If[0] the maintainer is entirely honest and well-intentioned, they are clearly a vulnerable target lacking the capabilities to reliably detect if their supply chain would be compromised. Using Ventoy is a huge risk regardless of what you think of maintainer credibility at this point.

The cynical take is that what's on display in this issue is feigned ignorance/incompetence constructing plausible deniability.

Their security posture has not evolved with the times, the threat landscape, and the growth of the project.

[0]: Very doubtful if you have been following this saga or dig around enough



> Very doubtful if you have been following this saga or dig around enough

This is the first I'm hearing of any of this drama. Any links to relevant information indicating that the maintainer is being disingenuous?


There are probably better links still around if you DYOR but a sample with further pointers:

https://nixsanctuary.com/ventoy-718-shades-of-open-source/

https://news.ycombinator.com/item?id=40689629 (See also: Sus behavior from Deepin which recently got the project removed from Suse)

https://feddit.org/post/12078124

https://linuxmom.net/@vkc/112906968594601449

