Was the Ventoy binary blob issue resolved and it’s cool again?
No. But the argument itself is so stupid to me.
Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.
If you’re one of those people that grab random fuckin’ ISOs from all over the internet to test ’em out, then no. You really shouldn’t use Ventoy. If you run official ISOs from recognized sources, then realistically the risk is ever present, but minimal.
Like getting in a wreck on the way to the store to pick up milk. It’s always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It’s “well, it’s a crazy useful tool, but you shouldn’t use it because something might happen.”
It’s just such a bad argument. Fact of the matter is, is that if there were a non-hacky as shit way to do what Ventoy does, it would be available right now. But it’s not… Because it’s really not.
The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you’re not being MITM from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?
Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.
I read what sounded like an intelligent follow-up on this subject. But I’m not smart enough to verify for myself, so I still refrain from using Ventoy - even though I’d love to start using it again.
It was basically “wacky code from all over the place, poor coding practices, can’t find anything bad, but methods used are sus af”
Says one dude I read on the internet :/
That’s it.
Sounds like a Chinese geek tried to make something useful, did a lot of dirty hacks to get it going.
And couldn’t properly explain because his social skills and English weren’t great.
The blobs weren’t super suspicious, just some GPL’d tools, basically busybox kind of stuff.
The real problem is what he made was so fucking insanely useful and needed by everyone that the standards for software skyrocketed.
Like you make a cure for cancer and everyone starts screaming at you because one of the side effects is temporary impotence.
Such a great post.
Just have 500 ThinkPads and you can avoid security issues altogether! A ThinkPad for every distro EZEZ