Talk:Packaging/Binaries
Latest comment: 8 October 2021 by Nix in topic untrusted binaries
untrusted binaries
packaging and running untrusted binaries on nixos?
- NixOS Containers?
- firejail?
- virtual machine?
- https://github.com/mviereck/x11docker - "Run GUI applications and desktops in docker. Focus on security." (via stackexchange)
for example jdownloader is closed source, so i want to limit access to files, clipboard, etc.
--Milahu (talk) 16:47, 1 October 2021 (UTC)
- A virtual machine is most robust. X11docker a good combo; x11docker supports Kata Containers, which aims to combine the security of VMs with speed of containers. Security a good page for this too. Spectrum OS is a Nix-based design with similar aims; they were looking at crosvm with virtio_wl. — Nix (talk) 09:24, 2 October 2021 (UTC)
- There is a demo here: https://alyssa.is/using-virtio-wl/#demo — Nix (talk) 09:28, 2 October 2021 (UTC)
- Another relevant approach is Microsoft's development of VAIL with RDP (extending Wayland's Weston compositing manager's RDP support) in order to support low-latency zero-copy GPU-accelerated X11/Wayland-graphical Linux virtual machines on Windows. The same technology could be deployed very similarly with a Linux-guest-on-Linux-host approach for the sake of of security. — Nix (talk) 23:59, 7 October 2021 (UTC)
- I did some looking into OSTree today. They bill themselves as "git for operating system binaries," and were largely inspired by NixOS. Fedora is building CoreOS for containerized-cloud and Silverblue as an immutable containerized workstation OS. There's also projects like Toolbox built around OSTree which look inspired by nix-shell, but adds containerization. Particularly interesting for this discussion is the model of Silverblue. They seem mostly to lean on Flatpaks though, which isn't very sound as is. — Nix (talk) 00:47, 8 October 2021 (UTC)