Most active commenters
  • AnotherGoodName(4)

←back to thread

Ventoy: Create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI Files

(github.com)
284 points wilsonfiifi | 26 comments | 30 Oct 25 14:23 UTC | HN request time: 1.465s | source | bottom
1. mkesper ◴[30 Oct 25 15:04 UTC] No.45760844[source]
The lot of (partially scary) binary blobs is still an unsolved issue: https://github.com/ventoy/Ventoy/issues/3224
replies(5): >>45760882 #>>45760933 #>>45761425 #>>45761632 #>>45761980 #
2. hddherman ◴[30 Oct 25 15:07 UTC] No.45760882[source]
If anyone is wondering, then there are Ventoy alternatives like IODD [0], but they are not perfect. Usable, but annoying in some aspects.

[0]: https://ounapuu.ee/posts/2025/02/14/iodd-st400-review/

replies(1): >>45763922 #
3. seemaze ◴[30 Oct 25 15:13 UTC] No.45760933[source]
An alternative was offered here: https://news.ycombinator.com/item?id=41959908

https://github.com/thias/glim

replies(1): >>45761194 #
4. 867-5309 ◴[30 Oct 25 15:35 UTC] No.45761194[source]
does not support Windows
replies(1): >>45761424 #
5. Sammi ◴[30 Oct 25 15:52 UTC] No.45761424{3}[source]
https://github.com/eugenesan/glim
6. zettabomb ◴[30 Oct 25 16:02 UTC] No.45761515[source]
I don't see the linked issue as a valid reason to stop using Ventoy, especially since the repo you linked is for a different piece of software made by the same people. Do we have any evidence of Ventoy itself being in any way malicious?
replies(1): >>45761792 #
7. junon ◴[30 Oct 25 16:02 UTC] No.45761520[source]
The rationale for needing a random driver makes some sense. The statement that they found a random build that was signed by some randy is a horrifying prospect.
replies(1): >>45762457 #
8. AnotherGoodName ◴[30 Oct 25 16:11 UTC] No.45761632[source]
I am actually happy reading that though. As in it's literally the authors of the tool stating "hey we have a lot of binary blob drivers, what can we do to replace these?". He then audits them and links to build instructions.

As in yeah there's precompiled binaries in this. But it's audited and each binary itself has a link to build instructions. What they are not doing is actually building everything from scratch in their build process. Ok that's a pain to do and i get it. But... i don't see anyone slipping in an unaccounted for binary here right? If every binary itself has a "here's how to build this from scratch" documentation and source it seems ok to me.

replies(2): >>45761837 #>>45762623 #
9. murphyslaw ◴[30 Oct 25 16:13 UTC] No.45761668[source]
All of it is built from source, it's just that the current build process is not easy to audit. The build by definition needs to happen on multiple platforms or cross compiled, a root cert needs to be setup in the windows installer at boot time, and so on.

I agree that this is not an ideal way to boot an ISO, but the general public is unlikely to ever need a multiboot USB stick. I like this project enough to perhaps contribute.

10. protimewaster ◴[30 Oct 25 16:24 UTC] No.45761792{3}[source]
I think it's a valid reason unless you view "this person can't be trusted follow safe practices on Project A so it makes sense to assume they also won't follow safe practices on Project B" as invalid logic.
replies(1): >>45761941 #
11. mort96 ◴[30 Oct 25 16:27 UTC] No.45761837[source]
And crucially, since each blob is from an open source project with build instructions, it seems like you can build Ventoy completely from source if you really want.
12. AnotherGoodName ◴[30 Oct 25 16:35 UTC] No.45761941{4}[source]
From the linked thread

"I have updated a new 1.0.21 release and removed the unused sig driver file. And I also add a README document about the httpdisk driver https://github.com/ventoy/PXE/tree/master"

As in the author responded and removed this and explained why it was in there in the first place.

So Ventoy has all it's code audited and documents every case of a binary blob with the source code and instructions to build the binary blob. iVentoy above did have an issue which was promptly resolved.

It seems to be an extremely trustworthy project. If you want to blacklist them because they once had an issue since corrected fine but it seems waaaaaay over the top to me.

replies(1): >>45762211 #
13. AnotherGoodName ◴[30 Oct 25 16:36 UTC] No.45761959[source]
From the linked thread

"I have updated a new 1.0.21 release and removed the unused sig driver file. And I also add a README document about the httpdisk driver https://github.com/ventoy/PXE/tree/master"

So he fixed the issue, noted the use of WKDTestCert and links to it and he also has a post explaining why this happened.

