The Ventoy situation

Ventoy has been under scrutiny in the last year or so, mainly for

  • including hundreds of precompiled blobs, with possibly unclear/unchecked origin.
  • the main developer failing to address the issue, indeed even to answer about it at all.

Part of the context can be understood from this discussion. I do not want to enter any technical or moral debate here, but beyond the obvious security risks, I think this is a bad practice, especially for such a package.

In the AUR there is one package which tries to reduce the ballooning number of precompiled blobs included (so it mitigates but does not solve the issue), and one more standard ventoy-bin, while there is no official Arch ventoy package.

However in the cachyos repo there is a ventoy-bin package which, as far as I understand, carries on the problems of the standard ventoy build.

I wonder if it is not a better practice to remove the package from the CachyOS repository. Users that want to install it can do so via the AUR. This would remove the layer of trust that the repo gives to a package which, at the same time, can fully compromise a system and is built with bad practices.

EDIT: I had unwillingly posted the first line only of this post. Apologies to those who wasted their time reading the half sentence.

Well, too bad, because you are going to get called out. If Ventoy was truly the issue you claim it to be, distro maintainers would be calling it out. The last big issue with Ventoy had nothing to do with it but rather with either files used to create the distro ISOs or Calamares itself.

Thanks for your reply. But I do not find it very informative. I ask why it is on the repo if there are potential issues, and you say that there are no potential issues because it is in the repo. Maybe there are no potential issues, but maybe there should be a motivation other than the self-referential “it is in the repo”.

Do not take what I said out of context and/or twist it again. I clearly said the issues have NOTHING to do with Ventoy itself and you know it. Looks like you are only here to bash. That is trolling and spamming.

Having valid concerns, and asking reasonable questions is much different to trolling and spamming.

Wow, that GitHub thread was a tad involved. I see your point, and yes, it is concerning.

I’m not sure how much of a difference pulling it from the Cachy repo would make when it comes to a “layer of trust” though, as most people see the AUR as a standard part of Arch. In fact, many people champion Arch because of the AUR.

Yes, I’ll (occasionally) take the time to check the build file of an AUR package if it’s not popular, but most people won’t, because again, “AUR is a part of Arch”.

Ideally, the dev would version all of the blobs’ source files, rebuilding when there’s a change upstream, and I think that someone was working on that in the thread (I mostly skimmed it).

Does anybody have more insight here? Is Ventoy still such a risk? I love that tool so much, but of course it is pretty scary to know that there are dozens of pre-compiled blobs in its repo…

What is the current state of this discussion?

More or less, see here:

Just read through both threads, took a while. It seems Ventoy does have issues, and there is a chance anyone using it can be compromised (possible, not probable). However, a mitigation to remove the exploits and make it more ‘trustworthy’ is not yet happening.

I personally feel the Dev is feeling a little attacked/overwhelmed and despite ramblings from the community no one has actually stepped up and started to help. Yes they have ‘offered’ but no progress has been made.

The biggest concern stems from:
‘…wintool.tar.xz is recognized by VirusTotal as something that injects fake trusted root certificates …’

Now this could be a false positive, which we all know does happen. Add to this that Ventoy generates its own certs for Secure Boot: any Bad Actor can compromise the cert, you insert it into your Secure Boot, and away they go.

I could be wrong, my wife tells me daily I am, however it does seem to be a BIG question mark.