• Sylra@lemmy.cafe · 6 hours ago

    You’re right to bring that up. There was and still is some concern about Ventoy using a lot of precompiled binary files (called “blobs”) in its source code, rather than building everything from source during release. This makes it harder to verify that the binaries are safe and haven’t been tampered with, especially after incidents like the XZ Utils backdoor in 2024.

    The developer acknowledges this and has started listing all the blobs with their sources and checksums here:
    https://github.com/ventoy/Ventoy/blob/master/BLOB_List.md
    This file was created in response to issue #3224, which was opened specifically to address concerns about these blobs. It includes descriptions, where each blob came from, and SHA256 hashes so users can check them manually. However, it doesn’t include automated build scripts, so verification still depends on manual effort.

    The discussion started in early 2024 in issue #2795:
    https://github.com/ventoy/Ventoy/issues/2795

    And as of May 2025, the maintainer proposed a plan to improve transparency by using GitHub CI to build the blobs from source in separate repositories:
    https://github.com/ventoy/Ventoy/issues/3224

    No major malicious activity has been found, but the lack of full reproducible builds means some trust is required. If you’re security-conscious, it’s worth verifying the hashes yourself or considering alternatives. The project remains open source and widely used, but this issue hasn’t been fully resolved yet.
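A small checker in the spirit of the manual hash verification the comment describes, added here as an example (it is not Ventoy's own tooling): it parses a blob list in an assumed markdown-table layout and labels each file in an unpacked Ventoy tree OK, MISMATCH or MISSING against its listed SHA256. The table layout, the paths and the digests in the sample are assumptions and constructed values, not taken from the real BLOB_List.md.

```python
"""Verify an unpacked Ventoy tree against a checksum list like BLOB_List.md.
Added example, not Ventoy's tooling. Assumed layout: a markdown table whose
first column is the blob's relative path and whose last column is its SHA256."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the assumed layout; rows are made up, not from the real file.
SAMPLE_LIST = """\
| Blob | Source | SHA256 |
|------|--------|--------|
| GRUB2/core.img | built from grub2 source | 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae |
| EDK2/shim.efi | upstream shim release | fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9 |
| IMG/ventoy.img | built from source | 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 |
"""
HASH_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_blob_list(text):
    """Return {relative_path: expected_sha256}; header and separator rows are skipped."""
    expected = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and HASH_RE.match(cells[-1].lower()):
            expected[cells[0]] = cells[-1].lower()
    return expected

def sha256_of(path):
    """Hex SHA256 of a file (blobs here are small; stream in chunks for big ones)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_blobs(root, expected):
    """Label every listed blob OK, MISMATCH or MISSING relative to root."""
    results = {}
    for rel, digest in expected.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "MISSING"
        else:
            results[rel] = "OK" if sha256_of(p) == digest else "MISMATCH"
    return results

def run_demo():
    """Constructed tree: one intact blob, one altered blob, one absent blob."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("GRUB2/core.img", b"foo"), ("EDK2/shim.efi", b"tampered")):
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return verify_blobs(root, parse_blob_list(SAMPLE_LIST))
```

Any MISMATCH or MISSING result is a reason to stop and investigate the download rather than to proceed; an OK result only tells you the file matches what the maintainer published, not that the published blob itself was built honestly.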