Is Balena Etcher Safe?

Hi. There is a full "Create a bootable USB drive" tutorial at BurningIsoHowto - Community Help Wiki which should not include the download of Balena Etcher, which has been claimed to be potential spyware, and for which there is no Ubuntu APT or Snap repo. Why push Balena?

As this is more about Etcher software than about the tutorial, we have moved this to a separate topic.

Folks participating in the topic:
Please ensure discussion is factual.
Cite sources when possible.

Let’s please avoid unsupported assertions and speculation when safety and security is involved.

1 Like

I don’t have specific information regarding the security concerns about Balena Etcher, so I can’t comment on that part.

However, for creating bootable USB drives from ISO files, I personally prefer using Ventoy. I find it simpler to use, and in my experience it offers better accessibility support, which is important for some users.

That said, different tools work better for different workflows — it ultimately depends on user preference and needs.

2 Likes

Better yet, why not simply avoid 3rd-party dependencies … and use a script using built-in system capabilities?

For that, I refer you to a script which I included in a posting on the UbuntuMATE Discourse:

Ventoy is a security nightmare

1 Like
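The post above refers to a script that relies only on built-in system capabilities. As an added example that is not the script from that post and not from any project, here is what such a script looks like with nothing beyond GNU coreutils: it checks the ISO's SHA-256 against a SHA256SUMS file of the kind published next to Ubuntu images (either `hash  name` or `hash *name` lines), refuses to write to a disk that has anything mounted, writes the image with dd, and reads the device back to confirm the bytes landed. The script name, the expectation that the target is a whole-disk device such as /dev/sdX, and the SHA256SUMS format are assumptions.

```shell
#!/bin/sh
# Added example (not the script from the post above, not from any project):
# write an ISO to a USB device with only base-system tools (sha256sum, awk,
# dd, head), checking the image before the write and the device after it.
# Assumptions: GNU coreutils, a SHA256SUMS file in "hash  name" or "hash *name"
# form, and a whole-disk target such as /dev/sdX rather than a partition.
set -e

# Compare the ISO's SHA-256 with the entry for it in SHA256SUMS.
# Returns 0 on a match, 1 when the entry is missing or the hash differs.
verify_iso() {
    iso="$1"; sums="$2"
    name=$(basename "$iso")
    # Ubuntu publishes lines as "hash *name"; plain "hash  name" is accepted too.
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
}

# Write the image to the device and read it back. Refuses to touch a device
# that has anything mounted, the usual sign of having picked the wrong disk.
write_iso() {
    iso="$1"; dev="$2"
    if grep -qs "^$dev" /proc/mounts; then
        echo "$dev (or a partition on it) is mounted; refusing to write" >&2
        return 1
    fi
    dd if="$iso" of="$dev" bs=4M
    sync
    # Read back exactly the image's size; the device is normally larger.
    size=$(wc -c < "$iso" | tr -d ' ')
    written=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    expected=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$written" = "$expected" ]
}

# Usage: ./write-iso.sh ubuntu.iso SHA256SUMS /dev/sdX   (as root for a real device)
# The flow runs only when arguments are given, so the functions can be sourced.
if [ $# -eq 3 ]; then
    verify_iso "$1" "$2"
    write_iso "$1" "$3"
    echo "wrote and verified $1 on $3"
elif [ $# -ne 0 ]; then
    echo "usage: $0 image.iso SHA256SUMS /dev/sdX" >&2
    exit 2
fi
```

The readback compares only the first `size` bytes of the device, since a USB stick is larger than the image and its trailing contents are irrelevant. The mount check matches any partition of the target device, which is deliberate: if `/dev/sdb1` is mounted, `/dev/sdb` is almost certainly not the stick you meant.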

Could you please elaborate on why you consider Ventoy a “security nightmare”?
Are there specific vulnerabilities, CVEs, or architectural concerns you’re referring to? I’m genuinely interested in understanding the technical reasoning behind that statement.

4 Likes

I’ve recently tested Balena Etcher on Windows and noticed two things:

  1. Accessibility has improved significantly — I was able to use it smoothly with assistive technology.
  2. My security software (Kaspersky) did not flag it or report any threats.

So from my personal experience, Etcher worked well and did not raise security concerns on my system.

That said, I think it’s important we base security discussions on verifiable technical information rather than general statements.

2 Likes

Balena Etcher uses Sentry for app performance monitoring and error analysis. Every time you start the program, it phones home to Sentry.io’s servers and Google’s CDN and continues sending analytic data throughout the program’s session. Some people are wary of that because they’re privacy conscious and because BE provides no way to turn it off. You can disable the sending of anonymized error reports, but the application still connects and transmits data to Sentry’s server and Google’s CDN.

I think it’s somewhat hyperbolic to classify Balena Etcher as “spyware”, since telemetry and analytic data are collected by a lot of applications, including open-source ones (Firefox, for instance, uses telemetry). Is it a privacy concern? Yes, but users will need to decide for themselves on the trade-off between the usefulness of the application vs. the potential loss of privacy resulting from such use.

You can disable Balena Etcher’s connection to the network by adding “--proxy-server=dummy-server” to its command line so that it will try to use a non-existent proxy server to connect to the internet. However, this also disables the “Flash from URL” function of the program. In addition, you’ll need to clear the ~/.config/balenaEtcher directory after the session so that Balena Etcher doesn’t transmit any stored analytic data the next time you start the program without the proxy-server option.

As far as OP’s concern about “pushing” Balena Etcher, I think that a caveat statement about the fact that telemetry and analytic data is collected and transmitted to a third-party is certainly warranted if it continues to be listed on the site.

While “nightmare” is a bit of an exaggeration, there are well-known issues regarding Ventoy’s use of pre-compiled binaries of its dependencies in building Ventoy. Plus, it took a long time for the developer to provide documentation on how to build Ventoy, and some of that documentation was inaccurate.

Here’s part of Google’s AI summary of the issue with using pre-compiled binary blobs in Ventoy’s build process:

Ventoy has faced significant security concerns regarding the inclusion of numerous precompiled binary blobs (e.g., grub modules, busybox, cryptsetup tools) in its source tree, which has led to suspicion and difficulty in full code auditing.

Key Security Concerns

  • Lack of Auditing: The presence of opaque binary files means the code cannot be easily analyzed by the community to verify its safety. This makes it impossible to definitively rule out the presence of malware or backdoors (a concern heightened after the xz-utils backdoor incident).
  • Potential for Malicious Code: Theoretically, as Ventoy has deep access to system drives during the boot process, a malicious blob could inject harmful code that might survive a system reboot.
  • Licensing Violations: Some of the blobs are suspected to be derived from copyleft-licensed (GPL) software, which would be a violation of their licenses if the corresponding source code is not provided in an easily buildable manner.
  • Developer Communication: For a long time, the main developer was criticized for not addressing these concerns directly, leading to increased suspicion among some community members. The developer has since acknowledged the issue and is exploring ways to use a more transparent, reproducible build system, but the process has been slow.

There’s plenty of information on various forums and on Ventoy’s own GitHub bug tracker. And while I’m not aware of any security vulnerabilities found in Ventoy, there was a serious vulnerability in iVentoy, the PXE boot server from the same developer as Ventoy.

1 Like
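The workaround described in the post above (a non-existent proxy on the command line, then clearing ~/.config/balenaEtcher after the session) is easy to get wrong by hand, because the config directory has to be removed every time. As an added example that is not from that post and not from balena, this wrapper does both steps in one go. The Etcher binary path is an assumption to be adjusted (the `ETCHER` variable); the config directory and the `--proxy-server=dummy-server` flag are the ones the post names, and whether a given Etcher build still honours the flag is that post's claim, not something this script checks.

```shell
#!/bin/sh
# Added example (not from the post above, not from balena): start Etcher with
# the non-existent proxy the post describes, so its connections to Sentry and
# the Google CDN fail, then delete the per-user config directory so queued
# analytics are not sent by a later unproxied start.
# Assumptions: ETCHER points at the Etcher binary (the default path is a guess),
# and the config directory is the one named in the post.
set -e

ETCHER="${ETCHER:-/usr/bin/balena-etcher}"        # assumed install path; override via env
CONFIG_DIR="${HOME}/.config/balenaEtcher"          # directory named in the post

# Run Etcher through a proxy that does not exist; extra arguments pass through.
# Returns Etcher's own exit status, after removing the config directory either way.
etcher_offline() {
    status=0
    "$ETCHER" --proxy-server=dummy-server "$@" || status=$?
    # Remove stored session/analytics data whether or not the run succeeded.
    rm -rf -- "$CONFIG_DIR"
    return "$status"
}

# Runs only when saved as etcher-offline(.sh), so the function can also be sourced.
case "${0##*/}" in
    etcher-offline|etcher-offline.sh) etcher_offline "$@" ;;
esac
```

Save it as `etcher-offline.sh`, make it executable, and run it in place of the normal launcher. As the post notes, "Flash from URL" will not work in this mode, since Etcher can't reach any server through the bogus proxy.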

To be honest, I was simply a bit concerned that the Ubuntu tutorial was giving instructions to fetch and install a tool that isn’t even packaged with the Ubuntu distribution.

When looking at the ways to install it I could

  • download a .deb from Github
  • download .zip with compiled binaries

Is there any safe way to download and install that? These aren’t signed in any way, are they?

Anyways, this raised suspicion and I googled to find:

and others

Which just increased my suspicions. Of course these posts might not be backed by any solid facts, but it still felt a bit sketchy, especially since it is produced by a commercial vendor that tries to sell its services through it. The usb-creator tool included in Ubuntu is more than capable of doing the same thing. So I maintain that referring to this 3rd-party package is a bad idea.

1 Like

The target audience is primarily people who aren’t running Ubuntu. So it makes no sense to sign-post an app that is in the repo, given the user (typically) isn’t even running Ubuntu, so it wouldn’t help.

There is a tool for Ubuntu users: usb-creator-gtk. Install it with sudo apt install usb-creator-gtk. There’s also a tutorial that covers this.

https://documentation.ubuntu.com/desktop/en/latest/how-to/create-a-bootable-usb-stick/

Note that the tutorial is much (a decade) newer than the one you originally linked to.

The “solution” to this is probably for someone to write a replacement for Balena Etcher, using a cross-platform toolkit such as Flutter. If they haven’t already. :slight_smile:

5 Likes

I assume the Windows binaries are, but I don’t know for sure. Linux binaries aren’t typically signed, are they? You download the binary app and compare the SHA-256 sum listed on the website to the binary you downloaded to your system, and that gives some assurance that what you got from their official website is what you have on your system. At the very least you can assume that the binary wasn’t altered during download.

Like Rufus, Balena Etcher works on Windows and is a free open-source solution to creating bootable USB drives. I think its inclusion is justifiable, but with the caveat that I mentioned above being added.

1 Like

I use mintstick for basic burning of ISOs; it works well and is in the repository.

sudo apt install mintstick

I use usb-creator-gtk, which is also in the repository.

sudo apt install usb-creator-gtk

Canonical’s preferred ISO image writing tool is Startup Disk Creator. It is default in an installation of Ubuntu. But does it run on other Linux distributions? Not if they are not based on Debian. Even Debian based distributions might not have Ubuntu’s Startup Disk Creator in their repositories.

In my mind it makes sense for a tutorial aimed at users of proprietary operating systems and other Linux distributions to mention just one ISO image writing tool that is available to the target audience.

There is another official tutorial that lists BalenaEtcher as just one of a long list of ISO image writing tools available.

Various ISO image writing tools

That link is part of a re-write of official Ubuntu documentation.

It is good that Canonical is producing quality documentation and widening the scope to inform users of other operating systems and also those who are unfamiliar with any desktop operating system.

Regards