Dude: "Damn... I really want to be able to see the inside of my computer. Why won't anyone help me install windows to the case?"
this post was submitted on 30 Mar 2025
14 points (100.0% liked)
linuxmemes
31394 readers
2155 users here now
Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
- Don't get baited into back-and-forth insults. We are not animals.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudoin Windows. - No porn, no politics, no trolling or ragebaiting.
- Don't come looking for advice, this is not the right community.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
5. π¬π§ Language/ΡΠ·ΡΠΊ/Sprache
- This is primarily an English-speaking community. π¬π§π¦πΊπΊπΈ
- Comments written in other languages are allowed.
- The substance of a post should be comprehensible for people who only speak English.
- Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
6. (NEW!) Regarding public figures
We all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations. - Keep discussions polite and free of disparagement.
- We are never in possession of all of the facts. Defamatory comments will not be tolerated.
- Discussions that get too heated will be locked and offending comments removed. Β
Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.
founded 2 years ago
MODERATORS
Got my parents a new computer for Christmas. I didn't feel like acting as their 24/7 tech support so I let it with the Windows 11 that it came with. Yesterday they couldn't get their webcam and microphone to work at all for our weekly family videocall. We ended up having the videocall on Signal. I believe they would face less troubles with Debian at this point.
Too bad my usb stick can only store one distro at a time.
Ventoy is completely insane in terms of how it works fwiw: https://discourse.nixos.org/t/custom-nixos-installer-plug-install-play-how-to-achieve-this/61710/13
Thanks for the extra info and thanks for this useful nixos discourse post!
NixOS ftw (I use NixOS btw)
Solution: install windows for them, but complain and evangelize at every opportunity. You'll be so insufferable they'll never ask you again.
I do that every time I have to use windows. But I think my boss does not like that...
Another solution - install Windows 2000, which was the first and the last good Windows distro.
Another solution: install a Linux distro in kiosk mode and make the browser home page https://www.windows93.net/
Windows? Not heard of that distro before, sorry.
They must've meant Lindows, very common mistake.
Lindows is deprecated. Must've meant Wubuntu.
Me with 40$ 1tb external ssd with ventoy be like
I can't fit an SSD up my ass. :(
Not with that attitude
Was the Ventoy binary blob issue resolved and it's cool again?
No. But the argument itself is so stupid to me.
Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.
If you're one of those people that grab random fuckin' ISO's from all over the internet to test em out, then no. You really shouldn't use Ventoy. If you run official ISO from recognized sources, then realistically the risk is ever present, but minimal.
Like getting in a wreck on the way to the store to pick up milk. It's always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It's "we'll, it's a crazy useful tool, but you shouldn't use it because something might happen."
It's just such a bad argument. Fact of the matter is, is that if there were a non-hacky as shit way to do what Ventoy does, it would be available right now. But it's not... Because it's really not.
The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you're not being MITM from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?
Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.
The problem with Ventoy isn't the ISOs.
The problem is they use binary versions of core tools like cryptsetup in their source tree, vs compiling them at build time.
This leaves the door open to supply-chain attacks. I.E. a PR with a bad cryptsetup binary, or an attack on crypt that makes its way downstream with no way to audit. This is how huge software distributions make their way to Wikipedia in a bad way: https://en.m.wikipedia.org/wiki/XZ_Utils_backdoor
The solution is the build those binaries at build time, which a fork is working on.
The advantage of Ventoy is its ability to work in any environment and handle 99% of ISOs. Compiling the binaries at build time requires a mature development environment to be able to build these utilities.... Your exponentially increasing the size and complexity of the project to solve a relatively minor security issue.
Ventoy is not the only way to create a bootable drive... If you don't trust the blobs then don't run the software.
Forking ventoy to add the complexity of building these utilities is only going to be available for *nix base environments so Windows users are pretty much shit out of luck. Your exponentially increasing the size of the project, it's complexity, and simultaneously significantly narrowing its usability....
I said it before and I'll say it again it's such a bad fucking argument. It's not mature software. It's a literal confluence of hacks... And if you're not comfortable with using it then don't use it. It really is a huge security risk. But advocating that nobody use it is such stupid fucking thing.
