With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?

Flatpacking is great but not all applications support it.

Is it too much of a hassle?

  • ultimate_worrier@lemmy.dbzer0.com
    23 days ago

    You were correct. The packages have to come from somewhere. They don’t just appear out of the ether. They need to be built from source. Guess what happens when the actual source code is corrupted by a supply chain attack?

    A little taste of nixpkgs vulnerabilities that could be exploited: https://discourse.nixos.org/t/checking-and-dealing-with-cves

    The blast radius on a NixOS system is pretty small, though, because of that immutable nix store.