Progress update on the Ventoy blob problem (github.com)
from fnrir@lemmy.blahaj.zone to linux@lemmy.ml on 30 Apr 14:37
https://lemmy.blahaj.zone/post/25304065

Posting this since quite a bit has changed since I last posted about this on !technology@lemmy.world.

Here’s a rough breakdown of the current status:

This should be enough to boot Linux with just what’s built manually, but I haven’t tried that yet.

Secure Boot is just done by using a pre-built bypass package. I’ll deal with that later.

Having more people testing this would be nice. :)

Cheers

#linux

threaded - newest

catloaf@lemm.ee on 30 Apr 14:40 next collapse

What is the ventoy blob thing and why is it important?

fnrir@lemmy.blahaj.zone on 30 Apr 14:44 collapse

TLDR: There’s binaries instead of source code in the repo, which makes it hard to near-impossible to verify what it’s doing. And the instructions for building those is lacking.

GH issue: github.com/ventoy/Ventoy/issues/2795

cornshark@lemmy.world on 30 Apr 16:30 next collapse

What’s ventoy?

SloppilyFloss@lemmy.ml on 30 Apr 16:35 next collapse

A tool to make bootable Live USBs out of operating system ISOs.

princessnorah@lemmy.blahaj.zone on 30 Apr 17:27 collapse

I think that’s not quite right, otherwise you could say that Rufus is the same. Ventoy is a Live USB tool that allows you to drag and drop ISOs onto a storage device and boot them without needing to image the device at all. It has its own interface that it boots into, that lets you select which ISO to then boot up.

fmstrat@lemmy.nowsci.com on 02 May 12:24 next collapse

One boot USB to rule them all. Just copy ISOs to it, and boot to a menu of ISOs.

teije9@lemmy.blahaj.zone on 02 May 17:31 collapse

a tool that allows multiple isos to be on one live usb, while the usb still works as a usb

gwilikers@lemmy.ml on 01 May 05:25 collapse

Oh really? You’re saying its a security risk?

Black616Angel@discuss.tchncs.de on 01 May 06:24 collapse

It is a risk as seen in the exploit in xz utils.

drspod@lemmy.ml on 30 Apr 15:01 next collapse

If only booting Linux distros, consider GLIM instead: github.com/thias/glim

stefenauris@pawb.social on 30 Apr 18:42 collapse

Thanks for sharing! I never heard of that before

eneff@discuss.tchncs.de on 30 Apr 16:20 next collapse

Thank you for your work on this! It’s highly appreciated!

I’m about as broke as it gets currently, but are there ways to send money your way in case someone who’s able to comes across this?

fnrir@lemmy.blahaj.zone on 30 Apr 17:51 collapse

Focus on yourself first. I do have a Ko-Fi, but I don’t promote it much.

pastermil@sh.itjust.works on 01 May 03:08 next collapse

So in short, these seven components are what makes the Ventoy blob, am I getting this right?

balsoft@lemmy.ml on 01 May 09:56 next collapse

Are there any instructions on how to build this all to get the ventoy installer binary that can replace upstream? Or is the project not up to this stage yet? I can go without Windows and FreeBSD support.

fnrir@lemmy.blahaj.zone on 01 May 10:09 collapse

On Linux installation is done through a series of scripts and vtoycli. I haven’t worked on that yet, but there’s build scripts there that should do the trick, but since they build it for multiple architectures, you’ll have to run just the stuff for your arch (probably x86_64).

sth like:

cd vtoycli/fat_io_lib/release
gcc -specs "/usr/local/musl/lib/musl-gcc.specs" -O2 -D_FILE_OFFSET_BITS=64 fat*.c -c
ar -rc libfat_io_64.a *.o
cd ../..
gcc -specs "/usr/local/musl/lib/musl-gcc.specs" -Os -static -D_FILE_OFFSET_BITS=64 -Ifat_io_lib/include fat_io_lib/lib/libfat_io_64.a *.c -o vtoycli_64
# Optional
strip --strip-all vtoycli_64
balsoft@lemmy.ml on 01 May 10:11 collapse

