Impressive, very nice. Let’s see Paul Allen’s 256GB Ventoy USB with 118 Linux distros and 36 ISO boot tools up his ass
Is that… BoneOS?
When did you get so tasteful?
Solution: install windows for them, but complain and evangelize at every opportunity. You’ll be so insufferable they’ll never ask you again.
Constable Odo treatment.
Thanks for reminding me that the DS9 box set is a high priority on my ripping list
I do that every time I have to use windows. But I think my boss does not like that…
I don’t need friends that are Windows users.
I don’t care what they use, be it linux, a BSD, OSX, Plan9… but windows?? that is pathetic!!
Or don’t
Use whatever you want to use. You can always say no to support requests.
I charge a consulting fee. If you have to ask, you can’t afford it.
Another solution - install Windows 2000, which was the first and the last good Windows distro.
lolll
Another solution: install a Linux distro in kiosk mode and make the browser home page https://www.windows93.net/
Was the Ventoy binary blob issue resolved and it’s cool again?
Just have 500 thinkpads and you can avoid security issues all together! A thinkpad for every distro EZEZ
No. But the argument itself is so stupid to me.
Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.
If you’re one of those people that grab random fuckin’ ISO’s from all over the internet to test em out, then no. You really shouldn’t use Ventoy. If you run official ISO from recognized sources, then realistically the risk is ever present, but minimal.
Like getting in a wreck on the way to the store to pick up milk. It’s always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It’s “we’ll, it’s a crazy useful tool, but you shouldn’t use it because something might happen.”
It’s just such a bad argument. Fact of the matter is, is that if there were a non-hacky as shit way to do what Ventoy does, it would be available right now. But it’s not… Because it’s really not.
The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you’re not being MITM from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?
Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.
The problem with Ventoy isn’t the ISOs.
The problem is they use binary versions of core tools like
cryptsetupin their source tree, vs compiling them at build time.This leaves the door open to supply-chain attacks. I.E. a PR with a bad
cryptsetupbinary, or an attack on crypt that makes its way downstream with no way to audit. This is how huge software distributions make their way to Wikipedia in a bad way: https://en.m.wikipedia.org/wiki/XZ_Utils_backdoorThe solution is the build those binaries at build time, which a fork is working on.
The advantage of Ventoy is its ability to work in any environment and handle 99% of ISOs. Compiling the binaries at build time requires a mature development environment to be able to build these utilities… Your exponentially increasing the size and complexity of the project to solve a relatively minor security issue.
Ventoy is not the only way to create a bootable drive… If you don’t trust the blobs then don’t run the software.
Forking ventoy to add the complexity of building these utilities is only going to be available for *nix base environments so Windows users are pretty much shit out of luck. Your exponentially increasing the size of the project, it’s complexity, and simultaneously significantly narrowing its usability…
I said it before and I’ll say it again it’s such a bad fucking argument. It’s not mature software. It’s a literal confluence of hacks… And if you’re not comfortable with using it then don’t use it. It really is a huge security risk. But advocating that nobody use it is such stupid fucking thing.
Advocate that people understand the risks of using it but to just run around and scream about how nobody should be using it for any reason whatsoever until the maintainer closes the security hole that makes it run is pretty stupid.
You:
solve a relatively minor security issue.
Wikipedia:
In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name “Jia Tan”.[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[5]
Binary supply-chain attacks are not “minor security issues”. There is a reason many companies will not allow admins to use Ventoy.
I like Ventoy, it’s a fantastic project. I like that the author is transparent about where they won’t be spending their time. You can like a project, and recognize it’s flaws at the same time.
A contributor building a PR to solve the build concerns is not a bad thing, it’s to be celebrated. Even a short-term solution of having the build script pull the binaries from a release and checksum them would alleviate a lot of that concern. And the Windows vs Nix item would be alleviated by the GitHub build ENV. Binary releases isn’t the problem, it’s binary in the source. This is about audits and traceability more than the build itself.
Not having a security first posture on these kinds of attacks is how the
xzevent happened, and I would hate to see that happen to Ventoy. I look forward to contributors helping the author out.Binary supply-chain attacks are not “minor security issues”.
Yes they are. The binaries for Ventoy aren’t even updated from release to release. It’s not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don’t even understand how someone of sound mind and body could possibly believe otherwise.
