
285 points wilsonfiifi | 1 comments | source
mkesper ◴[] No.45760844[source]
The lot of (partially scary) binary blobs is still an unsolved issue: https://github.com/ventoy/Ventoy/issues/3224
replies(5): >>45760882 #>>45760933 #>>45761425 #>>45761632 #>>45761980 #
i4qpLmoptUph3fZ[dead post] ◴[] No.45761425[source]
[flagged]
zettabomb ◴[] No.45761515[source]
I don't see the linked issue as a valid reason to stop using Ventoy, especially since the repo you linked is for a different piece of software made by the same people. Do we have any evidence of Ventoy itself being in any way malicious?
replies(1): >>45761792 #
protimewaster ◴[] No.45761792[source]
I think it's a valid reason unless you view "this person can't be trusted to follow safe practices on Project A, so it makes sense to assume they also won't follow safe practices on Project B" as invalid logic.
replies(1): >>45761941 #
AnotherGoodName ◴[] No.45761941[source]
From the linked thread:

"I have updated a new 1.0.21 release and removed the unused sig driver file. And I also add a README document about the httpdisk driver https://github.com/ventoy/PXE/tree/master"

As in the author responded and removed this and explained why it was in there in the first place.

So Ventoy has all its code audited and documents every case of a binary blob with the source code and instructions to build the binary blob. iVentoy above did have an issue which was promptly resolved.

It seems to be an extremely trustworthy project. If you want to blacklist them because they once had an issue since corrected, fine, but it seems waaaaaay over the top to me.

replies(1): >>45762211 #
protimewaster ◴[] No.45762211[source]
My concern is that they grabbed some random driver signed by a random person and just assumed it was trustworthy enough to be included in a project. That's not the behavior I associate with how "extremely trustworthy" projects should be run. I understand others may not agree, though. I also understand that this is a different project, but that behavior kinda makes me feel like any project with those people involved shouldn't be viewed as extremely trustworthy. Are they also running randomly grabbed code on the build machines and assuming it's safe to do so?