With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?
Flatpacking is great but not all applications support it.
Is it too much of a hassle?
With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?
Flatpacking is great but not all applications support it.
Is it too much of a hassle?
You asked me how then explained exactly how. Got it? Great.
i dont even use nix, i just know of it, you seemed like you knew more than me, so i tried to explain, doesn’t mean i was correct, i hoped you could maybe correct me, but sure
You were correct. The packages have to come from somewhere. They don’t just appear out of the ether. They need to be built from source. Guess what happens when the actual source code is corrupted by a supply chain attack?
A little taste of nixpkgs vulnerabilities that could be exploited: https://discourse.nixos.org/t/checking-and-dealing-with-cves
The blast radius on a NixOS system is pretty small, though, because of that immutable nix store.