undefined | Better HN

0 pointscookiecaper7y ago0 comments

To be clear, I agree. Containers on Linux are very weak security boundaries and should not be considered safe sandboxes for untrusted or dangerous code. In fact, post-Spectre, only physically independent hardware unattached to the network should be considered a reasonably safe sandbox.

However, something is better than nothing, and it's just not true that there's no difference between running something from the AUR and running something in a "confined" snap. There is some crap in the way at least.

0 comments

beojan7y ago

Good point. Though the fact that you read your PKGBUILDs before running them (you do read your PKGBUILDs, right?) at least compensates for this.

j / k navigate · click thread line to collapse

0 pointscookiecaper7y ago0 comments

0 comments

beojan7y ago

Good point. Though the fact that you read your PKGBUILDs before running them (you do read your PKGBUILDs, right?) at least compensates for this.

j / k navigate · click thread line to collapse