On Monday, November 25th, 2024 at 00:12, Evan Carroll <[email protected]> wrote:
>
> > A lot of words on that one,
>
> Not sure if you're the author of the paper. But off the get go, I'm
> extremely confused. I wanted to give my critique on the paper instead of
> the technology. My experience with "user-space sandboxing" is kernel
> user-namespaces. My interface to them is podman. It's not clear what this
> "sandbox" offers that podman's rootless mode does not. I believe I'm in the
> majority with experience in containerization. But you're grounding this
> paper in "two prime examples of sandbox: Gentoo's sandbox and Exherbo's
> sydbox" -- things most people have probably never used. This for me raises
> the question: when would I want "Gentoo's sandbox and Exherbo's sydbox"
> over kernel user-namespaces and podman?

You're comparing apples and oranges. podman is a container engine that gives you isolation. You can use a sandboxing solution on top, such as gVisor or syd-oci to provide a security boundary.

> I don't see that answer immediately and so my desire to continue reading
> drops significantly. This is only constructive criticism, maybe I'm not
> your desired audience but the title was interesting enough for me to jump
> in.

I appreciate your feedback regardless. I can see how the article may have been confusing for you. However that confusion stems from an important misunderstanding: Namespaces provide isolation, not necessarily security.

> --
> Evan Carroll - [email protected]
> System Lord of the Internets
> web: http://www.evancarroll.com
> ph: 281.901.0011 <+1-281-901-0011>

Best regards,
Ali Polatel
