Nice that the community is addressing this. I was never able to trust Ventoy in the past, and as such still have a wide array of USB sticks to install Linux flavors with.
For installation I have had to drop back to a normal single-image USB stick before now because the installer became confused by the EFI partition presented by the unpacked ISO and anything found/not on the target drives.
Ventoy is very handy for running things live though, and not all installers/situations are affected by this (and there they are, it isn't really ventoy's fault).
I have a bunch of network-bootable installers set up on my DHCP server. If I want to install a new machine I simply set it to boot from the network. From there I can just select whichever distro I want. I also added some utils like Memtest86
I tried to set up netboot a few times, it seems like this should be very easy to do, especially that I self host many things, but I get lost in the technical details every time. I think I succeeded once, with the dhcp server running on a laptop running Debian…
Turns out doing some speleology to find a USB key and burning an ISO on it using cat or pv ends up being radically easier…
(OTOH it's been a while since I last tried and now I have root on my router running OpenWrt so I guess it would be a tad easier…)
That was both it's charm,and it's notoriousness. I was using it, but when the blob thing became a concern, me and the guy who recommended it, stopped using it,and now it's more of a curiosity, but no longer used. EFI is basically crippleware now,and two dev friends of mine just bought macs, leaving me their Lenovo collections. Two X1 carbons and three T590s.
If[0] the maintainer is entirely honest and well-intentioned, they are clearly a vulnerable target lacking the capabilities to reliably detect if their supply chain would be compromised. Using Ventoy is a huge risk regardless of what you think of maintainer credibility at this point.
The cynical take is that what's on display in this issue is feigned ignorance/incompetence constructing plausible deniability.
Their security posture has not evolved with the times, the threat-landscape, and the growth of the project.
[0]: Very doubtful if you have been following this saga or dig around enough
https://github.com/fnr1r is currently working on a reproducible open build system. If you wish to help the process, direct your attention there! You can see progress on the issues of their repos, as well as in this now (appropriately) locked issue: https://github.com/ventoy/Ventoy/issues/2795
FWIW "blob" isn't an acronym. It refers metaphorically to an amorphous ball of goop. In databases only, it has been backronymed to "binary large object".
As far as I am aware, BLOB is an acronym for "Binary Large Object" [1], but it is part of the pun that, as you wrote, a blob is (also) an amorphous ball of goop.
Or where the LOB types could actually be text ([N]NVARCHAR(MAX) in SQL Server, or the deprecated [N]TEXT in the same), I refer to them as Bloody Large OBject.
Or if you don't like blobs but do like recursive acronyms: Bloody Large Odious BLOB.
I used Ventoy for a long time with various distros and even Windows, but for some reason it didn’t work with Arch (btw). I had to use a separate USB thumbdrive just for it.
In fact there's no suspicion or allegation of malicious activity. This all started as a "hey it's not oss and i can't stand things that aren't oss." With all the security scare theater being used to justify the "it needs to be oss" demands.
I'll believe it when it happens. The maintainer hasn't done much regarding this for over 5 years. There are issues raised about this back in 2020 and not much has changed. It just seems suspicious to me. But I might be paranoid.
Readit News
Ventoy is very handy for running things live though, and not all installers/situations are affected by this (and there they are, it isn't really ventoy's fault).
I tried to set up netboot a few times, it seems like this should be very easy to do, especially that I self host many things, but I get lost in the technical details every time. I think I succeeded once, with the dhcp server running on a laptop running Debian…
Turns out doing some speleology to find a USB key and burning an ISO on it using cat or pv ends up being radically easier…
(OTOH it's been a while since I last tried and now I have root on my router running OpenWrt so I guess it would be a tad easier…)
The cynical take is that what's on display in this issue is feigned ignorance/incompetence constructing plausible deniability.
Their security posture has not evolved with the times, the threat-landscape, and the growth of the project.
[0]: Very doubtful if you have been following this saga or dig around enough
This is the first I'm hearing of any of this drama. Any links to relevant information indicating that the maintainer is being disingenuous?
https://nixsanctuary.com/ventoy-718-shades-of-open-source/
https://news.ycombinator.com/item?id=40689629 (See also: Sus behavior from Deepin which recently got the project removed from Suse)
https://feddit.org/post/12078124
https://linuxmom.net/@vkc/112906968594601449
It just works really well.
As far as I am aware, BLOB is an acronym for "Binary Large Object" [1], but it is part of the pun that, as you wrote, a blob is (also) an amorphous ball of goop.
[1] At least according to the German Wikipedia: https://de.wikipedia.org/wiki/Binary_Large_Object
https://web.archive.org/web/20231108173312/https://www.ibpho...
Or if you don't like blobs but do like recursive acronyms: Bloody Large Odious BLOB.
[1]: https://en.wiktionary.org/wiki/blob
[2]: https://en.wikipedia.org/wiki/Mr_Blobby_(fish)
https://www.etymonline.com/word/blob
https://en.wikipedia.org/wiki/The_Blob
I'm not willing to trust it.
Paraphrasing, but things like: "Ah well, some blobs are ok, it is just for convenience" just smells like trouble.
The project is free and all, but damn. Has nobody, in the last half a decade, thought about automagically building those blobs alongside the project?
In my brain you're just postponing a large build system refactor, one that will get worse over time.