Ventoy Security Concerns

While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the “test files” in the xz-utils backdoor catastrophe…

Very worrying!

Indeed...

https://github.com/ventoy/Ventoy/issues/2795

(though a lot of comments on that issue seem quite rude)

There have also been no updates to Ventoy since June, which was when the concerns started to gain public attention. I really hope that it’s not malicious... I installed my current system with Ventoy.

It’s crazy to hear this!

Ventoy is a must for me :confused:

I am not entirely worried about this, but I do think either the main contributor or some community members who are willing and have the time to replace the blobs with source could happen. It’s just there are a lot of deps there, and having to track down the source can be a pain if you aren’t the one who included the blobs in the first place.

I think the most worrisome part isn’t even the presence of the blobs themselves, but rather the lack of any response or updates by the maintainer despite the concerns that were raised. I wish they would at least come out and state that this will be addressed…

2 Likes
1 Like

They can wave that list of sources around all they want, it doesn’t excuse their nonchalant responses over the years or extreme insecurity like this: iVentoy installing unsafe Windows Kernel drivers · Issue #106 · ventoy/PXE · GitHub

Do not use Ventoy. Just use dd or gnome-disks or more trusted programs like Rufus.
Also don’t use Balena Etcher either, that thing has trackers.

2 Likes

Ventoy has definitely some problems but please note that iVentoy is a separate software, I’m not sure they share the same bug.

2 Likes

Are there alternatives or a tricky (manual) way to start multiple ISO files from the same USB?

I have more than 4 ISO files on my Ventoy USB. It will be extremely difficult for me to not use Ventoy :confused:

Why not just use separate flash drives?

1 Like

That option won’t work for me. I use my Ventoy as my keychain and have over 20 ISO files stored on it. I definitely won’t be using 20 separate USB keychains!

4 Likes

I’m in the same boat. I’ve stopped using Ventoy since it seems risky, but there is nothing that can replace it at this time unless you have tons of money and space for more flash drives. I’m sure if someone forked the project it’d gain traction considering how long this issue has gone unresolved.

6 USB-drives?

I also store a clone of that drive on my family members. With 3 houses, I have to manage 18 drives :slight_smile: That’s not maintainable.

Are the latest updates still bad for Ventoy? What is the latest situation?

Someone has to definitely fork goddamn Ventoy…

1 Like

I am tired of people just shrugging this off like it is no problemo.
Ventoy and iVentoy are the same developer.
iVentoy is shipping extremely suspicious obfuscated drivers.
Ventoy is shipping extremely suspicious blobs.
Ventoy author then goes and ignores or downplays this for years.
This is 3 red flags.
People need to stop giving this person or group such absurd leniency given how much these programs are in a critical path.
I genuinely question if the majority of the sympathizers are just astroturfing from them à la Jia Tan’s promotion.

1 Like

Did you check?

It’s based on Rufus.

2 Likes

I’d like to add: It is possible to create a multi-boot USB drive with GRUB: Multiboot USB drive - ArchWiki

2 Likes
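The GRUB loopback approach linked above, as an added example that is not from the thread or the ArchWiki page: a POSIX shell script that writes grub.cfg menu entries which loop-mount ISO files already stored on the stick, so no third-party blobs are needed. It assumes the ISOs sit on the stick’s data partition, the caller passes that partition’s filesystem UUID, and the ISOs use the upstream archiso or Ubuntu casper kernel/initrd layouts; the UUID and file names in the sample call are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit grub.cfg entries that boot ISO files via GRUB's loopback
# device, so the stick needs only GRUB plus the ISOs, no third-party blobs.
# Assumptions: ISOs live on the data partition whose filesystem UUID the caller
# supplies; kernel/initrd paths follow the upstream archiso and casper layouts.

# emit_entry <title> <uuid> <iso> <kernel path> <initrd path> <kernel args>
emit_entry() {
    printf 'menuentry "%s" {\n' "$1"
    printf '    search --no-floppy --fs-uuid --set=root %s\n' "$2"
    printf '    set isofile="%s"\n' "$3"
    printf '    loopback loop $isofile\n'
    printf '    linux (loop)%s %s\n' "$4" "$6"
    printf '    initrd (loop)%s\n' "$5"
    printf '}\n'
}

# grub_entry <fs-uuid> <iso path relative to the partition root>
# Returns 1 for ISOs whose internal layout this script does not know.
grub_entry() {
    uuid=$1; iso=$2
    name=$(basename "$iso" .iso)
    case "$name" in
        archlinux-*)
            # archiso locates its own ISO through img_dev and img_loop
            emit_entry "$name" "$uuid" "$iso" \
                /arch/boot/x86_64/vmlinuz-linux \
                /arch/boot/x86_64/initramfs-linux.img \
                "img_dev=/dev/disk/by-uuid/$uuid img_loop=\$isofile archisobasedir=arch" ;;
        ubuntu-*)
            # casper live images locate the ISO through iso-scan/filename
            emit_entry "$name" "$uuid" "$iso" \
                /casper/vmlinuz /casper/initrd \
                "boot=casper iso-scan/filename=\$isofile quiet" ;;
        *)  return 1 ;;
    esac
}

# gen_grub_cfg <fs-uuid> <iso>...  Unknown ISOs are reported on stderr and skipped.
gen_grub_cfg() {
    uuid=$1; shift
    printf 'set timeout=10\n'
    for iso in "$@"; do
        grub_entry "$uuid" "$iso" || echo "skipping $iso: unknown layout" >&2
    done
}

# Constructed sample call: the UUID and file names are placeholders, not real values.
gen_grub_cfg 1234-ABCD /boot/isos/archlinux-2024.06.01-x86_64.iso \
    /boot/isos/ubuntu-24.04-desktop-amd64.iso /boot/isos/mystery.iso
```

Redirect the output to the stick’s grub.cfg after installing GRUB to it; distributions with other layouts need their own case branch, which is the manual work the ArchWiki page walks through.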

I didn’t.
I find it very concerning actually, I just pointed out that arguing about Ventoy using another software even from the same developer was somewhat flawed and could be misleading.

I agree with you in your assessment though.

It also has binaries. Does it matter?