1. 5

    My own: https://gitlab.com/dacav/crossbow

    Selling points:

    • Written in C, portable across Unices
    • Documentation by manpages
    • Supports Gopher protocol

    How it works: https://gitlab.com/dacav/crossbow/uploads/c7ae7961fbc8c0585e87df3748dd41bb/crossbow.1.pdf

    Some usage patterns here: https://gitlab.com/dacav/crossbow/uploads/dc07d510a7ba4a91fc576084006264d9/crossbow-cookbook.7.pdf

    1. 3

      Almost ignored this assuming it’s nodejs portfolio puffware. But it looks like real work, from the “trailofbits” umbrella (source of algo vpn, by far the best VPN experience I’ve ever had).

      The blog mentions a related tool polyfile which looks seriously cool. And something unrelated called Sinter.

      1. 2

        What is a “nodejs portfolio puffware”? I find this expression amusing

        1. 8

          puffware = software that looks cool (bootstrap, hero image) but scratching the surface reveals shallow, half-baked demoware or a broken wrapper around actual software. Adds twitter followers.

      1. 7

        I systematically track the channels/users that I want to follow quite anonymously by using my own feed aggregator, Crossbow, and invoking youtube-dl from it. For those who are interested, here’s a cookbook manpage including instructions on how to handle youtube:


        1. 5

          I systematically report side projects on my CV, as well as a link to my technical blog. In my opinion it matters even if who evaluates you as a candidate doesn’t delve into your code.

          I cannot tell if my perception corresponds to truth.

          I personally don’t do leetcode. I believe in making sensible, working and curated side projects instead, serving the double purpose of personal satisfaction (mainly) and live CV (side effect).

          1. 7

            By installing libre office? Oh! Oh! Oh. Sorry, I had to make this bad joke

            1. 0

              Wasn’t OpenOffice better than Libre Office, or is my memory playing tricks on me? Or maybe I was just more content with those kinds of GUIs when OpenOffice used to be popular.

              1. 1

                From what I remember OpenOffice was great, but over time feature development and stability started to get worse. LibreOffice became the response to OpenOffice

                1. 7

                  LibreOffice was forked from OpenOffice around when Oracle acquired Sun. Shortly after, Oracle dumped OpenOffice onto the Apache Foundation, where it’s still being updated.

                  LibreOffice is considered by most to be better maintained and more actively developed, though.

                  1. 1

                    Thanks for the context!

            1. 1

              Thanks. I might have a use case for it ;-)

              Do you think output into maildir (instead of local mail delivery) would be a worthwhile feature? E.g.:

              crossbow-maildir ~/Mail

              1. 2

                The feature you need is already there, in a sense.

                The idea with crossbow is to handle feed updates by means of a specialized program. The local mail delivery is a side effect of the fact that the periodic refreshing of feeds (via crossbow-fetch) is meant to be triggered by a cronjob, but it is not a strict requirement. And if the crossbow-fetch invocation does not produce output, there won’t be any local mail at all :-)

                A thing you can do, in order to satisfy your needs, is to write a little script, let’s call it “crossbow-maildir”, why not :-), whose synopsis could be:

                crossbow-maildir -s MAIL_SUBJECT [-l URL]

                The script would add some content to ~/Mail. If a URL is provided by the -l flag, the script will obtain the content by invoking curl on the given URL. If no URL is provided, the script reads the content from stdin.

                This hypothetical script, which is probably easy to write, can be integrated with crossbow:

                If the feed you want to subscribe to will carry the whole content as a description, you can pipe it directly into the crossbow-maildir script:

                crossbow set -i FEED_ID -u FEED_URL \
                    -o pipe -f 'crossbow-maildir -s %t'

                If the feed does not provide the content, you can use the -l flag of the crossbow-maildir script:

                crossbow set -i FEED_ID -u FEED_URL \
                    -o subproc -f 'crossbow-maildir -s %t -l %l'

                A set of generic scripts tackling different needs could be written. I don’t have anything like that for the moment (except for a couple of portable scripts in the crossbow-cookbook(7) man page). If you get to write such a script, consider sharing it: it could be valuable for others having your same desires, and it might be nice to create a collection.

                EDIT – I realized now that what I described is probably exactly what you mean :-P I apologize. Then yes, it would totally be worthwhile.
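The hypothetical `crossbow-maildir` script described in the comment above, sketched as an added example (not part of the original thread and not crossbow's own code). The `MAILDIR_PATH` variable, the `From:` address and the `text/html` type for fetched URLs are assumptions made here; the subject and URL come from the feed, so both are handled as untrusted input.

```shell
#!/bin/sh
# crossbow-maildir -s MAIL_SUBJECT [-l URL]
# Added example: store one feed entry as a message in a Maildir.
# The subject (%t) and URL (%l) originate from the feed: untrusted input.

MAILDIR_PATH=${MAILDIR_PATH:-"$HOME/Mail"}   # assumption: target Maildir

usage() {
    echo "usage: crossbow-maildir -s MAIL_SUBJECT [-l URL]" >&2
}

# Turn CR, LF and TAB into spaces and drop the remaining control bytes, so
# a crafted feed title cannot append extra header lines to the message.
sanitize_subject() {
    printf '%s' "$1" | tr '\r\n\t' '   ' | tr -d '\000-\037\177'
}

# Accept only web URLs: rejects file:// and other schemes, and any value
# starting with "-" that curl would otherwise parse as an option.
check_url() {
    case $1 in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

fetch_url() {
    check_url "$1" || { echo "crossbow-maildir: refusing URL: $1" >&2; return 1; }
    # Bound time and size; keep redirects on the same allowed protocols.
    curl --fail --silent --show-error --location \
         --proto '=http,https' --proto-redir '=http,https' \
         --max-time 60 --max-filesize 10485760 "$1"
}

# maildir_deliver MAILDIR SUBJECT [CONTENT_TYPE]   (message body on stdin)
# Writes the whole message under tmp/, then renames it into new/, so a mail
# reader never sees a partial file. Prints the final path.
# The function body is a subshell: umask and noclobber stay local to it.
maildir_deliver() (
    md=$1
    subject=$(sanitize_subject "$2")
    ctype=${3:-text/plain}
    umask 077                                   # messages are private
    mkdir -p "$md/tmp" "$md/new" "$md/cur" || exit 1
    host=$(uname -n | tr '/:' '__')             # "/" and ":" are not allowed
    rnd=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    name="$(date +%s).P$$R${rnd}.${host}"
    set -C                                      # never overwrite a file
    {
        printf 'From: crossbow <crossbow@localhost>\n'
        printf 'Subject: %s\n' "$subject"
        printf 'Date: %s\n' "$(LC_ALL=C date '+%a, %d %b %Y %H:%M:%S %z')"
        printf 'MIME-Version: 1.0\n'
        printf 'Content-Type: %s; charset=utf-8\n\n' "$ctype"
        cat
    } > "$md/tmp/$name" || exit 1
    mv "$md/tmp/$name" "$md/new/$name" || exit 1
    printf '%s\n' "$md/new/$name"
)

main() {
    subject='' url=''
    while getopts s:l: opt; do
        case $opt in
            s) subject=$OPTARG ;;
            l) url=$OPTARG ;;
            *) usage; return 2 ;;
        esac
    done
    [ -n "$subject" ] || { usage; return 2; }
    # stdout is kept silent so that a cron-driven fetch sends no local mail.
    if [ -n "$url" ]; then
        body=$(mktemp) || return 1
        # Deliver only when the download succeeded in full.
        fetch_url "$url" > "$body" &&
            maildir_deliver "$MAILDIR_PATH" "$subject" text/html < "$body" > /dev/null
        rc=$?
        rm -f "$body"
        return "$rc"
    fi
    maildir_deliver "$MAILDIR_PATH" "$subject" > /dev/null
}

# With no arguments only the functions are defined (the file can be sourced).
if [ "$#" -gt 0 ]; then main "$@"; fi
```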

                1. 1

                  Thanks a lot for the detailed description!

                  I’m really impressed how flexible the tool is.

                  1. 1

                    My pleasure. Feel free to reach me with any feedback, especially defects or typos in the manpages. I recently pushed some patches on the devel branch, to tackle some minor annoyances, btw.

              1. 14

                This is one of the top reasons I use perl as the base language in my current project: its long-lasting stability and availability.

                A script written for perl 5.00 would still run today without issues.

                1. 10

                  Indeed. I’ve chosen Perl for my static blog engine (App::PFT), and I never regretted it.

                  Perl is a really good language, if you know how to do it. It is very expressive, and has very thorough documentation. It has a bad reputation due to the fact it allows a lot of freedom, but I think most of the people who blame Perl don’t really know how to write good Perl. Trust me, it is perfectly possible to achieve a good code base in Perl, if one applies some discipline.

                  And just to say it out loud, I’m somewhat bored/annoyed by this “let’s rewrite it in X” meme. This makes sense only if the software is broken and/or unmaintainable.

                  1. 2

                    Even a lot of Perl 4 stuff runs either unmodified or with small changes on perl 5. It’s only in the past few years that a few of the backwards-compatibility things that were most harmful to adding new features or to maintainability finally got sacrificed. Odds are if some 25 or 30 year old code forms an important part of your system, you’re not upgrading to the latest version of the perl interpreter anyway :)

                  1. 5

                    This is happy news! I hope it comes with GNU/Linux support! EDIT Oops, yes it does.

                    Many years passed since when I used to play, but back then I definitely needed to use Wine.

                    Nowadays I would not even install it like that, as I would never trust a closed source program. This solves the trust problem and might solve the portability one (EDIT definitely it does)

                    1. 1

                      Nowadays I would not even install it like that, as I would never trust a closed source program.

                      This is mostly an issue with the UNIX design.

                      It is fairly safe to run closed source programs under seL4, as they can never exceed their capabilities.

                      As Linux’s security model is fairly weak, and the kernel isn’t even formally verified to enforce this weak model and cannot be (due to sheer size), everything running under Linux has to be considered part of the trusted computer base.

                      Closed source programs can’t be trusted, as you point out, and thus can’t be allowed to reside within the TCB.

                      1. 5

                        This is mostly an issue with the UNIX design.

                        This is entirely true, but makes it sound like a small problem. It’s like saying “global warming is mostly an issue with cars and power plants”. ;-)

                        1. 2

                          Fortunately, it is a resolved problem. Use seL4. The whitepaper covers (Chapter 7) how this can be done progressively, with minimum hassle.

                          What saddens me is the amount of effort put into the wrong approach, when the right approach exists.

                          This is akin to making a building “a little higher” again and again, into a seriously unstable large tower, just by carefully adding to the top of it, when the foundation and structure was not made for the purpose.

                          The cost in man hours to each of these “little changes” in Linux pains me to read about, when considering how much progress would be made if this effort was put into the right approach, where the cost of progressing is orders of magnitude lower, thanks to fitness for purpose.

                          Fortunately, building regulations prevent this. In computing, however, we’re not as fortunate.

                          1. 9

                            You keep pushing seL4, as though it were some kind of panacea. But consider:

                            It doesn’t, and can’t, protect against the well-known hardware vulnerabilities in all modern x86 and ARM chips. It doesn’t even support PowerPC architecture, which is currently the most practical “safe” alternative architecture. It supposedly supports 64-bit RISC-V (yay!) … but, can you even buy a practical RISC-V PC? Not yet. You need a PhD in CS and a few weeks of intensive study just to actually understand the claim that the formal proof makes. Much more work to really understand the proof itself. So, it’s rather more “faith based” than the marketing would suggest. As a microkernel, it provides very much less functionality than we are conditioned to expect from Linux or BSD. You’d need to supplement it with something like big chunks of Gentoo to even get a baseline usable system. Is any part of Gentoo formally verified? Most serious, real-world vulnerabilities aren’t in the kernel anyway, they are in applications (and occasionally device drivers and similar), so adopting seL4 wouldn’t help with that directly.

                            But most importantly, hobbyists and academics can more or less follow their hearts, but businesses and militaries pull much more weight, and they adopt things incrementally for (broadly) economic reasons, involving all sorts of messy things like liability and licensing and training costs. Network effects dominate decision making for reasons that have perfectly rational game-theoretic explanations. It is often wiser to stick with the devil you know. Until you understand how and why the world works like that, I imagine you will continue to be confused, frustrated, angry, and sad. That was my journey, anyway. I feel much more at peace now. :-)

                            I’ll be blunt; I think seL4 is an extremely expensive toy. It’s a highly subsidized research project that (to my knowledge) hasn’t ever been deployed in a genuinely high-assurance system, much less at scale. I’d love to see that change, but I’m not exactly holding my breath.

                            1. 3

                              You keep pushing seL4

                              I see this as necessary.

                              Ask a few random bystanders about microkernels (never mind seL4, which they’ll likely never have heard about), and they’ll likely either not have a clue whatsoever, or just spit a bunch of misinformation showing their ignorance, such as references to the Tanenbaum-Torvalds debate being somehow “won” by Linus, or a blanket statement that “microkernels are slow” or “nice and academic, but do not work in practice”.

                              Awareness helps. The starting point here is that of believing a bunch of non-facts as facts, thus quite severe and much worse than mere ignorance. It is an uphill battle.

                              It doesn’t, and can’t, protect against the well-known hardware vulnerabilities in all modern x86 and ARM chips.

                              It’s merely out of scope. Basically, seL4 is software. What you’re doing is pointing at hardware being shit as justification for software being shit.

                              If you’re actually referring to seL4 not implementing Meltdown, Spectre and such, then that’s plain wrong. seL4 does indeed implement many such mitigations. Again, it is unfortunate hardware sucks so much, but the hardware is indeed out of scope. Other teams elsewhere are working on fixing that problem.

                              One of the advantages of having proofs is that the assumptions are stated explicitly. By doing this, families of problems are prevented. Refer to 3.1. Proof assumptions in the seL4 whitepaper.

                              You need a PhD in CS and a few weeks of intensive study just to actually understand the claim that the formal proof makes.

                              The same could be said about open source. But we both know it is a net positive, even if we don’t personally read every line of code that we use, directly or indirectly.

                              Network effects dominate decision making for reasons that have perfectly rational game-theoretic explanations. It is often wiser to stick with the devil you know.

                              The old “Nobody has ever been fired for using IBM”, in new incarnations. The LAMP stack, Docker, AWS, x86 and so on.

                              Until you understand how and why the world works like that, I imagine you will continue to be confused, frustrated, angry, and sad. That was my journey, anyway. I feel much more at peace now. :-)

                              I’ve been through that. It’s better, but I sadly can’t help but feel at least a little sick about how poorly everything is being done, and how often the wrong tool gets picked for the job, and incompetence is rewarded.

                              It’s a highly subsidized research project that (to my knowledge) hasn’t ever been deployed in a genuinely high-assurance system, much less at scale.

                              Refer to first paragraph of section 2.2. seL4 Is a microkernel, not an OS.

                              seL4 is but the successor of OKL4, a microkernel with the reputation from real world deployment that you seek. To my knowledge, and feel free to correct me if I am wrong, no microkernel has a comparable level of deployments, nor reputation.

                              seL4 is written by essentially the same people, who by now have plenty of experience, and is dramatically better, in no small way because of this experience.

                              1. 6

                                This whole OT thread is why we can’t have nice things.

                                1. 3

                                  But this is my nice thing! You’re so right about it being a lousy place for it, though. Sorry about that.

                                  1. 2

                                    The things you’re fighting about aren’t the problem, it’s the fighting and identifying that’s holding us back. No need for apologies tho, it gets us all from time to time.

                                  2. 2

                                    We are celebrating Soldat’s open sourcing, in our own way.

                                    1. 2

                                      I’ll pay that.

                              2. 7

                                Where’s the equivalent of Kubernetes for seL4? How do I write a simple config file like I can in Docker or Nix and produce a secure, reproducible environment that can then be deployed to dozens of systems? It would cost millions and years to build something like that? We don’t even know exactly what something like that would look like, and how to manage it so that it’s not a giant pain in the ass to administer?

                                The problem’s not resolved, then. Sure we know, in theory, how to resolve it, and have that theory put into practice in some sorts of systems – the ones I’ve heard about have been high-reliability embedded systems, which are relatively small and have a lot of effort put into them. But all the technology to use it at, if you forgive me the buzzword, “web scale” has yet to actually be built. You’re right, the technology should be built, but here we are.

                                Like I said, global warming is mostly an issue with cars and power plants. We know how to build wind farms and electric cars, so the problem is resolved, right?

                                1. 1

                                  Where’s the equivalent of Kubernetes for seL4?

                                  These are component frameworks, covered briefly in 3.2.

                                  Kubernetes, or docker, are the heavyweight workarounds (I also like to call them hacks) detailed in section 4.2. These really are toys, next to capabilities as implemented by seL4.

                                  How do I write a simple config file like I can in Docker or Nix and produce a secure, reproducible environment that can then be deployed at massive scale?

                                  No. You actually cannot in Docker or Nix. These are toys, as they rely upon the aforementioned ugly hacks Linux provides, and any claims of these providing “security” are not to be taken seriously. In some contexts, they are criminally irresponsible. And I am saying this despite doing this for a living.

                                  For the state of the art, refer to Genode’s Sculpt. It isn’t even limited to static scenarios like the ones you described, but also supports dynamic ones.

                                  You’re right, the technology should be built, but here we are.

                                  We are in a much better position now than a few years ago, thanks to the current state of seL4, both technical (release 6.0 and ongoing work) and organizational (seL4 foundation has been established, and there is commercial and government participation).

                                  It would cost millions and years to build something like that?

                                  Would you rather put the manpower into running a fool’s errand? The popular ecosystem you’ve referenced is fundamentally broken. It cannot be fixed. No real progress can be made without a reset. Thus, leaving aside those who work on these in their free time, it is a large waste of resources to try and advance these dead-end systems.

                                  Like I said, global warming is mostly an issue with cars and power plants. We know how to build wind farms and electric cars, so the problem is resolved, right?

                                  I see you agree with me ultimately. Doing things wrong is not the right way to do things. Yes, I also see the redundancy here.

                                  I do try and not defend the wrong approaches.

                        1. 3

                          I wrote a cron job that fetches RSS feeds and pipes new items into a folder in my emails.


                          • Most mail clients (well, the ones I use) support basic styling, HTML & images
                          • Search is already implemented (by the mail host)
                          • Read / unread tracking is already implemented, and syncs across devices
                          • Clients can be configured to prefetch attachments, so you can read offline and sync up the read state afterwards.
                          • The fetch script can work on things that aren’t RSS via chromedriver


                          • Getting attachments to display inline on a variety of clients took too much work.
                          • It’s kind of a hack

                          1. 3

                            I use Newsboat as a backend for fetching RSS items.

                            I wrote Newsboat-Sendmail which taps into the Newsboat cache to send emails to a dedicated email address.

                            To make sure the IDs of the emails’ subjects are kept whenever the server asks me to wait before sending more emails, I wrote Sendmail-TryQueue. It saves emails that could not be sent on disk (readable EML format, plus shell script for the exact sendmail command that was used).

                            Finally I use Alot to manage the notifications/items.

                            1. 2

                              …so basically Thunderbird.

                              1. 1

                                Thunderbird is one client.

                                I can also use it via the fastmail web ui, or my phone.

                                Lastly, the chromedriver integration means I get full articles with images, instead of snippets.

                                1. 1

                                  Ah, I think I misunderstood its features and your workflow. And now I’m curious. How does the non-RSS bit work? Do you customize & redeploy when adding new sources? In other words, how easy or hard is it to generalize extracting the useful bits, especially in today’s world of “CSS-in-JS” where sane as in human-friendly class names go away?

                                  1. 1

                                    So, the current incarnation has several builtins, each wrapping a simpler primitive:

                                    • The simplest is just ‘specify a feed url and it’ll grab the content from the feed and mail it to you’.
                                    • The next simplest-but-useful is ‘specify a feed url and it’ll grab the link from the feed, fetch the link, parse it as html, extract all content matching a css selector, inline any images, and mail it to you’. This works well for eg webcomics.
                                    • The third level replaces ‘fetch the link’ with ‘fire up chrome to fetch the link’ but is otherwise similar.

                                    My planned-future changes:

                                    • Use chromedriver but specify the window size and content coordinates; this should work around css-in-js issues by looking for boxes of approximately the right size / position in the document. I’m not currently following any feeds that need this, though.
                                    • Store values and look for changes. I plan to use this to (eg) monitor price changes on shopping sites.

                              2. 2

                                haha, I like this one. You’ve turned RSS into newsletters!

                                1. 1

                                  mailchimp sells this as a feature.

                                2. 1

                                  I use rss2email which basically does the same thing.

                                  1. 1

                                    I wrote a rss reader which is meant for cronjobs, which is btw the reader I use.


                                    The version 0.9.0 is usable. Soon I plan to release version 1.0.0

                                  1. 3

                                    Thanks for sharing, this is a great presentation. In fact, it gave me quite a number of ideas! For instance, it’s a good while I’m thinking of a set up involving dynamic ips, but I think I don’t need it at all! :)

                                    1. 1

                                      You’re welcome :)

                                    1. 1

                                      I have been building a very similar, minimalist, cron based aggregator, but it generates HTML instead of email. Not sure I’ll adopt what you’ve got instead, but certainly worth a deeper look! Thanks for posting!

                                      1. 1


                                        Actually, Crossbow does not generate email. Cron generates local email out of the cronjob’s standard output/error. If crossbow is configured to be silent, or if it is executed outside cron, no email will be generated.

                                        For example, you can invoke crossbow-fetch manually and redirect the output to a file.

                                        1. 2

                                          This is great! I’ve just realised from your comment, that it can then be hooked up to something like noti

                                          1. 1

                                            In true Unix fashion… it can be hooked to anything and it can hook sub processes and pipe the data into them

                                      1. 1

                                        Finishing and releasing Crossbow, the cron friendly rss reader.

                                        1. 9

                                          At this point, how people are reacting to the coronavirus bothers me more than the risk of the virus. It’s not just most of the web sites. The worst is that my whole city did a run on toilet paper, cleaners, meats, etc. Our grocery and supply stores have been empty for almost a week from folks stockpiling non-stop. Strangely, beer and liquor is still well-stocked.

                                          I’ve been through a few rounds of the world ending in my life. Almost always media-driven, sometimes political. This level of real-world madness reminds me of Y2K if it all happened really fast. Except there’s no end of the world parties since they’re afraid of being close to other people. We at least had a lot of fun in 1999. There was no beer or liquor left. :) This doomsday looks to be lonely for a lot of people. Folks just need to stop watching the news or acting crazy after watching it. I feel for them. I’m just gonna keep living as usual with some things in upswing.

                                          On the bright side, we had lots of interesting papers, authored by’s, etc here during the same time range. Although C.V. had a few mentions, Lobsters was a breath of fresh air (i.e. a nice escape) compared to the other sites I was looking at. Community is changing a lot. Yet, still more mind-expanding submissions and quality discussion than many other places. Everyone keep it up!

                                          1. 6

                                            Dangerous line of thinking, comparing a real pandemic to Y2K which took no lives.

                                            1. 3

                                              Thank you, the most sensible thing I read on the topic in days.

                                              1. 2

                                                I’m young and don’t remember any other End Of The World situations, but I’m equally as bothered. I’m in my final year of school, and the teachers are talking more about it getting shut down than actually helping with those last bits of the syllabus. While I personally think the situation is being entirely blown up (not to belittle any concerns for the vulnerable for whom the virus might actually pose an issue), I’m still concerned about how this time of my life is going to be affected - I haven’t been able to visit many universities because the offer days have been cancelled.

                                                Carrying on as normal is probably the best bet, but it’s definitely still worth letting any vulnerable people know that you’re there if they need anything, as with all the media coverage it can be difficult to know what to do, and confusion isn’t going to do anything to make the situation better.

                                                1. 12

                                                  It’s a situation in which literally millions of people will likely die if big steps aren’t taken to prevent the worst-case scenarios. I’ve noticed that essentially everyone I’ve heard saying the issue is overblown has included a mention about its effect being disproportionately toward the vulnerable. It’s hard to escape the unpleasant implication that they thus value the vulnerable drastically less than the healthy/young.

                                                  1. 2

                                                    I don’t mean to imply that I don’t value the vulnerable. But I’m worried that the more the issue is viewed as the pandemic it is by the general population, the less concern people will have for those who need their concern most. Millions of people will likely die if big steps aren’t taken, but how many of those big steps should be families of healthy individuals buying up all the toilet paper and alcohol gel that they can, and how many of those steps should be families of healthy individuals letting the vulnerable people around them know that they can call them if they need anything, so as to allow them to avoid having to go to public places?

                                                    When I alluded to the issue being overblown, I meant that much of the population have nothing to worry about, and their hysterical response is only going to harm those who actually do have something to worry about. I also focused on my own personal detriments as a result of the outbreak, which definitely didn’t help to set the tone that I wanted to set. I hope that helped to clarify where I’m coming from?

                                                  2. 1

                                                    Well, there’s the damage from the virus and that from all the responses to it. I definitely feel for those of you being affected at school, work, etc. Part of the reason some of us call out the overreaction is to reduce that.

                                                    As a personal example, I just found out an hour ago that at least three people in my family whose jobs require Chinese imports will likely get laid off. Others I know in service sector are at risk with hour cuts already hitting them. Some self-employed folks that do events are getting cancels. I was about to do some but those might be toast, too. These people and their families might lose their current homes due to how companies and regulators are responding.

                                                    Very real effects. I’m helping those I can down here with all damage being from people and businesses rather than the virus. So far. If its damage goes up, I’ll be trying to help on it, too.

                                                    Got the rest of you in my prayers for now. All I can do given how fast and unpredictably the situation is moving.

                                                    1. 3

                                                      Agreed - I suspect the economic damage from the virus will cause nearly as many deaths as the primary infection.

                                                      I still think the quarantine is the right response to a difficult set of tradeoffs, though.

                                                1. 3

                                                  Have you checked out https://sourcehut.org/? They offer CI services for different Linux and BSD flavors.

                                                  1. 1

                                                    Thanks, this one seems to be a good candidate, and I didn’t spot it. Do you have experience with it?

                                                    1. 2

                                                      The author of sourcehut is a lobster.

                                                      While I don’t yet have experience with it, my reading of its docs makes me want to try.

                                                      1. 1

                                                        I played with it and I had a good impression. But I plan to use it for one of my side projects to get more experience :)!

                                                        1. 1

                                                          I like it – it’s like GitLab CI (in terms of simple config through a .build.yml file). One of the killer features (for me) is it allows you to ssh onto the build server if it fails to debug what went wrong. This feature seriously reduces the number of wasted cycles tweaking ci config to dump more debug for a rebuild.

                                                      1. 2

                                                        It sounds like the openSUSE Build Service is close to what you are after. They offer the infrastructure to compile and package your application on a number of different Linux distributions. Unlike some of the other CI tools out there, they will also offer a package repository for your users to install your software with.

                                                        1. 1

                                                          Yes, this one I’ve noticed before, but it seems to neglect the *bsd side. Thanks for the link though!

                                                        1. 25

                                                          If you can’t find it, just start cleaning. If it’s a big purchase, sleep first. Musical instruments and exercise gear are always worth the money. Never run a credit card balance. Pants 2 days, shirts 1. Oil change every 3,000/6mos. Park far away. (Ok I copied some)

                                                          1. 10

                                                            3,000 miles is way too frequent if you’re running synthetic oil. Vehicles usually come with a manual that includes a maintenance schedule, follow that.

                                                            1. 7

                                                              At least for jeans, I wear them sometimes months straight without washing – unless I spill something on them.

                                                              1. 1

                                                                The environment is happier this way.

                                                            1. 9


                                                              …what? It’s still the best in this world of bloated sh#t!

                                                              All right, all right… C++ then.

                                                              1. 1

                                                                PFT (App::PFT), which is my own static website generator. It boils down to text files in markdown format, written with $EDITOR, handled and compiled into a site made of html pages

                                                                1. 1

                                                                  I hope people realize that containers are not for security, but for (bundly!) dependency handling! There are proper ways to sandbox software under Linux, and that would be using SELinux.

                                                                  1. 3

                                                                    It would be interesting to further compare this with Firejail and bubblewrap – both allow you to isolate any piece of software running on your system, i.e. they don’t necessarily tie you to a single distribution mechanism. I’ve used Firejail for Firefox with great success.

                                                                    1. 2

                                                                      Yeah, heads up with firejail. Use a SELinux sandbox(1) instead ;-) I’ve tried it and the result is really worth it, in my opinion. I’m using it often, for lots of sites I don’t trust (which is close to anything, these days)

                                                                      1. 1

                                                                        heads up with firejail. Use a SELinux sandbox(1) instead