• Xanza@lemm.ee
      26 days ago

      No. But the argument itself is so stupid to me.

      Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.

      If you’re one of those people that grab random fuckin’ ISOs from all over the internet to test em out, then no. You really shouldn’t use Ventoy. If you run official ISOs from recognized sources, then realistically the risk is ever present, but minimal.

      Like getting in a wreck on the way to the store to pick up milk. It’s always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It’s “well, it’s a crazy useful tool, but you shouldn’t use it because something might happen.”

      It’s just such a bad argument. Fact of the matter is, is that if there were a non-hacky as shit way to do what Ventoy does, it would be available right now. But it’s not… Because it’s really not.

      The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you’re not being MITM from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?

      Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.

      • fmstrat@lemmy.nowsci.com
        26 days ago

        The problem with Ventoy isn’t the ISOs.

        The problem is they use binary versions of core tools like cryptsetup in their source tree, vs compiling them at build time.

        This leaves the door open to supply-chain attacks. I.E. a PR with a bad cryptsetup binary, or an attack on crypt that makes its way downstream with no way to audit. This is how huge software distributions make their way to Wikipedia in a bad way: https://en.m.wikipedia.org/wiki/XZ_Utils_backdoor

        The solution is to build those binaries at build time, which a fork is working on.


        • brbposting@sh.itjust.works
          26 days ago

          Interesting! & longpanda*

          Explains y’all paranoid and keeps using those binaries? Says “sorry I do this free and that would take forever”?

          *

          To clarify, asking if there has ever been an official developer response/debate on this.

        • Xanza@lemm.ee
          26 days ago

          The advantage of Ventoy is its ability to work in any environment and handle 99% of ISOs. Compiling the binaries at build time requires a mature development environment to be able to build these utilities… You’re exponentially increasing the size and complexity of the project to solve a relatively minor security issue.

          Ventoy is not the only way to create a bootable drive… If you don’t trust the blobs then don’t run the software.

          Forking Ventoy to add the complexity of building these utilities is only going to be available for *nix base environments so Windows users are pretty much shit out of luck. You’re exponentially increasing the size of the project, its complexity, and simultaneously significantly narrowing its usability…

          I said it before and I’ll say it again it’s such a bad fucking argument. It’s not mature software. It’s a literal confluence of hacks… And if you’re not comfortable with using it then don’t use it. It really is a huge security risk. But advocating that nobody use it is such a stupid fucking thing.

          Advocate that people understand the risks of using it but to just run around and scream about how nobody should be using it for any reason whatsoever until the maintainer closes the security hole that makes it run is pretty stupid.

          • fmstrat@lemmy.nowsci.com
            26 days ago

            You:

            > solve a relatively minor security issue.

            Wikipedia:

            > In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name “Jia Tan”. The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.

            Binary supply-chain attacks are not “minor security issues”. There is a reason many companies will not allow admins to use Ventoy.

            I like Ventoy, it’s a fantastic project. I like that the author is transparent about where they won’t be spending their time. You can like a project, and recognize its flaws at the same time.

            A contributor building a PR to solve the build concerns is not a bad thing, it’s to be celebrated. Even a short-term solution of having the build script pull the binaries from a release and checksum them would alleviate a lot of that concern. And the Windows vs Nix item would be alleviated by the GitHub build ENV. Binary releases aren’t the problem, it’s binary in the source. This is about audits and traceability more than the build itself.

            Not having a security first posture on these kinds of attacks is how the xz event happened, and I would hate to see that happen to Ventoy. I look forward to contributors helping the author out.

          • fmstrat@lemmy.nowsci.com
            26 days ago

            Yes, but…

            The build environment was not clean to start, which is why a contributor is working to correct that.

            You could also have the build scripts that run on GitHub pull the binary releases directly from their original release locations at build time, vs a file that an individual can modify in the source tree. This isn’t as good as building from source, but it’s better than nothing.
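
The stopgap suggested in the two comments above (have the build script pull the binaries and checksum them), sketched as an added example; it is not code from any commenter or from the Ventoy project. File names, file contents and the manifest name are constructed stand-ins, and the download step is left out so the check runs offline.

```sh
#!/bin/sh
# Added example: fail-closed check of fetched binaries against pinned SHA-256 values.
# All file names and contents are constructed stand-ins, not Ventoy's real artifacts.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_pinned DIR MANIFEST
# MANIFEST uses sha256sum's format: "<hex digest>  <path relative to DIR>".
# Returns 0 only if every pinned file matches and DIR holds no unpinned file.
verify_pinned() {
  local dir="$1" manifest="$2" want path unlisted rc=0
  while read -r want path; do
    [ -n "$want" ] || continue
    if [ ! -f "$dir/$path" ]; then
      echo "MISSING  $path" >&2; rc=1
    elif [ "$(sha256_of "$dir/$path")" != "$want" ]; then
      echo "MISMATCH $path" >&2; rc=1
    fi
  done < "$manifest"
  # A file that is present but not pinned is an unaudited blob: reject it too.
  unlisted=$(find "$dir" -type f | while read -r f; do
    p=${f#"$dir"/}
    cut -d' ' -f3- "$manifest" | grep -Fxq -- "$p" || echo "$p"
  done)
  [ -z "$unlisted" ] || { echo "UNPINNED $unlisted" >&2; rc=1; }
  return $rc
}

# Constructed demo: a download directory with two stand-in binaries.
work=$(mktemp -d) && mkdir "$work/rel"
printf 'stand-in cryptsetup\n' > "$work/rel/cryptsetup"
printf 'stand-in busybox\n' > "$work/rel/busybox"
# The manifest is generated once, reviewed, and committed as text.
(cd "$work/rel" && sha256sum busybox cryptsetup) > "$work/pins.sha256"

verify_pinned "$work/rel" "$work/pins.sha256" && echo "pinned tree: ok"
printf 'x' >> "$work/rel/cryptsetup"   # simulate a swapped binary
verify_pinned "$work/rel" "$work/pins.sha256" || echo "tampered tree: build stops"
rm -rf "$work"
```

Because the manifest is plain text in the repository, a changed binary shows up in review as a one-line digest diff rather than an opaque blob change.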

    • Kongar@lemmy.dbzer0.com
      26 days ago

      I read what sounded like an intelligent follow-up on this subject. But I’m not smart enough to verify for myself, so I still refrain from using ventoy - even though I’d love to start using it again.

      It was basically “wacky code from all over the place, poor coding practices, can’t find anything bad, but methods used are sus af”

      Says one dude I read on the internet :/

      • InverseParallax@lemmy.world
        26 days ago

        That’s it.

        Sounds like a Chinese geek tried to make something useful, did a lot of dirty hacks to get it going.

        And couldn’t properly explain because his social skills and English weren’t great.

        The blobs weren’t super suspicious, just some GPL’d tools, basically busybox kind of stuff.

        The real problem is what he made was so fucking insanely useful and needed by everyone that the standards for software skyrocketed.

        Like you make a cure for cancer and everyone starts screaming at you because one of the side effects is temporary impotence.

    • tischbier@feddit.org
      26 days ago

      Just have 500 thinkpads and you can avoid security issues altogether! A thinkpad for every distro EZEZ

  • Coreidan@lemmy.world
    26 days ago

    If you’re incapable of figuring out how to install Windows then you’re probably incapable of most things in life.

    • Ziglin (it/they)@lemmy.world
      26 days ago

      I think without instructions most people would need help due to not knowing what a partition is. So depending on your interpretation of incapable this seems like a huge exaggeration. The Linux installers with GUIs I’ve seen at least explained how to set them up.

      • Coreidan@lemmy.world
        26 days ago

        Just saying that it’s brain dead easy to install. You don’t need any technical skill at all.

        There are no tricks. Just mouse through a couple of prompts and it’s done.

        I’ve installed Linux just as many times as windows and these days Linux is more complicated to set up and install than windows.

        Like I get it. Y’all have a deep bias for Linux but Jesus Christ can you at least be accurate?

        • henfredemars@infosec.pub
          26 days ago

          I find you still have to fuss with partitions. There isn’t a simple wipe everything and install option. You have to manually select the partitions on the disk, delete them and create a new one which somehow triggers it to create several partitions.

          There is an upgrade option.

          And then they tell you they don’t want a Microsoft account and you have to look up what’s the current hack to get around that if possible.

          That said, I think the Linux install experience is very clear about what it’s going to do.

          • boonhet@lemm.ee
            26 days ago

            You had it right until the “create a new one” bit.

            You can choose empty space instead of a partition and the setup will create the partitions for you. I mean even if you were to choose a partition, I believe it’ll delete it and create new ones because it needs more than just one partition. So on a clean disk, you can pretty much just hit next at that bit.

            • Shanmugha@lemmy.world
              26 days ago

              Lolwat. Last time I installed windows it literally created 3 partitions exactly when I told it “this clean disk - here ya go”

              • boonhet@lemm.ee
                26 days ago

                That’s exactly what I said, it creates its own partitions if you make free space or already have a clean disk. No need to manually make a partition.

                • Shanmugha@lemmy.world
                  26 days ago

                  Aand why the hell does it do that? And why the hell count is more than one? And while we are at it, what is so deadly and frightening with Linux installer creating a partition?

        • quack@lemmy.zip
          26 days ago

          You are vastly overestimating the technical ability of the average computer user. I don’t even mean that in an elitist/disparaging way, they just don’t care about this stuff because they don’t need to.

  • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
    26 days ago

    Meanwhile me with a CD book that has 17 bootable DVDs and CDs plus a separate DVD+RW for more random, less permanent crap and a portable USB DVD drive (the drive is sourced from e-waste and fails to write both DVD+/-RW and CD-RW at 4x, only 2.4x and 10x respectively work).

    I like spinny media.

    I mean, I also have a Ventoy disk, but I haven’t used it for a looooong time because it’s no fun, but discs are.
    I just need a bigger backpack. The WRT54GL is taking up quite some space too.

    Much cooler than ventoy, no?

  • yuriRO@lemmy.dbzer0.com
    26 days ago

    Impressive, very nice. Let’s see Paul Allen’s 256GB Ventoy USB with 118 Linux distros and 36 ISO boot tools up his ass

  • PrettyFlyForAFatGuy@feddit.uk
    26 days ago

    i installed linux mint on my sister’s household PC last week.

    my dad did his usual grumblings about “it should be windows” and i just said “i’ve been out of the windows ecosystem completely for the last 5 years and partially for another 3 years beyond that. i no longer provide support for windows, if you want them to have windows you need to support it”

    he went quiet after that.

    • Possibly linux@lemmy.zip
      26 days ago

      Honestly that sounds like a jerk move. Why would you force someone to use Linux? It isn’t your computer and if you are helping them you should do what they want. I wouldn’t be surprised if they bought a new machine and then ghosted you.

        • Possibly linux@lemmy.zip
          26 days ago

          Maybe I’m just reading into it but I read it as they wiped the drive and installed Linux without asking for explicit permission.

          • schematic@lemm.ee
            26 days ago

            Well, based on the rest of their comment, they were “providing support”, so the implication is that the sister asked for help and received it.

            I would assume that they informed their sister as to what would be installed. I don’t think it’s fair to assume the worst without context.

      • PrettyFlyForAFatGuy@feddit.uk
        26 days ago

        It’s not hers. it’s one of my computers that i am deploying to her house for her and her family to use.

        It’s technically for my niece but the rest of the family all also have access.

        no one in that household has expressed a specific preference of operating system. other than my brother in law texting me to tell me one of the old games he tried to install doesn’t work (i did promptly offer to “make it work” but he declined).

        I have no problem with them installing windows on it if that’s what they want. they won’t be coming to me for technical support if they do though.

      • Hanrahan@slrpnk.net
        26 days ago

        > Honestly that sounds like a jerk move.

        Quite the opposite,

        > Why would you force someone to use Linux?

        In what world is that force? He wasn’t holding a gun to her head, the opposite, he’s freeing her from stupidity.

        Decent people help others, they don’t go along with their stupid ideas before at least trying to convince them it’s a stupid idea. An allegory perhaps, your friend comes over, they have a 1/2 dozen beers, they’re going to drive home… In your world it seems it’s force to ask them not to and to stay over.

        > It isn’t your computer and if you are helping them you should do what they want

        Helping them is the phrase you seem to be confused about. It’s his sister, not his boss at the office.

        • Possibly linux@lemmy.zip
          26 days ago

          Some people actually want Windows. That’s not a “stupid idea” and it definitely shouldn’t be compared to drunk driving. I’ve lost people to drunk driving but last time I checked no one died or was fired because they use Windows. The evangelical rhetoric around Linux is harmful to Linux. Don’t go around promoting Linux like it is somehow going to be worlds ahead of Windows.

          If someone is looking for a Windows alternative it might be worth a mention. Don’t turn into some sort of Linux sales person. Linux can be good but it isn’t a Windows alternative. It requires some getting used to.