That doesn't seem lackluster or negligent to me?

replies(1): >>45763394 #
14. dataflow ◴[30 Oct 25 16:37 UTC] No.45761980[source]
I don't see the problem with grabbing binary blobs from other trusted projects. Isn't it sufficient just to be able to prove the hashes match what you'd get directly from the origin? If you got your blob from (say) Debian, and their blobs were backdoored, the world has... much bigger problems to worry about. Feels like trying to verify that your pharmacy is making your medication from scratch, lest their supplier had contaminated it.
15. protimewaster ◴[30 Oct 25 16:57 UTC] No.45762211{5}[source]
My concern is that they grabbed some random driver signed by a random person and just assumed it was trustworthy enough to be included in a project. That's not the behavior I associate with how "extremely trustworthy" projects should be run. I understand others may not agree, though. I also understand that this is a different project, but that behavior kinda makes me feel like any project with those people involved shouldn't be viewed as extremely trustworthy. Are they also running randomly grabbed code on the build machines and assuming it's safe to do so?
16. fukka42 ◴[30 Oct 25 17:17 UTC] No.45762457{3}[source]
Someone compared hashes of the sectors of both drivers and they are identical except for the signature.

You don't know what due diligence was done.

replies(1): >>45762732 #
17. graton ◴[30 Oct 25 17:28 UTC] No.45762623[source]
The binary blob issue has been brought up since back in 2020. And since then very little real progress has happened from what I can tell.

I am not willing to use the software due to that issue. It just seems suspicious.

replies(1): >>45762844 #
18. junon ◴[30 Oct 25 17:36 UTC] No.45762732{4}[source]
I don't, no, but why should I trust the maintainer, and why should the maintainer trust Randy from some random site?
replies(2): >>45763211 #>>45763326 #
19. AnotherGoodName ◴[30 Oct 25 17:46 UTC] No.45762844{3}[source]
Just to be clear do you understand that all of these are built from source with documentation so you can recreate the binaries yourself?

As in it's completely source buildable with no unknown binaries. They just don't have a single 'build' that pulls all of these in and builds them at once. Instead you're following the build instructions for each part, creating libraries that you then link together at the end. This is due to the pain in the ass of cross-compiling Linux/Windows/UEFI binaries all in the one project. It's pretty reasonable.

replies(1): >>45763856 #
20. fukka42 ◴[30 Oct 25 18:15 UTC] No.45763211{5}[source]
Because you intend to run their software? And don't try to tell me you've never ran any proprietary software.
21. i4qpLmoptUph3fZ ◴[30 Oct 25 18:23 UTC] No.45763326{5}[source]
To sibling comment: I don't understand your line of reasoning. How does using someone's software make you trust them? Don't you need trust to run someone's software first?
22. i4qpLmoptUph3fZ ◴[30 Oct 25 18:26 UTC] No.45763394{3}[source]
Echoing similar comments on this thread. The action in itself is mildly concerning, but the lack of foresight to see this as an issue people would want to know about, and ultimately be able to make their own decision on if they want to accept that risk or not.

"So I thought that maybe user don't want to care about this intermediate process"

Choosing to include an unverified build from a third party in a project like this introduces significant risk.

Also.. anyone know why my original comment got flagged?

23. graton ◴[30 Oct 25 18:57 UTC] No.45763856{4}[source]
Have you done this? How do you know this is true? Are there reports of trusted 3rd parties who have verified this?
replies(1): >>45767199 #
24. theodric ◴[30 Oct 25 19:01 UTC] No.45763922[source]
So far I am 0/2 on buying IODD devices and having them fail within a couple of weeks. I gave it a good 5 years between purchases and bought a different version of the unit. Perhaps I just have extremely bad luck, but my experience is that basically anything is more perfect than an IODD.
25. altairprime ◴[31 Oct 25 00:50 UTC] No.45767199{5}[source]
As someone who isn’t afraid of reproducible binary blobs but would absolutely pay attention to a failure-to-reproduce report from an advocate otherwise, I’m disappointed to see you failing to do so here. If you’re afraid and not willing to prove or disprove your fears yourself, then that negates your arguments to reject binary blobs categorically, rather than conditionally as I and others in this thread are accepting. So.. of this isn’t an argument about whether this project is safely using binary blobs, it’s about propagating the belief that binary blobs are never acceptable; then while normally I would dig up proof like you seek or make it myself, proof has no bearing on beliefs and I’d best not.
replies(1): >>45768700 #
26. nixosbestos ◴[31 Oct 25 05:27 UTC] No.45768700{6}[source]
I wonder how far a clanker would go if you toss if at a pile of Ventoy / "build instructions" and Nix. This is a pretty ideal place for Nix to shine.