Why have I wasted time flashing USB drives to install Windows (and Linux) on PCs when I could have been doing this all along?

[Windows Central]

Never flash a USB drive again to install Windows or Linux, just use Ventoy. It's so easy, why didn't I know about it before now?

Why have I wasted time flashing USB drives to install Windows (and Linux) on PCs when I could have been doing this all along? : Read more

 

[mes-uk]

Fun times...allow me to give a bonus step, Ventoy is just the starting point – now, add a Pi Zero. I use a Pi Zero as a USB flash drive, utilising gadget mode to serve both as storage and as an Ethernet connection simultaneously. Imagine a 512GB (or larger) flash drive that also provides USB connectivity. I've housed the whole setup in a keychain-style case with an integrated USB adaptor.

It's pretty great, and went from a dust collector to something really useful.

 

[HITS]

This tool has had a recent (the last year or so) list of questionable / safety concerns raised. If I were you, I would quickly add some kind of note at the top about how the UEFI key that's added to the system to use SecureBoot is potentially VERY dangerous. Or about the blobs in the code that are unable to be verified easily. Or that the developer has yet to respond to a host of questions as this is his spare time project. Or that he's based in China, and could be compelled by the govt to add backdoors, etc (not saying that is the case, but it's possible).

I have no doubt that this has been an amazing tool in the arsenal of IT guys for a while now, but in its current state, and with the XZ Utils Backdoor, I don't think it's safe to use.

Head to the GitHub page and go to issue #132. The comments in this section will hopefully help explain the problem. Not saying it's unsafe, but I definitely won't be using it until the Developer responds.

 

[Jestzer]

As HITS has mentioned, this software is not to be trusted, no matter how convenient it is.

 

[TheBeav111]

Lmao love the update at the top: "don't waste your time reading this article do your own research"

 

[TheBeav111]

Lmao love the update at the top: "don't waste your time reading this article do your own research"

Wtf it says I'm a new member .... My account is so old the PW is only 6 lower case letters lmao...

 

[HITS]

I'll take it. Hopefully it'll help keep people from jumping in the deep end that can't swim Thanks Richard!

 

[gregzeng]

TX. This has been mentioned many times in my comments in the reader's part of Distrowatch, over the decades. PCLOS is the only Linux operating system that includes Ventoy in its repositories.

 

[FatalKeystroke]

iodd makes some portable drives and drive cases that are a dream come true for this. I have one that I keep a 2tb drive in loaded with basically every ISO I've ever used as well as a ton of portable apps for different OS's and a few images of live Linux distros I can boot into for various uses. You just organize the files using a specific structure and it just behaves like a regular external drive. Highly suggest looking into it if you like the idea behind the article, I've never seen a better solution. (Points to the guy that brought up using a Pi, their device uses the same idea without the Ethernet but a lower barrier of entry besides price)

 

[Windows user fan]

Nah Rufus ain't even that bad and it is easier for me. It is fast and always did the job

 

[Sim2er]

iodd makes some portable drives and drive cases that are a dream come true for this. I have one that I keep a 2tb drive in loaded with basically every ISO I've ever used as well as a ton of portable apps for different OS's and a few images of live Linux distros I can boot into for various uses. You just organize the files using a specific structure and it just behaves like a regular external drive. Highly suggest looking into it if you like the idea behind the article, I've never seen a better solution. (Points to the guy that brought up using a Pi, their device uses the same idea without the Ethernet but a lower barrier of entry besides price)

I have an iodd also, I think it was recommended by a bootloader developer as the only way to keep secure boot secure and get this functionality. Some of the best money i ever spent was getting that drive.

 

[GraniteStateColin]

This tool has had a recent (the last year or so) list of questionable / safety concerns raised. If I were you, I would quickly add some kind of note at the top about how the UEFI key that's added to the system to use SecureBoot is potentially VERY dangerous. Or about the blobs in the code that are unable to be verified easily. Or that the developer has yet to respond to a host of questions as this is his spare time project. Or that he's based in China, and could be compelled by the govt to add backdoors, etc (not saying that is the case, but it's possible).

I have no doubt that this has been an amazing tool in the arsenal of IT guys for a while now, but in its current state, and with the XZ Utils Backdoor, I don't think it's safe to use.

Head to the GitHub page and go to issue #132. The comments in this section will hopefully help explain the problem. Not saying it's unsafe, but I definitely won't be using it until the Developer responds.

Just to provide links for people to read about these:

The referenced Issue #132: https://github.com/ventoy/Ventoy/issues/132

Also #135 on the ISO safety
https://github.com/ventoy/Ventoy/issues/135

And more on the BLOB problem (with some annoying social media-like facets) #2795:

[issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy

What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...

github.com

Note that the danger with BLOBs is that code COULD (as HITS points out, doesn't necessarily mean it does) modify the ISO during install to create backdoors or triggers. This would be consistent with other actions the Chinese government has taken in their contributions to Open Source projects reaching Western audiences, including some that worked their way into router firmwares.

Just to give extreme examples of how this can be used: think of the Israeli backdoor attack on Hezbollah via their modified pager firmware (and composition in those cases) or the combined US and Israeli backdoor malware attack on Iran to stop their nuclear work several years ago. While I don't think this could lead to explosive or melting hardware, it certainly could lead to clandestine access to systems, which an adversarial government could use to gather info or to take control of all infected systems at a critical moment in time.