• restingOface@quokk.au (OP) · 12 upvotes · 1 day ago

    While Ventoy is technically open source so the code can be verified, the source also contains a number of binary blobs. As these blobs are already compiled, there is no way to verify what they actually do. Ostensibly, these blobs are just drivers and whatnot that are taken from the official upstream sources and are used by Ventoy for good reason to install things. But because they are already compiled blobs, no one is able to actually verify that. It is possible that they can also do something else nefarious, like secretly install some hidden spyware in your new OS that you are installing using Ventoy.

    https://github.com/ventoy/Ventoy/issues/2795

    https://github.com/ventoy/Ventoy/issues/3224

    ELI5: Imagine you like a particular restaurant because they post the ingredients list on their menu. That way, you can tell if a dish fits your dietary requirements. But you notice that while one of their salads lists ingredients that make sense like “ICEBERG LETTUCE” and “CHERRY TOMATO”, one of that salad’s other ingredients is just “CANNED FOOD PRODUCT”. Well, that is incredibly vague and not all that helpful. You can’t really tell what that ingredient is or if it is something you are allergic to. For most people, in most situations, it is entirely fine. They can probably eat the salad with no problem. But some people would rather not risk the potential problems that come from not knowing for sure.

    It was also strange that after this issue was brought up about Ventoy, it took quite a long time for the developer to actually respond. I believe they eventually came up with a good idea for a solution (using GitHub build actions or whatever to build the blobs from source), but mentioned that it will be a big effort to actually switch to. So, they have not actually done that yet. I believe the unverified blobs are still in place in the source right now.
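    The check a reviewer of such a repository would actually run is an audit of every compiled file against a manifest of hashes published by the upstream projects the blobs are said to come from. The following is an added example, not code from the post or from Ventoy; the file names, the sample blob contents and the manifest hashes are constructed for the demo, and the binary-detection heuristic (NUL byte or a high share of non-text bytes) is this example's own choice.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def is_binary(head: bytes) -> bool:
    """Heuristic: a NUL byte or >30% non-text bytes in the first 1 KiB marks a compiled blob."""
    if not head:
        return False
    if b"\x00" in head:
        return True
    text = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    nontext = sum(1 for b in head if b not in text)
    return nontext / len(head) > 0.30

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_blobs(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Sort every binary file under root into 'verified' (hash equals the manifest
    entry for its relative path), 'mismatch' (listed, wrong hash) or 'unlisted'
    (no upstream hash at all, so nothing vouches for what it does)."""
    report: dict[str, list[str]] = {"verified": [], "mismatch": [], "unlisted": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as f:
            head = f.read(1024)
        if not is_binary(head):
            continue  # source text is reviewable; only blobs need a hash
        expected = manifest.get(rel)
        if expected is None:
            report["unlisted"].append(rel)
        elif expected == sha256_file(path):
            report["verified"].append(rel)
        else:
            report["mismatch"].append(rel)
    return report

def demo() -> dict[str, list[str]]:
    """Constructed tree: one blob pinned correctly, one pinned to a placeholder hash, one unlisted."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "src").mkdir()
    (tmp / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    good = b"\x7fELF" + bytes(range(256)) * 4          # fake ELF-like blob
    (tmp / "drivers.bin").write_bytes(good)
    (tmp / "firmware.img").write_bytes(b"\x00\x01\x02" * 100)
    (tmp / "mystery.efi").write_bytes(b"MZ\x00\x90" * 50)
    manifest = {"drivers.bin": hashlib.sha256(good).hexdigest(),
                "firmware.img": "0" * 64}               # placeholder, not a real upstream hash
    return audit_blobs(tmp, manifest)
```

    Anything in the `unlisted` or `mismatch` buckets is exactly the "CANNED FOOD PRODUCT" of the analogy above: present in the tree, but with nothing tying it to a reviewable upstream source.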

    • sudoer777@lemmy.ml · 1 upvote · 1 day ago (edited)

      I’ve tried using GH Actions before to build binaries fully from source and it’s difficult AF. It seems like using something like Nix could make this more doable.