So the idea behind qubesOS is, you’re ‘ok’ as long as anything can’t get to dom0, since you can delete VMs as you please, if you suspect they have anything malicious going on. However ventoy is used to boot isos/live environments so I’m given to believe it has complete control over the system, if it wants to. So, how far can it go, really? Maybe it could muck around in the efi system partition, or could it even install a uefi rootkit if it wanted to?
I ask because, as is mentioned in the links above, the ventoy project doesn’t have best practices when it comes to actually building the software; they pull in some binary blobs and people have no way of verifying those. But even more concerning (for me at least) is the fact that the developer hasn’t responded to any of the issues raised.
So my question is, if I used ventoy in the past, what should I do?