secureblue 5 days ago
secureblue creator here :) some corrections:

> last I heard it wasn't out of Beta or whatever yet

It is

> But it uses containers rather than VMs

It doesn't use plain containers for app isolation. We ship the OS itself as a bootable container (https://github.com/bootc-dev/bootc). That doesn't mean we use or recommend using containers for application isolation. Container support is actually disabled by default via our selinux policy restricting userns usage (this can be toggled though, of course).

Containers on their own don't provide sandboxing. The syscall filtering for them is extremely weak. Flatpak (which sandboxes via bubblewrap: https://github.com/containers/bubblewrap) can be configured to be reasonably good, but we still encourage the use of VMs if needed. We provide one-click tooling for easily installing virt-manager (https://en.wikipedia.org/wiki/Virt-manager) if desired.

In short though, secureblue and Qubes aren't really analogous. We have different goals and target use cases. There is even an open issue on Qubes to add a template to use secureblue as a guest: https://github.com/QubesOS/qubes-issues/issues/9755
orblivion 5 days ago
I keep hearing different things about how well containers can isolate. I guess the "on their own" caveat is the important one. I don't really know how they work. Hearing not to rely on it from the developer of secureblue is a pretty strong case. Thanks.