If[0] the maintainer is entirely honest and well-intentioned, they are clearly a vulnerable target lacking the capabilities to reliably detect if their supply chain would be compromised. Using Ventoy is a huge risk regardless of what you think of maintainer credibility at this point.
The cynical take is that what's on display in this issue is feigned ignorance/incompetence constructing plausible deniability.
Their security posture has not evolved with the times, the threat-landscape, and the growth of the project.
[0]: Very doubtful if you have been following this saga or dig around enough
https://github.com/fnr1r is currently working on a reproducible open build system. If you wish to help the process, direct your attention there! You can see progress on the issues of their repos, as well as in this now (appropriately) locked issue: https://github.com/ventoy/Ventoy/issues/2795
I really like Ventoy and use it and I’m just not worried about getting attacked with it on my personal homelab.
It just works really well.
I used Ventoy for a long time with various distros and even Windows, but for some reason it didn’t work with Arch (btw). I had to use a separate USB thumb drive just for it.
Having just used Ventoy to install Linux on a computer, should I consider it compromised and reinstall? Or technically completely trash it?
I'll believe it when it happens. The maintainer hasn't done much regarding this for over 5 years. There are issues raised about this back in 2020 and not much has changed. It just seems suspicious to me. But I might be paranoid.
I'm not willing to trust it.
FWIW "blob" isn't an acronym. It refers metaphorically to an amorphous ball of goop. In databases only, it has been backronymed to "binary large object".
So much work because most people can’t manage a simple dd invocation.
And because Windows doesn’t allow direct access to the physical layer from a user-space shell.
Such a waste.
Nice that the community is addressing this. I was never able to trust Ventoy in the past, and as such still have a wide array of USB sticks to install Linux flavors with.