Not having a security first posture on these kinds of attacks is how the xz event happened
No one is making the argument that security doesn’t matter. No one is pushing the idea that Ventoy is secure. I’m saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It’s just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it’s difficult to prove if they are or not, but if you update the binaries all the time they’re more (attack surface is larger) than if they’re only updated when absolutely necessary…
It’s just plain a poor argument and I’m tired of every armchair expert pretending that its not. People in high security environments aren’t using Ventoy. It’s just such a ridiculous argument.
Just gonna drop this one in here.
https://github.com/ventoy/PXE/issues/106
Ventoy PXE used by iVentoy installing malware and fraudulent CA certs from… you guessed it, binary blobs. The primary dev is now in damage control in another issue and moving forward on updating the primary repo. Good on them.
So, yea, not a minor thing, even for Ventoy.
Interesting! & longpanda*
Explains y’all paranoid and keeps using those binaries? Says “sorry I do this free and that would take forever”?
*
To clarify, asking if there has ever been an official developer response/debate on this.
Couldn’t you just compile those dependencies yourself and use your own blobs then?
Yes, but…
The build environment was not clean to start, which is why a contributor is working to correct that.
You could also have the build scripts that run on GitHub pull the binary releases directly from their original release locations at build time, vs a file that an individual can modify in the source tree. This isn’t as good as building from source, but it’s better than nothing.
I read what sounded like an intelligent follow-up on this subject. But I’m not smart enough to verify for myself, so I still refrain from using ventoy - even though I’d love to start using it again.
It was basically “wacky code from all over the place, poor coding practices, can’t find anything bad, but methods used are sus af”
Says one dude I read on the internet :/
That’s it.
Sounds like a Chinese geek tried to make something useful, did a lot of dirty hacks to get it going.
And couldn’t properly explain because his social skills and English weren’t great.
The blobs weren’t super suspicious, just some gpld tools, basically busybox kind of stuff.
The real problem is what he made was so fucking insanely useful and needed by everyone that the standards for software skyrocketed.
Like you make a cure for cancer and everyone starts screaming at you because one of the side effects is temporary impotence.
Such a great post.
Is it mandatory to have in your ass or can you just put it in your pocket?
What’s the difference?
It’s mandatory.
It will become obvious once youve used linux for long enough
Prison pocket.
Too bad my usb stick can only store one distro at a time.
My 77 year old mother-in-law runs Pop cause of me and loves it.
Good for her
Just make sure you respect the wishes of the people around you. It is not ok to force someone to use Linux because you think its a good idea. You don’t get to take advantage of people to push your own agenda. Windows is going to be ideal for most people simply because it is widely supported.
Most sane people wouldn’t bring their some brand car to another brand car mechanic and expect service though, unfortunately most people are not that sane when it comes to it.
No linux? No free support from your frienfly neighborhood technician.
Oh Windows? Yeah that’ll cost…
For me personally I’m not supporting anyone if I can avoid it especially users running Linux. I don’t want to have to manage a custom system when I could instead get them either a plain Windows install or better yet an IPad.
How is me “forcing” somehow worse than Microsoft actually forcing people to use their ad-pushing, data mining spyware of an operating system? My “agenda” is simplifying an elderly person’s computing experience, protecting her from phishing/scams and allowing her the freedom of not having to worry about one other thing.
Weird take, bud.
Best I can do is 60 year old dad on Mint XFCE on a massive Phenom II x4 955. Salvaged from my first PC build.
Hey of it works for your pop and you keep stuff out of a landfill I say that’s a solid win.
My parents love Bazzite.
Is Pop as good and generally user friendly for those less familiar with Linux? Never heard of Pop before!
Why Bazzite for a non-gaming setup? Or are your parents gamers?
My brother set it up for my parents even though they don’t game. I just think he installed it because it as intuitive as Windows for lay people.
Instead of Bazzite, Aurora or Bluefin great options. They’re from the same people, but more general purpose. I use Aurora dx (developer) and my non technical wife uses Aurora.
There’s a game dev version they’re working on that I’m kinda hyped for.
he hasn’t even heard of popos which is a good 50x more popular than bazzite. so obviously he’s here from a “gamers can use this distro” post/video and not familiar with much else
PopOS is great, the installation process is like 5minutes, with 4 minutes being the download and boot from USB. From there on you click “next” 5 times and are rebooting into a working system.
