Comment by baobun
7 months ago
If[0] the maintainer is entirely honest and well-intentioned, they are clearly a vulnerable target lacking the capabilities to reliably detect if their supply chain would be compromised. Using Ventoy is a huge risk regardless of what you think of maintainer credibility at this point.
The cynical take is that what's on display in this issue is feigned ignorance/incompetence constructing plausible deniability.
Their security posture has not evolved with the times, the threat landscape, and the growth of the project.
[0]: Very doubtful if you have been following this saga or dig around enough
> Very doubtful if you have been following this saga or dig around enough
This is the first I'm hearing of any of this drama. Any links to relevant information indicating that the maintainer is being disingenuous?
There are probably better links still around if you DYOR but a sample with further pointers:
https://linuxmom.net/@vkc/112906968594601449