Caution: Ventoy source tree includes unverified prebuilt binaries

During a recent trip down the rabbit hole, I stumbled into an alarming GitHub issue ventoy/Ventoy#2795:
> Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code.
> - https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/cryptsetup
> - https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/Unix/ventoy_unix
> - https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f894657802/DMSETUP
> There is no reason to have those not be built in the release process.
That immediately gave me the shivers!
If you’re unaware of Ventoy, first of all, I’m jelly you are freed from the pain of not being able to use this tool in good conscience anymore. Secondly, it is a very popular and nifty tool that lets you boot multiple operating systems from the same pen drive without wiping it or flashing over any operating system already on it. All you have to do is copy the .iso files onto your pen drive — just like copying regular files. That’s it!
It’s extremely convenient for me as I just flash Ventoy onto all my pen drives from the get-go, which creates the Ventoy partition and lets me copy ISOs or anything else into the remaining free space — I get to use it like a normal flash drive.
I’ve been using and evangelizing Ventoy within my circles ever since I learned about it, and this issue totally flew under my radar. I’m far from being super knowledgeable in the area of bootloaders and operating systems, but I do know for a fact that it’s a huge red flag 🚩 to have prebuilt binaries of unknown origin in an open-source tool used by probably tens of thousands of IT admins and home users, especially one that runs before the operating system is even installed. In the worst case, think of malware that injects itself into the boot process, lingers there and steals all your data 24/7.
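As an added defender-side check (my own example, not code from this post or from Ventoy), here is a small scanner that walks a checkout and flags files carrying ELF, Mach-O or PE headers, which is the kind of audit that surfaces the blobs the issue above points at. The sample tree it builds is constructed for the demo and has nothing to do with the real repository layout.

```python
import os
import struct
import tempfile

SIGNATURES = {  # magic bytes of common prebuilt executable formats, matched at file start
    b"\x7fELF": "ELF executable or shared object",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
SKIP_DIRS = {".git"}

def classify(path):
    """Return the executable kind for `path`, or None if it looks like source or text."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    # "MZ" alone is weak evidence, so also require "PE\0\0" at the e_lfanew offset (0x3c).
    if head.startswith(b"MZ") and len(head) >= 0x40:
        pe_off = struct.unpack_from("<I", head, 0x3C)[0]
        if head[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE executable (EXE/EFI/DLL)"
    return None

def find_binary_blobs(root):
    """Walk a checkout and return sorted (relative_path, kind) pairs for executable blobs."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                found.append((os.path.relpath(full, root).replace(os.sep, "/"), kind))
    return sorted(found)

def make_sample_tree():
    """Build a constructed throwaway checkout: C source, a README, an ELF blob and a PE blob."""
    root = tempfile.mkdtemp(prefix="blobscan-")
    os.makedirs(os.path.join(root, "tool", "bin"))
    with open(os.path.join(root, "tool", "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "README"), "w") as f:  # text that starts with MZ is not a blob
        f.write("MZ-prefixed text must not be flagged; only a real PE header counts.\n")
    with open(os.path.join(root, "tool", "bin", "helper"), "wb") as f:
        f.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)  # ELF e_ident prefix
    with open(os.path.join(root, "tool", "bin", "setup.exe"), "wb") as f:
        # DOS stub with e_lfanew = 64, then the PE signature at offset 64.
        f.write(b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00")
    return root
```

Run it against a real checkout with `find_binary_blobs("/path/to/clone")`; anything it lists should be explainable by the build process, or it has no business being in the tree.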
While I really, really want to be optimistic and say it’s probably just that the author never got around to building and publishing releases via CI (because fuck the monstrosity that’s GitHub Actions), it’s a concern that the issue was raised over a year ago and there has been no communication from the author of the project on this grave matter. Given the criticality of a project like this and where it’s used, it’s not at all unreasonable to feel alarmed.
Based on a quick read of the discussion that ensued in the issue, I infer that there are some build instructions scattered around, but the overall procedure doesn’t seem straightforward enough for someone else to just fork the project and enable CI builds. Of everyone involved, fnr1r seems to have made the most progress in splitting things out, refactoring and trying to make a fork happen, but it’s still too early to say anything.
I haven’t found a good alternative to Ventoy since finding out about this alarming development. Tools like YUMI don’t seem any better in terms of reputation or functionality. If my focus were just Linux distros, there are ways to go about it, but as soon as I mix in Windows and other bootable ISOs, I believe there’s no good alternative.
While it’s not exactly an alternative, I discovered netboot.xyz while looking for one, and it seems like a nifty way to set up VMs and machines. I’m going to give it a try and see if it works for my needs. I wouldn’t even need a pen drive if it works well.