1. 16
    1. 4

      This is cool because they are actually exploring the possibilities with existing systems to up the isolation instead of throwing it all out. I’ve done some bits and pieces here - all the techniques they describe are ones I’ve mentioned in various flamewar comments before - but it is really nice to see an actual constructive implementation of the options in one place.

    2. 2

      This sounds ideal if you want to roll your own light-weight Qubes-like environment.

    3. 1

      If you want to forward just one applic5 you can do so by adding a line to your docker run command. I have an example here: https://raymii.org/s/tutorials/Running_gnash_on_Ubuntu_20.04.html

      1. 7

        Wait, is applic5 a typo? Or is it shorthand like i18n? If shorthand, did you just make it up? It seems like such an arbitrary spot to split it. Also why not just use “app”.

        Sorry for the 21 questions, but I just woke up and it seemed so funny and out of place to me.

        1. 2

          That was a typo indeed. On mobile, so probably didn’t notice the autocorrect failure. I do understand your confusion with i18n yes.

        2. 1

          I have never ever seen anyone use that word, so probably something @raymii made up :).

    4. 1

      Neat! I’ve experimented with similar stuff in OpenBSD vmd VMs + X11 forwarding + Xephyr. Which reminds me, I should probably write that up at some point.

    5. 0

      Local app running in isolation? Sounds like a nightmare…

      1. 3

        would you mind explaining why you think that sounds like a nightmare? it’s a fairly common practice.

        1. 2

          Most of what I do with software is use it to read or manipulate the data from other software. My compiler and build system read the data from my editor. My browser reads the content of my emails. My scripts reach on any given day into whatever data I’m working with that day which came from whatever software produced it.

          Isolating local apps has the feel of the horror that is trying to do anything on an Android system.

          1. 3

            From a usability perspective, it can be nice as long as the high-level APIs work in terms of capabilities. Powerboxes give a nice way of exposing capabilities in a GUI (file dialogs are privileged processes that return capabilities to the process that invokes them) but it is very hard to retrofit to an existing system.

          2. 2

            that makes sense. i think that the android approach is a bit much, but like the idea of isolating apps that have large attack surfaces (web browser, Steam, etc).