ntfs_img downloads a binary image from a
hardcoded GitHub URL if it is missing from the local environment.

• Vulnerability: The constant _UEFI_NTFS_SHA256 is currently an empty string. This disables SHA-256
  verification, allowing a Man-In-The-Middle (MITM) attacker or a compromised GitHub repository to serve a
  malicious uefi-ntfs.img which the application will then write to the user's EFI partition and execute
  during boot.
• Recommendation: Pin the expected SHA-256 hash in _UEFI_NTFS_SHA256 and never ship the application with an
  empty hash.

2. [Bug] Windows Tweak Conflict: autounattend.xml Overwrite
   In src/lufus/writing/windows/tweaks.py, both win_local_acc_name and win_skip_privacy_questions write to the
   same autounattend.xml file.

• Issue: If a user selects both "Create Local Account" and "Skip Privacy Questions," the
  apply_windows_tweaks function calls win_local_acc_name first, followed by win_skip_privacy_questions. The
  latter completely overwrites the XML file, discarding the local account configuration.
• Recommendation: Refactor these functions to modify an existing XML structure (using
  xml.etree.ElementTree) rather than overwriting the file with hardcoded templates, or ensure only one
  "master" template is used.

3. [Bug] Incomplete Cleanup in FlashWorker
   In src/lufus/gui/workers.py, the FlashWorker.run method unmounts partitions before starting a "Format Only"
   operation (index 3).

• Issue: If the formatting operation (fo.disk_format) fails, the code enters the else block which logs the
  error but does not remount the partitions. This leaves the user's drive in an unmounted state without an
  easy way to restore it through the UI.
• Recommendation: Move the remounting logic to a finally block or ensure it is called in all failure paths
  where the operation was intended to be non-destructive (like a failed format-only).

4. [Bug] Potential Infinite Loop/Crash in ISO9660 Parser
   In src/lufus/iso9660.py, the _walk_dir and _DirRecord classes lack rigorous boundary checks.

• Issue: If a malformed or malicious ISO contains a directory record that claims a length extending beyond
  the current 2048-byte sector buffer, struct.unpack_from or the record offset logic could raise IndexError
  or struct.error, crashing the GUI thread.
• Recommendation: Add checks to ensure offset + dr_len never exceeds the buffer size before attempting to
  parse a record.

5. [Bug] Hardcoded Architecture in Windows Tweaks
   In src/lufus/writing/windows/tweaks.py, the autounattend.xml templates have processorArchitecture="amd64"
   hardcoded.

• Issue: If a user attempts to use these tweaks with a Windows ARM64 ISO, the installation will likely fail
  as the architecture mismatch in autounattend.xml will be rejected by the Windows installer.
• Recommendation: Detect the ISO architecture (e.g., by checking for sources/install.wim contents or
  specific EFI bootloader paths) and inject the correct architecture string.

6. [UX/Logic] Mount Point Path Traversal
   In src/lufus/writing/windows/flash.py, mount_iso constructs a mount path using os.path.join("/mnt/iso",
   iso_name_without_extension).

• Issue: If an ISO is named ..iso, os.path.splitext returns .. as the name. os.path.join("/mnt/iso", "..")
  resolves to /mnt. The application would then attempt to mount the ISO over /mnt, potentially hiding other
  mounted drives or causing system instability.
• Recommendation: Sanitize the ISO filename used for the mount point to prevent directory traversal or
  reserved names.

7. [Risk] Aggressive Process Killing
   The _kill_processes_using_device function in src/lufus/gui/gui.py uses os.kill(pid, 9) (SIGKILL) on any
   process holding the device open.

• Issue: This is extremely aggressive and could kill system-critical daemons (like udisksd or gvfsd) if
  they happen to be probing the device at the moment of cancellation. This can lead to desktop environment
  instability.
• Recommendation: Attempt a SIGTERM first, wait briefly, and only use SIGKILL as a last resort, or better
  yet, use udisks via DBus to request a safe unmount/eject.
  "

Gemini 3.5 Flash this time, gonna look at it.

[Radiump123]

Ok, I again fucking broke WinTweaks, I'm calling Jesus...

[Radiump123]

Tested wintweaks, and they don't actually apply btw, gotta test that.