With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?
Flatpacking is great but not all applications support it.
Is it too much of a hassle?
You were correct. The packages have to come from somewhere. They don’t just appear out of the ether. They need to be built from source. Guess what happens when the actual source code is corrupted by a supply chain attack?
A little taste of nixpkgs vulnerabilities that could be exploited: https://discourse.nixos.org/t/checking-and-dealing-with-cves
The blast radius on a NixOS system is pretty small, though, because of that immutable nix store.