Do I have to build all other parts myself before then? (I’m trying to package it for Nix so that other people can also build it more easily)

fnrir@lemmy.blahaj.zone on 01 May 10:17 collapse

Pretty much. I do have some releases, but considering Nix’s philosophy you probably should. Ventoy-CPIO should build fine, if the right toolchains and dietlibc are in PATH. Ventoy-boot relies on overlay mounts though, so it might not build within Nix.

balsoft@lemmy.ml on 01 May 10:19 collapse

Thanks! I will try and report the results back to you.

arsCynic@beehaw.org on 01 May 10:50 next collapse

Got over my laziness
dd will do
stopped using Ventoy
suggesting others to do so too.

electric_nan@lemmy.ml on 01 May 13:52 next collapse

Can you use dd to create multiboot USB drives? Even the link you shared lists Ventoy as an option.

arsCynic@beehaw.org on 02 May 06:03 collapse

“Can you use dd to create multiboot USB drives?”

No. But in my case that’s just a minor inconvenience considering the infrequency of having to use a live USB. And at work I just use separate USBs for wiping drives and OS installs. I much prefer the peace of mind that comes with knowing there’s no Ventoy blob that could potentially infect all its installed operating systems with malware.

In any case, it seems it is possible to manually make a multiboot USB drive manually. Haven’t tried it yet though.

“Even the link you shared lists Ventoy as an option.”

I know. I simply linked that website because it’s where I learned dd from and because for novices it might be less overwhelming than the Arch Wiki.

demunted@lemmy.ml on 02 May 22:31 collapse

Clearly you are not the target audience. For IT pros and tech enthusiasts regularly rebuilding machines and running numerous diagnostic tools from boot, the ability to quickly bootstrap a machines is a massive timesaver. dd is slower and may mean carrying around a lot of usb sticks, something these people all graduated from.

mexicancartel@lemmy.dbzer0.com on 03 May 08:15 collapse

Well you can ditch etcher or rufus with dd, but not ventoy since i carry around like 5 distros in a usb

krolden@lemmy.ml on 01 May 12:44 next collapse

www.iodd.shop/all-products

Much better

pogmommy@lemmy.ml on 01 May 14:11 next collapse

Yeah, bought the st300 after having repeated issues with ventoy not properly mounting disk images causing multiple Linux distro installs to fail. My st300 might be one of my best investments as a technician just for how seamless and simple it is to use.

krolden@lemmy.ml on 01 May 15:53 collapse

I never got uefi images booting properly on those grub multi boot utility drives. Granted the last time I bothered with it was like 10 years ago now since ive had multiple different iodd enclosures since then.

fnrir@lemmy.blahaj.zone on 01 May 14:32 next collapse

Interesting. Sadly it only supports FAT32, NTFS and EXFAT with no Linux filesystems.
And Ventoy is free. It’s hard to argue with free.

krolden@lemmy.ml on 01 May 15:51 collapse

Yeah that’s only for the partition that contains your ISOs.

You can make another ext4 partition on it if you wanted, it just has to not be the first partition on the disk.

Oh and the encryption feature is dumb dont even bother with it

Also you still have to buy your flash drive so why not invest in something better

moonpiedumplings@programming.dev on 03 May 15:08 collapse

The current problem with ventoy is that proprietary blobs are essentially an unauditable possible security backdoor.

This product is entirely proprietary, including the hardware, and even worse.

krolden@lemmy.ml on 03 May 15:16 collapse

All flash drives are proprietary as well what’s the difference

koala@programming.dev on 02 May 09:41 next collapse

I’m still a huge fan of Ventoy, but lately I have been finding more and more issues with it.

So I decided to investigate using a Raspberry Pi Zero with a USB adapter to create a virtual drive:

github.com/…/using-an-rpi-zero-as-an-usb-drive-to…

It’s very wonky and manual at the moment, but I have managed to boot all Linux ISOs successfully so far. Unfortunately, I think only ISOhybrid works OOB, so Windows ISO do not work. I have found some scripts to take Windows ISO and make them ISOhybrid, but haven’t gotten around to doing that yet.

I think it should be doable to package this nicely.

CrypticCoffee@lemm.ee on 02 May 14:40 collapse

Credit to you. Many complained, but you went out of your way to solve the problems. The output here has real value. Thanks.