While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the “test files” in the xz-utils backdoor catastrophe…
There have also been no updates to Ventoy since June, which was when the concerns started to gain public attention. I really hope that it’s not malicious… I installed my current system with Ventoy.
I am not entirely worried about this, but I do think either the main contributor or some community members who are willing and have the time could replace the blobs with source. It’s just that there are a lot of deps there, and having to track down the source can be a pain if you aren’t the one who included the blobs in the first place.
I think the most worrisome part isn’t even the presence of the blobs themselves, but rather the lack of any response or updates by the maintainer despite the concerns that were raised. I wish they would at least come out and state that this will be addressed…