To be absolutely honest, I had to do some googling and command line stuff to get my fingerprint reader in the laptop working but that was the only thing that needed any attention. But I never did a Windows install where I didnt have to configure at least 2-3 drivers, so I consider it a draw.
From there one it is the typical stuff: You need one proprietary software? You have to figure it out for hours how to get it to work. You are fine with open source options? Go enjoy a blazing fast ad-free non intrusive non annoying OS. For me the trade of is worth it. Been using Linux since I was 14, if I could do it from my kids room with parents switching of WLAN after 22:00 you can do it too.
Hey if you don’t know how to do it just say so
I’m shy. ┐('~`;)┌
Windows? Not heard of that distro before, sorry.
They must’ve meant Lindows, very common mistake.
Lindows is deprecated. Must’ve meant Wubuntu.
Just say youre installing wimdows 13
Meanwhile me with a CD book that has 17 bootable DVDs and CDs plus a separate DVD+RW for more random, less permanent crap and a portable USB DVD drive (the drive is sourced from e-waste and fails to write both DVD+/-RW and CD-RW at 4x, only 2.4x and 10x respectively work).
I like spinny media.
I mean, I also have a Ventoy disk, but I haven’t used it for a looooong time because it’s no fun, but discs are.
I just need a bigger backpack. The WRT54GL is taking up quite some space too.
Much cooler than ventoy, no?
Disks are fun, lol are you a masochist?
I bet you never heard its cool sound.
brrrrRRRRR PS PS bRRR PS PS, PS PS, zzzzZZZZZMMMMMMMMM
best thing ever
As someone who loves collecting/hoarding things, major jealous.
I have several dvd drives. Pretty sure none of them works. They have been sitting unused too long. At least one has a permanently deformed rubber band, that drives the spinny thing. They dry out with time and sitting still.
I prefer solid state stuff.
Just be sure you’ve got those backed up. CDR bitrot is real and it can hurt you.
Not to mention iso booting from a disc…just works. Too many times I’ve tried booting various USB images only to have it fail for unknown reasons, the host machine has this weird quirk of not able to boot from a 3.0 port or…idk
Oh boy, you haven’t met some Dell Optiplexes.
That shit, for whatever reason, can’t boot from internal DVD drive. I tried with 2 of them. Both had functional drives, I tried disabling secure boot, enabling legacy boot and some other settings which seemed related, but nothing worked. Then for shits and giggles I tried a USB DVD drive and that worked just fine.
Ya…some devices are seemingly straight hostile for doing this. Combined with Dells insistence on shipping PCs with a wonky “raid” mode for it’s single drive. Just mess. UEFI/secure boot etc…
You have all that up your ass!? ( ; ゚Д゚)
I mean, they have a hole in the middle, so if I stack them they let stuff pass.
I- I didn’t think of that…
If you’re incapable of figuring out how to install Windows then you’re probably incapable of most things in life.
I think without instructions most people would need help due to not knowing what a partition is. So depending on your interpretation of incapable this seems like a huge exaggeration. The Linux installers with GUIs I’ve seen at least explained how to set them up.
I am not incapable, I just don’t want to.
Most people would rather go to the store and get a new computer, than go to a webpage and download an iso. They can figure it out. They are just lazy and have little motivation to try it. They also want what they already know, with as little change as possible.
Windows isn’t hard to install but it does require some computer knowledge
To be fair, Windows wasn’t meant to be installed by the end user that often. It comes preinstalled.
Just saying that it’s brain dead easy to install. You don’t need any technical skill at all.
There are no tricks. Just mouse through a couple of prompts and it’s done.
I’ve installed Linux just as many times as windows and these days Linux is more complicated to set up and install than windows.
Like I get it. Yall have a deep bias for Linux but Jesus Christ can you at least be accurate?
You are vastly overestimating the technical ability of the average computer user. I don’t even mean that in an elitist/disparaging way, they just don’t care about this stuff because they don’t need to.
I find you still have to fuss with partitions. There isn’t a simple wipe everything and install option. You have to manually select the partitions on the disk, delete them and create a new one which somehow triggers it to create several partitions.
There is an upgrade option.
And then they tell you they don’t want a Microsoft account and you have to look up what’s the current hack to get around that if possible.
That said, I think the Linux install experience is very clear about what it’s going to do.
You had it right until the “create a new one” bit.
