Is VENTOY Safe for YOUR Home server?
Ventoy is a wonderful product that currently has a bit of a BLOB build concern. If you have some devops time to spare, maybe you can assist? There is some apprehension around the blobs included in the release and how they are prepared. I hope this can get resolved eventually so I can get back to enjoying it myself. Consider donating to the project also (the right-hand side of the GitHub repo has donate links for the author).
GitHub Issue
Main Repo
Digital Spaceport Website
Thank you for voicing your concerns and bringing these issues to the community. I too will be looking into this myself as I have fairly recently been a regular ventoy user for os deployment across a large number of machines.
It is safe, but does NOT support secure boot by default. You need to import its digital certificate.
Glim or multibootusb? I can see why one might be reluctant to trust ventoy, so those other two projects come to mind as having a lot less code (just scripted grub config actually) to eval for safety—you bring your own grub, and there's no other binary object code to trust. You lose a few features over Ventoy, but it's probably worth it to reduce the number of things that periodically report containing viruses and trojans you just have to trust…
I've been wary of Ventoy for a while, and I've never trusted it due to seeing a lot of red flags, despite everyone else praising it. I've wanted to use it, but held back, and am still using dd, Raspberry Pi Imager, or Rufus instead. (When donating to Ventoy on the homepage, where does it go? Who gets the money? Is it the Chinese dev? It's a massive undertaking for a solo dev. How is that possible?)
Did you explore netboot.xyz? And there is also netbootVentoy.
So you read my comment and hid it very cool.
Is Secure Boot safe? Generally speaking: sometimes, most of the time, maybe? Be wary of what installation media you put on Ventoy, definitely. You should be checking hashes of all installation media, before and after installation, to ensure that whichever operating system or product is genuine or non-modified.
You can compile your own version of Ventoy if you'd like, but as it stands right now it is not currently malicious software.
It does enable bypassing Secure Boot, because you're booting to Ventoy, then you chainload to a different ISO of your choice. So, yeah, you can definitely have a corrupt or malicious ISO on the Ventoy. Good practice would be to remove the Ventoy key in BIOS after installing a new OS from Ventoy; then Secure Boot won't have the Ventoy bypass registered (which it shouldn't use for booting a different OS anyway).
Real-world example: say you put Arch Linux or a derivative of Arch Linux that does not have a signed Secure Boot key on Ventoy. You can install it, but once you've removed the Ventoy drive and restarted your PC, you will not be able to boot into that OS, due to Secure Boot seeing it and saying "hey, idk what that is, don't trust it!" Arch distros and Arch kernel updates often come out before full Secure Boot verification (if they ever get signed lol).
Hypothetically someone could use the Ventoy key to sign their corrupt distribution, but you can and should bypass this by removing the Ventoy key from BIOS after using the media to install operating systems.
Ventoy by itself is relatively safe, but technically could chainload bad systems. Always do your research, and double if not triple verify your hashes: check the hash when you download it, check it once you've put it on the Ventoy, check again once you've installed that operating system, and only download things from trusted sources if you want to stay secure.
Or build your own OS. Learn how these systems work if you care about security at all. IMO Windows is malware; Microsoft goes to great lengths to monopolize software and harvest user data. And Secure Boot won't save you from malicious code, ransomware, crypto or data mining hidden services.
Secure Boot only checks the boot of your operating system, not your hard drives and data.
Put a password on your BIOS if you think someone intends on using the Ventoy signed key to attack your PC. To become a cyber security professional you need vast and deep knowledge in the fields of applications, operating systems, and internet protocols (depending on your specialization).
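The two practical steps raised in the comments above (import/remove the Ventoy certificate, and hash-check every ISO before and after it lands on the Ventoy drive) can be scripted. The following is an added example written for this page; it is not code from the video, the commenters, or the Ventoy project. It assumes a Linux host with `sha256sum` (or `shasum`), that the vendor's expected digest has already been taken from a signature-verified SHA256SUMS file, and that the certificate Ventoy enrolls through MokManager carries "Ventoy" in its subject; the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not Ventoy project code. Verifies that an ISO copied onto a
# Ventoy drive is byte-identical to the vendor download, and reports whether a
# Ventoy certificate is still enrolled in the Machine Owner Key (MOK) list.
set -u

# Hex SHA-256 digest of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso EXPECTED_SHA256 DOWNLOADED_ISO [COPY_ON_VENTOY_DRIVE]
# Returns 0 only if the download and (optionally) the on-drive copy both match
# the expected digest. Comparing the on-drive copy catches a bad flash or a
# tampered drive, not just a bad download.
verify_iso() {
    expected=$1
    downloaded=$2
    on_drive=${3:-}

    got=$(sha256_of "$downloaded")
    if [ "$got" != "$expected" ]; then
        echo "MISMATCH: $downloaded (got $got, expected $expected)" >&2
        return 1
    fi
    if [ -n "$on_drive" ]; then
        copy=$(sha256_of "$on_drive")
        if [ "$copy" != "$expected" ]; then
            echo "MISMATCH: on-drive copy $on_drive differs from download" >&2
            return 1
        fi
    fi
    echo "OK: $downloaded matches $expected"
    return 0
}

# ventoy_key_enrolled
# Returns 0 if an enrolled MOK certificate mentions Ventoy (assumption: the
# subject contains the string "Ventoy"), 1 if none does, 2 if mokutil is
# missing. mokutil --list-enrolled reads the MokListRT EFI variable.
ventoy_key_enrolled() {
    if ! command -v mokutil >/dev/null 2>&1; then
        echo "mokutil not available; cannot inspect MOK" >&2
        return 2
    fi
    if mokutil --list-enrolled 2>/dev/null | grep -qi ventoy; then
        echo "Ventoy key is enrolled in MOK. To queue its removal:"
        echo "  mokutil --delete /path/to/ENROLL_THIS_KEY_IN_MOKMANAGER.cer  # placeholder path"
        return 0
    fi
    echo "No Ventoy key found in MOK"
    return 1
}

# Example invocation (placeholder paths and digest; replace with real ones):
# verify_iso "<sha256 from signed SHA256SUMS>" ~/Downloads/distro.iso /media/Ventoy/distro.iso
# ventoy_key_enrolled
```

Hash-checking only tells you the ISO is the one the vendor published if the expected digest itself came from a trusted place; take it from a SHA256SUMS file whose detached signature you have verified with the vendor's key, not from the same mirror page as the ISO. The `mokutil --delete` request takes effect only after a reboot, where MokManager asks for the password you set when queuing the change; this removes the Ventoy certificate from the MOK list, which is where Ventoy's Secure Boot support enrolls it, rather than from the firmware's own db.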
Concerning that Ventoy might have problems, considering I just started using it a few months ago.
While it would be great to have the whole thing open-sourced so that the blobs can be inspected, I feel like this isn't that big of a deal. We're using blobs all over the place all the time. Most of the firmware on our systems is a blob. If we're going to be worried about something, it should start there. I use Ventoy and will continue to do so, until proven otherwise. Trust has to start somewhere or none of this would work. That being said, I do hope that they open it up more so it can be scrutinized.
dd does not have blobs :)))
I'm a big fan of Ventoy, and I find it unfortunate that it's seeing a problem like this crop up.
Even without the issue, though, I've been intending to set up a Clonezilla USB where I have a bunch of prebuilt Clonezilla images I can restore to my systems. It should allow me to have more deeply customized premade setups compared to NTLite ISOs and shell scripts, so I'm hoping it'll reduce my workload significantly.
I'm still going to use Ventoy for the time being where needed, but thanks for the heads up and further drive towards my Clonezilla setup.
I use Ventoy all the time, and I'm not in a position to just buy way too many USB drives, and I don't have many other computers to fall back on. Reflashing and reflashing and reflashing is NOT a viable solution for me. I frequently have to reinstall my few systems, and last thing I need is having a needed tool fail because the flash drive happened to be unavailable. I just needed a solution to boot my many Linux distro install ISOs, Windows ISOs, and recovery tools. I don't need to fragment them all on 20 flash drives, not to mention backups and just carrying them around to be available. I have a single large USB drive containing Ventoy and all my ISOs, as well as a second drive full of my backup ISOs.
Ventoy's really my only good solution, and I honestly don't mind the security implications of Ventoy's own build process, and I only ever update Ventoy when I need to.
So if you don't know what you are talking about why are you stirring the controversy pot? Did you see Toolybird post in the thread?
Dang, thanks
Interesting… I use the sister project iVentoy when deploying sandbox clusters at home and my understanding is that they share a bit of the same DNA.
Thank you for the call-to-action!
When I'm not using pxeboot, I make heavy use of the IODD ST400 external drive. It fulfills the features of Ventoy but as a hardware solution and it works incredibly well. Most systems that can boot from USB CD-ROM can boot an ISO from the IODD.
As I toyed a bit with Ventoy, I understood that you can put your own ISOs into it and even base the images on a (private) repo of ISOs you want to use! Granted, it needs some manual wrangling, but hey, what doesn't need that in the Linux ecosystem?
So IMO if you have these concerns about XYZ-level threats (I distinctly do not question the validity of these concerns!) you can completely manage the used ISOs by yourself and not rely on Ventoy-provided ISOs. As I understood Ventoy, this is the intended use for it.
Would PXE boot work for your needs with netboot.xyz? You could set up a VLAN to securely image machines with a set of ISOs that you can serve over SMB? My only issue is that I deploy quite a few notebooks, so it'd need to pick up some USB network adapters, but otherwise it looks like a decent option.
No, Ventoy is not safe.
audio is slightly off
Thanks for your effort of making a video based on my question 🙂
It'd be wonderful if the freaking BIOSes just had this boot to ISO feature built in rather than people relying on the Chinese for it.
Sounds concerning.. taking a look.
The audio and video seem a bit out of sync, although it's possible the video is rendering slowly on my laptop, but it seems to be happening to this particular video only, so I might be correct.