Advocate that people understand the risks of using it but to just run around and scream about how nobody should be using it for any reason whatsoever until the maintainer closes the security hole that makes it run is pretty stupid.
You:
solve a relatively minor security issue.
Wikipedia:
In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan".[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[5]
Binary supply-chain attacks are not "minor security issues". There is a reason many companies will not allow admins to use Ventoy.
I like Ventoy, it's a fantastic project. I like that the author is transparent about where they won't be spending their time. You can like a project, and recognize it's flaws at the same time.
A contributor building a PR to solve the build concerns is not a bad thing, it's to be celebrated. Even a short-term solution of having the build script pull the binaries from a release and checksum them would alleviate a lot of that concern. And the Windows vs Nix item would be alleviated by the GitHub build ENV. Binary releases isn't the problem, it's binary in the source. This is about audits and traceability more than the build itself.
Not having a security first posture on these kinds of attacks is how the xz event happened, and I would hate to see that happen to Ventoy. I look forward to contributors helping the author out.
Binary supply-chain attacks are not βminor security issuesβ.
Yes they are. The binaries for Ventoy aren't even updated from release to release. It's not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don't even understand how someone of sound mind and body could possibly believe otherwise.
Not having a security first posture on these kinds of attacks is how the xz event happened
No one is making the argument that security doesn't matter. No one is pushing the idea that Ventoy is secure. I'm saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It's just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it's difficult to prove if they are or not, but if you update the binaries all the time they're more (attack surface is larger) than if they're only updated when absolutely necessary...
It's just plain a poor argument and I'm tired of every armchair expert pretending that its not. People in high security environments aren't using Ventoy. It's just such a ridiculous argument.
Just gonna drop this one in here.
https://github.com/ventoy/PXE/issues/106
Ventoy PXE used by iVentoy installing malware and fraudulent CA certs from... you guessed it, binary blobs. The primary dev is now in damage control in another issue and moving forward on updating the primary repo. Good on them.
So, yea, not a minor thing, even for Ventoy.
Directly from the developer:
iVentoy and Ventoy are two completely different softwares and have no shared files.
You seem to be implying that because iVentoy (which is not Ventoy) is vulnerable to this attack then that means that Ventoy is also vulnerable which is not only highly speculative, it remains to be seen.
Actually, when iVentoy boot Windows through PXE, it will boot the WinPE with test mode, so there is no need for the driver file to be signed. So httpdisk_sig.sys is actually not needed and can be removed later.
The dev goes on to explain;
the httpdisk driver will be installed only in the temporary WinPE environment (running in the RAM), not the final Windows system
The driver is singularly used in the PE environment. That's it.
Is this a security issue? Sure. Is it as bad as everyone wants to make it out to be? Not really. From start to finish the Ventoy fever people seem to be getting by unsigned blobs is simply insane. Its a bout of hysteria and it's not impressive at all.
I read what sounded like an intelligent follow-up on this subject. But Iβm not smart enough to verify for myself, so I still refrain from using ventoy - even though Iβd love to start using it again.
It was basically βwacky code from all over the place, poor coding practices, canβt find anything bad, but methods used are sus afβ
Says one dude I read on the internet :/
That's it.
Sounds like a Chinese geek tried to make something useful, did a lot of dirty hacks to get it going.
And couldn't properly explain because his social skills and English weren't great.
The blobs weren't super suspicious, just some gpld tools, basically busybox kind of stuff.
The real problem is what he made was so fucking insanely useful and needed by everyone that the standards for software skyrocketed.
Like you make a cure for cancer and everyone starts screaming at you because one of the side effects is temporary impotence.
Meanwhile me with a CD book that has 17 bootable DVDs and CDs plus a separate DVD+RW for more random, less permanent crap and a portable USB DVD drive (the drive is sourced from e-waste and fails to write both DVD+/-RW and CD-RW at 4x, only 2.4x and 10x respectively work).
I like spinny media.
I mean, I also have a Ventoy disk, but I haven't used it for a looooong time because it's no fun, but discs are.
I just need a bigger backpack. The WRT54GL is taking up quite some space too.
Much cooler than ventoy, no?
You have all that up your ass!? ( ; οΎΠοΎ)
I mean, they have a hole in the middle, so if I stack them they let stuff pass.
I- I didn't think of that...