top | item 43784306


tholdem | 10 months ago

Sandboxing should be built in and by default, not DIY and glued on, like with apparmor and firejail.

"Your car does not come with a seatbelt? Seatbelt parts are easy to order online and assembled on any car, it's your fault for not using one."

> Also the very same npm backdoors have already hit android apps. What can sandboxing do if you backdoor a dependency of your banking app?

The whole point of sandboxing is that one compromised app cannot compromise the whole system and other apps. A compromised dependency in my banking app on Android or iOS only compromises that banking app and nothing else.


cosmic_cheese | 10 months ago

It’s always felt strange that Linux desktops try to make sandboxing and permissions the responsibility of packaging standards. That strikes me as much more of a system-level thing, like audio or display output.

dustbunny | 10 months ago

Fedora Silverblue is this.

pona-a | 10 months ago

How so? I'm writing this from a Fedora Sericea, which is Silverblue but with Sway instead of GNOME. Atomic Fedoras solve only package hysteresis (your package manager being unable to reproduce the intended system state because of unaccounted-for changes) by generating the root file system with OSTree. It has nothing to do with sandboxing the applications themselves.

tholdem | 10 months ago

It may be in the future, but for now it is no different from Fedora Workstation in terms of security. Please correct me if I am wrong. AFAIK Silverblue has no additional sandboxing or any other improvements to security.