    286 points wilsonfiifi | 12 comments
    mkesper ◴[] No.45760844[source]
    The lot of (partially scary) binary blobs is still an unsolved issue: https://github.com/ventoy/Ventoy/issues/3224
    replies(5): >>45760882 #>>45760933 #>>45761425 #>>45761632 #>>45761980 #
    1. zettabomb ◴[] No.45761515[source]
    I don't see the linked issue as a valid reason to stop using Ventoy, especially since the repo you linked is for a different piece of software made by the same people. Do we have any evidence of Ventoy itself being in any way malicious?
    replies(1): >>45761792 #
    2. junon ◴[] No.45761520[source]
    The rationale for needing a random driver makes some sense. The statement that they found a random build that was signed by some randy is a horrifying prospect.
    replies(1): >>45762457 #
    3. murphyslaw ◴[] No.45761668[source]
    All of it is built from source, it's just that the current build process is not easy to audit. The build by definition needs to happen on multiple platforms or cross-compiled, a root cert needs to be set up in the Windows installer at boot time, and so on.

    I agree that this is not an ideal way to boot an ISO, but the general public is unlikely to ever need a multiboot USB stick. I like this project enough to perhaps contribute.

    4. protimewaster ◴[] No.45761792[source]
    I think it's a valid reason unless you view "this person can't be trusted to follow safe practices on Project A so it makes sense to assume they also won't follow safe practices on Project B" as invalid logic.
    replies(1): >>45761941 #
    5. AnotherGoodName ◴[] No.45761941{3}[source]
    From the linked thread

    "I have updated a new 1.0.21 release and removed the unused sig driver file. And I also add a README document about the httpdisk driver https://github.com/ventoy/PXE/tree/master"

    As in the author responded and removed this and explained why it was in there in the first place.

    So Ventoy has all its code audited and documents every case of a binary blob with the source code and instructions to build the binary blob. iVentoy above did have an issue which was promptly resolved.

    It seems to be an extremely trustworthy project. If you want to blacklist them because they once had an issue, since corrected, fine, but it seems waaaaaay over the top to me.

    replies(1): >>45762211 #
    6. AnotherGoodName ◴[] No.45761959[source]
    From the linked thread

    "I have updated a new 1.0.21 release and removed the unused sig driver file. And I also add a README document about the httpdisk driver https://github.com/ventoy/PXE/tree/master"

    So he fixed the issue, noted the use of WKDTestCert and links to it and he also has a post explaining why this happened.

    That doesn't seem lackluster or negligent to me?

    replies(1): >>45763394 #
    7. protimewaster ◴[] No.45762211{4}[source]
    My concern is that they grabbed some random driver signed by a random person and just assumed it was trustworthy enough to be included in a project. That's not the behavior I associate with how "extremely trustworthy" projects should be run. I understand others may not agree, though. I also understand that this is a different project, but that behavior kinda makes me feel like any project with those people involved shouldn't be viewed as extremely trustworthy. Are they also running randomly grabbed code on the build machines and assuming it's safe to do so?
    8. fukka42 ◴[] No.45762457[source]
    Someone compared hashes of the sectors of both drivers and they are identical except for the signature.

    You don't know what due diligence was done.

    replies(1): >>45762732 #
    9. junon ◴[] No.45762732{3}[source]
    I don't, no, but why should I trust the maintainer, and why should the maintainer trust Randy from some random site?
    replies(2): >>45763211 #>>45763326 #
    10. fukka42 ◴[] No.45763211{4}[source]
    Because you intend to run their software? And don't try to tell me you've never run any proprietary software.
    11. i4qpLmoptUph3fZ ◴[] No.45763326{4}[source]
    To sibling comment: I don't understand your line of reasoning. How does using someone's software make you trust them? Don't you need trust to run someone's software first?
    12. i4qpLmoptUph3fZ ◴[] No.45763394[source]
    Echoing similar comments on this thread. The action in itself is mildly concerning, but the lack of foresight to see this as an issue people would want to know about, and ultimately be able to make their own decision on if they want to accept that risk or not.

    "So I thought that maybe user don't want to care about this intermediate process"

    Choosing to include an unverified build from a third party in a project like this introduces significant risk.

    Also.. anyone know why my original comment got flagged?