Nice that the community is addressing this. I was never able to trust Ventoy in the past, and as such still have a wide array of USB sticks to install Linux flavors with.
For installation I have had to drop back to a normal single-image USB stick before now because the installer became confused by the EFI partition presented by the unpacked ISO and anything found/not on the target drives.
Ventoy is very handy for running things live though, and not all installers/situations are affected by this (and there they are, it isn't really ventoy's fault).
I have a bunch of network-bootable installers set up on my DHCP server. If I want to install a new machine I simply set it to boot from the network. From there I can just select whichever distro I want. I also added some utils like Memtest86
Do you have this documented somewhere?
I tried to set up netboot a few times; it seems like this should be very easy to do, especially since I self-host many things, but I get lost in the technical details every time. I think I succeeded once, with the DHCP server running on a laptop running Debian…
Turns out doing some speleology to find a USB key and burning an ISO on it using cat or pv ends up being radically easier…
(OTOH it's been a while since I last tried and now I have root on my router running OpenWrt so I guess it would be a tad easier…)
I just use an enclosure that emulates a DVD drive. Put a cheap SATA SSD in there and you can stop worrying about incompatibilities.
How do you image the SSD? Isn't it kind of the same issue as with imaging a USB stick?
iODD 2531 is the cheapest and simplest such example.
doesn't it have firmware? :)
NB mainly iVentoy seems to be suspicious, relying on Windows exploits to bypass certification needs.
That was both its charm and its notoriousness. I was using it, but when the blob thing became a concern, me and the guy who recommended it stopped using it, and now it's more of a curiosity, but no longer used. EFI is basically crippleware now, and two dev friends of mine just bought Macs, leaving me their Lenovo collections. Two X1 Carbons and three T590s.
If[0] the maintainer is entirely honest and well-intentioned, they are clearly a vulnerable target lacking the capabilities to reliably detect if their supply chain would be compromised. Using Ventoy is a huge risk regardless of what you think of maintainer credibility at this point.
The cynical take is that what's on display in this issue is feigned ignorance/incompetence constructing plausible deniability.
Their security posture has not evolved with the times, the threat-landscape, and the growth of the project.
[0]: Very doubtful if you have been following this saga or dig around enough
> Very doubtful if you have been following this saga or dig around enough
This is the first I'm hearing of any of this drama. Any links to relevant information indicating that the maintainer is being disingenuous?
There are probably better links still around if you DYOR but a sample with further pointers:
https://linuxmom.net/@vkc/112906968594601449
I really like Ventoy and use it and I’m just not worried about getting attacked with it on my personal homelab.
It just works really well.
https://github.com/fnr1r is currently working on a reproducible open build system. If you wish to help the process, direct your attention there! You can see progress on the issues of their repos, as well as in this now (appropriately) locked issue: https://github.com/ventoy/Ventoy/issues/2795
FWIW "blob" isn't an acronym. It refers metaphorically to an amorphous ball of goop. In databases only, it has been backronymed to "binary large object".
> FWIW "blob" isn't an acronym.
As far as I am aware, BLOB is an acronym for "Binary Large Object" [1], but it is part of the pun that, as you wrote, a blob is (also) an amorphous ball of goop.
[1] At least according to the German Wikipedia: https://de.wikipedia.org/wiki/Binary_Large_Object
The Blob is a movie from 1958 and the blobs in databases were named after the movie. Later, some people felt that blob should be an acronym.
https://web.archive.org/web/20231108173312/https://www.ibpho...
Or where the LOB types could actually be text ([N]NVARCHAR(MAX) in SQL Server, or the deprecated [N]TEXT in the same), I refer to them as Bloody Large OBject.
Or if you don't like blobs but do like recursive acronyms: Bloody Large Odious BLOB.
Good point, [1] is a handy reference on the word. Also used in the compound word "blobfish", of which [2] is a well-known specimen.
[1]: https://en.wiktionary.org/wiki/blob
[2]: https://en.wikipedia.org/wiki/Mr_Blobby_(fish)
Well, hmmm, the word "blob" way predates the 1958 SF horror film of that name:
https://www.etymonline.com/word/blob
https://en.wikipedia.org/wiki/The_Blob
I used Ventoy for a long time with various distros and even Windows, but for some reason it didn’t work with Arch (btw). I had to use a separate USB thumbdrive just for it.
I've had Arch ISOs work fine from Ventoy, and also had Arch ISOs not able to complete installs without Ventoy.
I’ve never had issues using Ventoy to install Arch.
Arch worked just fine for me
Having just used Ventoy to install Linux on a computer, should I consider it compromised and reinstall? Or technically completely trash it?
That would be quite an overblown reaction. There is currently no proof of malicious activity.
In fact there's no suspicion or allegation of malicious activity. This all started as a "hey, it's not OSS and I can't stand things that aren't OSS," with all the security scare theater being used to justify the "it needs to be OSS" demands.
I'll believe it when it happens. The maintainer hasn't done much regarding this for over 5 years. There are issues raised about this back in 2020 and not much has changed. It just seems suspicious to me. But I might be paranoid.
I'm not willing to trust it.
Same. Even the issue presented here seems to not be taken seriously.
Paraphrasing, but things like: "Ah well, some blobs are ok, it is just for convenience" just smells like trouble.
The project is free and all, but damn. Has nobody, in the last half a decade, thought about automagically building those blobs alongside the project?
In my brain you're just postponing a large build system refactor, one that will get worse over time.
So much work because most people can’t manage a simple dd-invocation.
And because Windows doesn't allow direct access to the physical layer from a user-space shell.
Such a waste.
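The "simple dd invocation" above is only half of the story: a stick that silently short-wrote or that is flaky will happily boot something other than the ISO you hashed. The following is an added example (not from anyone in this thread) that writes the image with GNU dd and then reads the same byte count back from the target and compares SHA-256 digests; it assumes GNU coreutils and a Linux block device, and the target may also be a plain file so it can be tested offline.

```shell
#!/bin/sh
# Added example: write an ISO to a target and verify the write by reading
# back exactly the image's byte count and comparing SHA-256 digests.
# Assumes GNU coreutils (dd status=none, head -c, sha256sum).
set -u

# verify_image SRC DST: hash SRC, hash the first size(SRC) bytes of DST.
# A USB stick is larger than the ISO, so hashing the whole device would
# never match; only the written prefix is compared.
verify_image() {
    src=$1
    dst=$2
    size=$(wc -c < "$src")
    expected=$(sha256sum "$src" | cut -d' ' -f1)
    actual=$(head -c "$size" "$dst" | sha256sum | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "verified: $size bytes of $dst match $expected"
        return 0
    fi
    echo "MISMATCH on $dst: expected $expected got $actual" >&2
    return 2
}

# write_and_verify_image SRC DST: dd the image, flush it, then verify.
# conv=fsync makes dd fsync the target before exiting, so the read-back
# below sees data the kernel has at least handed to the device.
write_and_verify_image() {
    src=$1
    dst=$2   # e.g. /dev/sdX (constructed placeholder) or a plain file
    dd if="$src" of="$dst" bs=4M conv=fsync status=none || return 1
    verify_image "$src" "$dst"
}
```

The read-back may be served from the page cache on a just-written device, so for a suspect stick unplug and replug it (or drop caches) before running verify_image a second time.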
The primary reason why I use Ventoy is because of its ability to use multiple ISOs, which I can select from when booting. I don't think that's possible with dd.
It's also possible to use the USB stick for regular files; Ventoy will just ignore them. Pretty useful when you need it.
I don't have a dog in the fight, since I don't use Ventoy. Are you referring to this https://github.com/ventoy/Ventoy/issues/3224#issuecomment-29...?
citation needed
care to elaborate on this?
Is that Ventoy or iVentoy?