←back to thread

Ventoy: Create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI Files

(github.com)
284 points wilsonfiifi | 1 comments | 30 Oct 25 14:23 UTC | HN request time: 0s | source
Show context
mkesper ◴[30 Oct 25 15:04 UTC] No.45760844[source]
The lot of (partially scary) binary blobs is still an unsolved issue: https://github.com/ventoy/Ventoy/issues/3224
replies(5): >>45760882 #>>45760933 #>>45761425 #>>45761632 #>>45761980 #
AnotherGoodName ◴[30 Oct 25 16:11 UTC] No.45761632[source]
I am actually happy reading that though. As in it's literally the authors of the tool stating "hey we have a lot of binary blob drivers, what can we do to replace these?". He then audits them and links to build instructions.

As in yeah there's precompiled binaries in this. But it's audited and each binary itself has a link to build instructions. What they are not doing is actually building everything from scratch in their build process. Ok that's a pain to do and i get it. But... i don't see anyone slipping in an unaccounted for binary here right? If every binary itself has a "here's how to build this from scratch" documentation and source it seems ok to me.

replies(2): >>45761837 #>>45762623 #
graton ◴[30 Oct 25 17:28 UTC] No.45762623[source]
The binary blob issue has been brought up since back in 2020. And since then very little real progress has happened from what I can tell.

I am not willing to use the software due to that issue. It just seems suspicious.

replies(1): >>45762844 #
AnotherGoodName ◴[30 Oct 25 17:46 UTC] No.45762844{3}[source]
Just to be clear do you understand that all of these are built from source with documentation so you can recreate the binaries yourself?

As in it's completely source buildable with no unknown binaries. They just don't have a single 'build' that pulls all of these in and builds them at once. Instead you're following the build instructions for each part, creating libraries that you then link together at the end. This is due to the pain in the ass of cross-compiling Linux/Windows/UEFI binaries all in the one project. It's pretty reasonable.

replies(1): >>45763856 #
graton ◴[30 Oct 25 18:57 UTC] No.45763856{4}[source]
Have you done this? How do you know this is true? Are there reports of trusted 3rd parties who have verified this?
replies(1): >>45767199 #
altairprime ◴[31 Oct 25 00:50 UTC] No.45767199{5}[source]
As someone who isn’t afraid of reproducible binary blobs but would absolutely pay attention to a failure-to-reproduce report from an advocate otherwise, I’m disappointed to see you failing to do so here. If you’re afraid and not willing to prove or disprove your fears yourself, then that negates your arguments to reject binary blobs categorically, rather than conditionally as I and others in this thread are accepting. So.. of this isn’t an argument about whether this project is safely using binary blobs, it’s about propagating the belief that binary blobs are never acceptable; then while normally I would dig up proof like you seek or make it myself, proof has no bearing on beliefs and I’d best not.
replies(1): >>45768700 #
1. nixosbestos ◴[31 Oct 25 05:27 UTC] No.45768700{6}[source]
I wonder how far a clanker would go if you toss if at a pile of Ventoy / "build instructions" and Nix. This is a pretty ideal place for Nix to shine.