The Arch AUR PKGBUILD maintainer commented:
https://github.com/ventoy/Ventoy/issues/2795#issuecomment-2272249476
"Anyway, my take on the whole situation is that the Ventoy author is an honourable person. Of course, I cannot be 100% certain, but I firmly believe there are no backdoors or anything dodgy going on here. Everyone needs to chill out a bit.
I'd be willing to help @ventoy try and get a proper build system going. I have proved that we don't need to rely on Centos 7 as a build environment."
This is promising. I really hope a good build system helps address this trust issue.
@robin @jak2k @vkc That is a potentially good sign. The appearance of a social engineering attack on Veronica's YT channel doesn't give me much hope though. When it was just binary blobs there was the "mhh... worrying but whatever". When it was the ignored security thread it was "mhh... more worrying but whatever". Now that there's social engineering involved too, I'm thinking "ok this is bad". I doubt the Arch Linux maintainer is aware of that.
I actually am working on getting a security audit done over here - I have two VMs installed, one for building Ventoy and new copies of all of the blobs, and one for comparing and inspecting them. I'll report back what I find.
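As an added illustration of the rebuild-and-compare step described above (not code from the Ventoy project or from anyone in this thread): a POSIX shell check that hashes every file in a shipped tree of blobs and a locally rebuilt tree and reports which ones reproduce. The directory layout and sample files are constructed for the demo, and it assumes `sha256sum` from coreutils.

```shell
#!/bin/sh
# Added example, not Ventoy project code. Compares a rebuilt tree of binary
# blobs against the shipped tree by SHA-256. Paths below are assumptions.
set -u

# compare_trees SHIPPED_DIR REBUILT_DIR
# Prints one line per file: MATCH, MISMATCH, MISSING-IN-REBUILD or
# EXTRA-IN-REBUILD. Returns 0 only when every shipped blob was reproduced
# byte-for-byte and the rebuild produced nothing the release lacks.
compare_trees() {
  shipped="$1"; rebuilt="$2"; bad=0
  for f in $(cd "$shipped" && find . -type f | sort); do
    f="${f#./}"
    if [ ! -f "$rebuilt/$f" ]; then
      echo "MISSING-IN-REBUILD $f"; bad=1; continue
    fi
    a=$(sha256sum "$shipped/$f" | cut -d' ' -f1)
    b=$(sha256sum "$rebuilt/$f" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then
      echo "MATCH $f"
    else
      echo "MISMATCH $f shipped=$a rebuilt=$b"; bad=1
    fi
  done
  for f in $(cd "$rebuilt" && find . -type f | sort); do
    f="${f#./}"
    [ -f "$shipped/$f" ] || { echo "EXTRA-IN-REBUILD $f"; bad=1; }
  done
  return "$bad"
}

# Constructed demo data: one blob that reproduces, one that differs,
# and one that the rebuild never produced.
make_demo() {
  d=$(mktemp -d); mkdir -p "$d/shipped/boot" "$d/rebuilt/boot"
  printf 'identical payload' > "$d/shipped/boot/core.img"
  printf 'identical payload' > "$d/rebuilt/boot/core.img"
  printf 'shipped bytes' > "$d/shipped/boot/loader.bin"
  printf 'rebuilt bytes' > "$d/rebuilt/boot/loader.bin"
  printf 'only shipped' > "$d/shipped/extra.bin"
  echo "$d"
}

demo_dir=$(make_demo)
compare_trees "$demo_dir/shipped" "$demo_dir/rebuilt" \
  || echo "rebuild did not reproduce every shipped blob"
```

Blobs that embed build timestamps or build paths will show as MISMATCH even from an honest build, so those fields have to be normalised or the blob diffed further before a mismatch tells you anything.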