You can choose empty space instead of a partition and the setup will create the partitions for you. I mean even if you were to choose a partition, I believe it’ll delete it and create new ones because it needs more than just one partition. So on a clean disk, you can pretty much just hit next at that bit.
Lolwat. Last time I installed windows it literally created 3 partitions exactly when I told it “this clean disk - here ya go”
That’s exactly what I said, it creates its own partitions if you make free space or already have a clean disk. No need to manually make a partition.
Aand why the hell does it do that? And why the hell count is more than one? And while we are at it, what is so deadly and frightening with Linux installer creating a partition?
Jesus Christ can you at least be accurate?
Speaking of accuracy, your comment seems to identify the wrong issue. Navigating the install menus in a non-Arch linux distro is pretty much analogous to Windows. The biggest difference is that Linux distros don’t have 3-4 pages where they sneakily try to include privacy-breaching clauses during the installation.
The real issue is starting the installation in the first place. Windows is easy, because hardware manufacturer’s have en masse bent over to willingly present themselves to Microsoft, Linux doesn’t have this advantage and users must figure out how to get around the 7,000 different Secure Boot UEFI configurations before they can even start the installation process.
It was just as easy to install linux, it came with a graphical installer
Shoutout to Medicat toolkit. Takes ventoy to next level.
i installed linux mint on my sisters household PC last week.
my dad did his usual grumblings about “it should be windows” and i just said “i’ve been out of the windows ecosystem completely for the last 5 years and partially for another 3 years beyond that. i no longer provide support for windows, if you want them to have windows you need to support it”
he went quiet after that.
Why does your dad have an opinion on what your sister use?
he’s still coming round to the fact he’s not getting security updates soon due to lack of a TPM module.
He’ll be running mint too by the end of the year
Please don’t go around forcing people into Linux…
i’m not forcing him into it, microsoft is
Right? OS arguments over Thanksgiving dinner sounds like kind of a good time.
Well, beats other kinds of argument.
Honestly that sounds like a jerk move. Why would you force someone to use Linux? It isn’t your computer and if you are helping them you should do what they want. I wouldn’t be surprised if they bought a new machine and then ghosted you.
Where did they say they forced anyone? They just said they installed it.
Maybe I’m just reading into it but I read it as they wiped the drive and installed Linux without asking for explicit permission.
Well, based on the rest of their comment, they were “providing support”, so the implication is that the sister asked for help and received it.
I would assume that they informed their sister as to what would be installed. I don’t think it’s fair to assume the worst without context.
Honestly that sounds like a jerk move.
Quite the opposite,
Why would you force someone to use Linux?
In what world is that force ? He wasnt holding a gun to her head, the opposite, he’s freeing her from stupidity.
Decent people help others, they don’t go along with their stupid ideas before at least trying to convince them its a stupid idea. An allegory perhaps, your friend comes over, they have a 1/2 dozen beers, they’re going to drive home… In your world it seems it’s force to ask them not to and to stay over.
It isn’t your computer and if you are helping them you should do what they want
Helping them is the phrase you seem to be confused about. It’s his sister, not his boss at the office.
Some people actually want Windows. That’s not a “stupid idea” and it definitely shouldn’t be compared to drunk driving. I’ve lost people to drunk driving but last time I checked no one died or was fired because they use Windows. The evangelical rhetoric around Linux is harmful to Linux. Don’t go around promoting Linux like it is somehow going to be worlds ahead of Windows.
If someone is looking for a Windows alternative it might be worth a mention. Don’t turn into some sort of Linux sales person. Linux can be good but it isn’t a Windows alternative. It requires some getting used to.
It’s not hers. it’s one of my computers that i am deploying to her house for her and her family to use.
It’s technichally for my neice but the rest of the family all also have access.
no one in that household has expressed a specific preference of operating system. other than my brother in law texting me to tell me one of the old games he tried to install doesnt work (i did promptly offer to “make it work” but he declined).
I have no problem with them installing windows on it if thats what they want. they wont be coming to me for technical support if they do though.
Your father gave me his USB stick in Vietnam, son.
where did you keep it?
I carried this uncomfortable hunk of data up my ass for two years. And now little man, I give it to you.
I wouldn’t provide tech support unless you have a very good reason. You also want Windows as that’s what everyone knows. Stick to the beaten path when you can unless you have a very good reason to stray.
