20 comments

[ 3.4 ms ] story [ 43.4 ms ] thread
Nice that the community is addressing this. I was never able to trust Ventoy in the past, and as such still have a wide array of USB sticks to install Linux flavors with.
For installation I have had to drop back to a normal single-image USB stick before now because the installer became confused by the EFI partition presented by the unpacked ISO and anything found/not on the target drives.

Ventoy is very handy for running things live though, and not all installers/situations are affected by this (and there they are, it isn't really ventoy's fault).

I just use an enclosure that emulates a dvd-drive. Put a cheap SATA ssd in there and you can stop worrying about incompatibilities.
doesn't it have firmware? :)
I have a bunch of network-bootable installers set up on my DHCP server. If I want to install a new machine I simply set it to boot from the network. From there I can just select whichever distro I want. I also added some utils like Memtest86
FWIW "blob" isn't an acronym. It refers metaphorically to an amorphous ball of goop. In databases only, it has been backronymed to "binary large object".
Or where the LOB types could actually be text ([N]NVARCHAR(MAX) in SQL Server, or the deprecated [N]TEXT in the same), I refer to them as Bloody Large OBject.

Or if you don't like blobs but do like recursive acronyms: Bloody Large Odious BLOB.

I really like Ventoy and use it and I’m just not worried about getting attacked with it on my personal homelab.

It just works really well.

I used Ventoy for a long time with various distros and even Windows, but for some reason it didn’t work with Arch (btw). I had to use a separate USB thumbdrive just for it.
I'll believe it when it happens. The maintainer hasn't done much regarding this for over 5 years. There are issues raised about this back in 2020 and not much has changed. It just seems suspicious to me. But I might be paranoid.

I'm not willing to trust it.

If[0] the maintainer is entirely honest and well-intentioned, they are clearly a vulnerable target lacking the capabilities to reliably detect if their supply chain would be compromised. Using Ventoy is a huge risk regardless of what you think of maintainer credibility at this point.

The cynical take is that what's on display in this issue is feigned ignorance/incompetence constructing plausible deniability.

Their security posture has not evolved with the times, the threat-landscape, and the growth of the project.

[0]: Very doubtful if you have been following this saga or dig around enough

Having just used Ventoy to install Linux on a computer, should I consider it compromised and reinstall? Or technically completely trash it?
That would be quite an overblown reaction. There is currently no proof of malicious activity.
So much work because most people can’t manage a simple dd-invocation.

And because Windows don’t allow direct access to the physical layer from a user-space shell.

Such a waste.

The primary reason why I use Ventoy is because of its ability to use multiple ISO's, which I can select from when booting. I don't think that's possible with dd.

It's also possible to use the usb stick for regular files, Ventoy will just ignore them. Pretty useful when you need it.