undefined | Better HN

0 pointsshermantanktop7mo ago0 comments

This is trading one distribution problem (npx) for another (bubblewrap). I think it’s a reasonable trade, but there’s no free lunch.

0 comments

homebrewer7mo ago

Not sure what this means. bubblewrap is as free as it gets, it's just a thin wrapper around the same kernel mechanisms used for containers, except that it uses your existing filesystems instead of creating a separate "chroot" from an OCI image (or something like it).

The only thing it does is hiding most of your system from the stuff that runs under it, whitelisting specific paths, and optionally making them readonly. It can be used to run npx, or anything else really — just shove move symblinks into the beginning of your $PATH, each referencing the script above. Run any of them and it's automatically restricted from accessing e.g. your ~/.ssh

https://wiki.archlinux.org/title/Bubblewrap

conception7mo ago

It means that someone just has to compromise bubblewrap instead of the other vectors.

johnisgood7mo ago

This is such a defeatist perspective. You could say this about anything ad nauseum. I think bubblewrap (or firejail) is less likely to be a successful target.

haswell7mo ago

While this may be true, this is still a major improvement, no?

i.e. it seems far more likely that a rapidly evolving hot new project will be targeted vs. something more stable and explicitly security focused like bubblewrap.

throwawaysoxjje7mo ago

Am I getting bubblewrap somewhere other than my distro? What makes it different from any other executable that comes from there?

1 more reply

theamk7mo ago

Not "instead", it's "in addition to". Your classical defense-in-depth.

1 more reply

cozzyd7mo ago

sure but surely one gets bubblewrap from their distro, and you have to trust your distro anyway.

j / k navigate · click thread line to collapse

0 comments

homebrewer7mo ago

https://wiki.archlinux.org/title/Bubblewrap

conception7mo ago

It means that someone just has to compromise bubblewrap instead of the other vectors.

johnisgood7mo ago

This is such a defeatist perspective. You could say this about anything ad nauseum. I think bubblewrap (or firejail) is less likely to be a successful target.

haswell7mo ago

While this may be true, this is still a major improvement, no?

i.e. it seems far more likely that a rapidly evolving hot new project will be targeted vs. something more stable and explicitly security focused like bubblewrap.

throwawaysoxjje7mo ago

Am I getting bubblewrap somewhere other than my distro? What makes it different from any other executable that comes from there?

1 more reply

theamk7mo ago

Not "instead", it's "in addition to". Your classical defense-in-depth.

1 more reply

cozzyd7mo ago

sure but surely one gets bubblewrap from their distro, and you have to trust your distro anyway.

j / k navigate · click thread line to collapse