@robin @jak2k @vkc That is a potentially good sign. The appearance of a social engineering attack on Veronica's YT channel doesn't give me much hope though. When it was just binary blobs there was the "mhh... worrying but whatever". When it was the ignored security thread it was "mhh... more worrying but whatever". Now that there's social engineering involved too, I'm thinking "ok this is bad". I doubt the Arch Linux maintainer is aware of that.

I actually am working on getting a security audit done over here - I have two VMs installed, one for building Ventoy and new copies of all of the blobs, and one for comparing and inspecting them. I'll report back what I find.