Talk:Packaging/Binaries

From NixOS Wiki
Revision as of 02:57, 8 October 2021 by imported>Nix (Silverblue mostly working with Flatpaks)

Latest comment: 8 October 2021 by Nix in topic untrusted binaries

untrusted binaries

packaging and running untrusted binaries on nixos?

for example jdownloader is closed source, so i want to limit access to files, clipboard, etc.

--Milahu (talk) 16:47, 1 October 2021 (UTC)Reply

A virtual machine is most robust. X11docker a good combo; x11docker supports Kata Containers, which aims to combine the security of VMs with speed of containers. Security a good page for this too. Spectrum OS is a Nix-based design with similar aims; they were looking at crosvm with virtio_wl. — Nix (talk) 09:24, 2 October 2021 (UTC)Reply
There is a demo here: https://alyssa.is/using-virtio-wl/#demoNix (talk) 09:28, 2 October 2021 (UTC)Reply
Another relevant approach is Microsoft's development of VAIL with RDP (extending Wayland's Weston compositing manager's RDP support) in order to support low-latency zero-copy GPU-accelerated X11/Wayland-graphical Linux virtual machines on Windows. The same technology could be deployed very similarly with a Linux-guest-on-Linux-host approach for the sake of of security. — Nix (talk) 23:59, 7 October 2021 (UTC)Reply
I did some looking into OSTree today. They bill themselves as "git for operating system binaries," and were largely inspired by NixOS. Fedora is building CoreOS for containerized-cloud and Silverblue as an immutable containerized workstation OS. There's also projects like Toolbox built around OSTree which look inspired by nix-shell, but adds containerization. Particularly interesting for this discussion is the model of Silverblue. They seem mostly to lean on Flatpaks though, which isn't very sound as is. — Nix (talk) 00:47, 8 October 2021 (UTC)Reply

https://docs.fedoraproject.org/en-US/fedora-silverblue/