> Deepin is a distribution developed in Wuhan, China by Deepin Technology. Its homepage proclaims it "the top Linux distribution from China" ... The extensive EULA is uncommon for the Linux space, and the privacy policy goes into some detail about the types of information they collect – not just browser history, but information on when you use your computer and the applications installed on your system.
What underlying result are you hoping the long-term fixation on asking this question is going to resolve? The developer is Chinese and probably doesn't care what someone else's preferred distro is or maybe they are associated with it - what difference does it make to why it's on the site and why not just ask them directly about it instead?
If you mean to just highlight the association with Deepin it doesn't need to be guised as a question.
If you look at https://github.com/ventoy then longpanda is ventoy and they're very likely from China:
> It would be much appreciated if you want to make a small donation to support my work!
> Alipay, WeChat Pay, PayPal and Bitcoin are available for donation. You can choose any of them.
From the very beginning I've been reluctant to use Ventoy. In the beginning there were no instructions on how to build from source. Then after that there were binary blobs that were used in the build.
So far I've never used Ventoy due to these issues. The concept sounds great though.
The attitude in the comments regarding the "look you can see how it's built" is concerning.
A simple virus could easily backdoor every binary on the system which built the file, rinse and repeat.
Before anyone says that Linux viruses do not exist, I have written a handful, as I'm sure many others have. Do not assume lack of observation to be confirmation of your view.
I have always been interested in how these things work, and based an early one on Silvio Cesare's paper ( https://www.win.tue.nl/~aeb/linux/hh/virus/unix-viruses.txt ) as I was associated with him while at university. This virus was to confirm what was written in the paper.
The second I wrote was attempting to exploit the trust that Erlang VMs have with each other. I have rewritten a few in various BEAM-based languages; this was to give evidence to management that security/protections should be put in place for Erlang clustering (RabbitMQ, HA Erlang, etc.).
Another was for working for a large North American Linux vendor's product security group, in an effort to know one's enemy and the effort involved in some of the 'in-the-field' backdoors that were found. In this case, I was reproducing the "virus/RAT" (I use that term loosely) that contained the dirtycow exploit primitive in the wild. I also reversed/reproduced/(exploited ?) their exploitable C&C infrastructure. This information was handed over to law enforcement and I've never heard any more about it.
Each virus had its own reason, none of them escaped my demonstrations.
Yeah, that part has always been weird. I will say that it works wonderfully, especially if you need to install Windows from a USB but only have computers running Linux/Mac available.
The demand for a Ventoy-like tool is clearly there, but I hope that one day we'll have an alternative that we can actually trust. Until then it seems that having a small collection of USB sticks is still the way to go, the inconvenience is preferable to the whole installation getting compromised.
I use and recommend ventoy for convenience. It is so convenient. That is, good for nerds to play with hardware and test distros. Not for end users.
For security, I always recommend burning an ISO onto a physical optical disc. Check the ISO MD5 before burning. No thumbdrives.
Then pray god your Government only approves sales of backdoored hardware where you live. I recommend at least disabling (pulling out) the built-in network cards (yes, wifi/bt too) and buying USB replacements.
Aside from the security issues, this project is pretty clearly violating the GPL by distributing binary versions of other people's code without including either the source code or the original copyright notices.
GPL does not mandate inclusion nor public availability of source code. The code must be provided to users upon request. Most providers of binaries make the source public so they don't have to handle each request manually.
Nowhere near the ergonomics as far as I can tell, but with containers, there's been an effort to make bootable containers. I seem to remember there being some other options (I wanna say like Wyvern or something like that was one but not finding it), but the big obvious effort is bootc. https://containers.github.io/bootable/projects.html . 38d old thread: https://news.ycombinator.com/item?id=40289120
I love using my IODD in "dual-mode" with Clonezilla. It exposes a USB-DVD drive with an emulated Clonezilla DVD in it as well as its HDD storage so I can dump an image right to the hard drive.
(Bonus points: I can then have Clonezilla bundle me a clonezilla-iso package of my captured image, and save it back into the ISO folder to boot from later!)
I almost want one of these, except I have no use for it nowadays. Ventoy didn't even work the one time I tried it, probably because it couldn't hook nixos's initrd properly.
But also, I'm insanely frustrated that (1) Google doesn't allow USB Gadget mode to do this from stock Android (2) the app that appeared to work for LineageOS/rooted devices is abandonware.
There's no good reason why your phone can't serve up ISOs with gadget mode.
I already travel with my ancient Pixel 3a as a backup (which has come in handy, clumsy me). It would be slick to have that as a portable ISO host, and backup phone. (Ignore the USB2 USB-C port, it's fine.)
I remember giving that a go many years ago. Not 100% successful, but when it worked, it was fantastic. It would be incredibly handy nowadays, especially for troubleshooting use cases. OS installation, memtest, clonezilla, portable Windows installation, and you'll always have them with you since you're already carrying your phone!
You can create your own multi-boot media fairly easily with Syslinux. My understanding of Ventoy was that it was just a set of config scripts for Syslinux in the first place.
I remember that when I first encountered Ventoy a while back, it appeared to be just a bootable ISO pre-configured with Syslinux. I didn't use it much, since I already had my own Syslinux config with a variety of bootable environments that I found useful already set up.
Has it evolved into something more complex? It seems odd to complain about binary blobs in something that is meant to be a tool for aggregating pre-existing binary boot media into a single image.
It's not odd because you may trust the boot media and not the actual tool. There should be a way to just dump ISO files directly onto a disk and be presented with a menu very simply to boot one of them. It would require the least amount of trust.
Well, you'd install the Syslinux boot sector onto a removable drive, then copy your ISOs onto that drive, then set up a config file to set up menu options and point them at your ISOs, then you'd boot off of that drive.
Are there any real concerns about Ventoy and security? So if I use it to boot an installer, the installed OS can be backdoored? Or is it just some "possibility", but rather unreal?
netboot.xyz is also killer though slightly different. I installed a permanent netboot version on my home server so I never need to boot an install disk again, but you can also flash it to USB.
Netboot.xyz can itself boot from USB, but it does not then boot arbitrary ISOs off the USB like Ventoy. That's what I meant by it's slightly different, it chain loads netboot images. I find that's what I almost always want to do with a tool like this or Ventoy, so it suits my (and probably many people's) needs. But yes, it's not an exact replacement.
You can add arbitrary netboot images, but I'm not actually sure how much it can do with no network at all.
To be fair, the OP was somehow just pointing fingers. I took a quick look at the issue, 2 of 3 links mentioned are actually with detailed build instructions. It's only ventoy_unix that doesn't. Given that it's just someone's hobby project, I don't see that as a particular issue. A PR to fix those would be much better than the post.
ventoy is pretty useful even if it is potentially risky. they found a way around the secure boot problems (https://ventoy.net/en/doc_secure.html) and i will be the first to admit that i enrolled their keys on the devices i use.
i am still waiting for an ergonomic way to have a persistent usb install of a linux distro, which does not kill the flash storage over time. till then, i got similar levels of trust of the tool as i do with using windows.
My reason to use Ventoy is the possibility to have multiple ISOs on one single USB stick. Before I would have to dd the new ISO to the stick, wiping what was there before. Effectively this resulted in more writes to flash and ultimately multiple broken USB sticks.
You can just use Syslinux with the memdisk module (if you want to boot full ISOs stored on the thumbdrive), or you can extract the ISOs into directory trees and configure Syslinux menu options to load the contents equivalently to the ISO's original bootloader (as long as they're not using hardcoded paths or volume labels to find the filesystems to mount).
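The Syslinux approach described in the comments above (boot sector on the stick, ISOs copied over, a config file pointing menu entries at them via memdisk), combined with a checksum gate, as an added example that is not from the thread or from any project mentioned in it. The `/isos` directory, the `/memdisk` location, the `SHA256SUMS` file name and the function names are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: emit a syslinux.cfg that boots ISOs through memdisk,
# listing only images whose SHA-256 matches an entry in a checksum file.
# Assumed (hypothetical) layout: ISO_DIR holds *.iso plus SHA256SUMS and is
# copied to /isos on the stick; memdisk and menu.c32 sit beside syslinux.cfg.
# Note: memdisk copies the whole ISO into RAM before booting it.

# expected_sum SUMS_FILE NAME -> prints the digest recorded for NAME, if any.
# Accepts both "digest  name" and "digest *name" lines from sha256sum.
expected_sum() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1"
}

# gen_syslinux_cfg ISO_DIR -> config on stdout, skip reasons on stderr.
# File names containing whitespace are not supported by this sketch.
gen_syslinux_cfg() {
    local dir=$1 iso name want got label
    printf 'UI menu.c32\nPROMPT 0\nTIMEOUT 0\nMENU TITLE Verified ISOs\n'
    for iso in "$dir"/*.iso; do
        [ -f "$iso" ] || continue
        name=${iso##*/}
        want=$(expected_sum "$dir/SHA256SUMS" "$name")
        got=$(sha256sum < "$iso" | cut -d' ' -f1)
        # Refuse to list anything unlisted or altered since the sums were made.
        if [ -z "$want" ] || [ "$want" != "$got" ]; then
            echo "skip $name: checksum missing or mismatched" >&2
            continue
        fi
        # Syslinux labels must not contain spaces or punctuation surprises.
        label=$(printf '%s' "${name%.iso}" | tr -c 'A-Za-z0-9_' '_')
        printf '\nLABEL %s\n  MENU LABEL %s\n  LINUX /memdisk\n  INITRD /isos/%s\n  APPEND iso\n' \
            "$label" "$name" "$name"
    done
}
```

The checksum file is only as trustworthy as its source: take it from the distribution's signed release files rather than from the same mirror directory as the ISO.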
Ventoy developer longpanda offers tools for injection into Linux and Windows ISOs, which work with the Ventoy injection plugin, https://news.ycombinator.com/item?id=38691857
> Deepin is a distribution developed in Wuhan, China by Deepin Technology. Its homepage proclaims it "the top Linux distribution from China" ... The extensive EULA is uncommon for the Linux space, and the privacy policy goes into some detail about the types of information they collect – not just browser history, but information on when you use your computer and the applications installed on your system.