| |
| ▲ | kragen 4 days ago | parent | next [-] | | Apt has been painfully slow since I started using Debian last millennium, but I suspect it's not because it uses a lot of CPU, or it would be snappy by now. | |
| ▲ | dontlaugh 4 days ago | parent | prev [-] | | It parses formats and does TLS, I’m assuming it’d be quite bad. I don’t think you can mix and match. | | |
| ▲ | 4 days ago | parent | next [-] | | [deleted] | |
| ▲ | jitl 4 days ago | parent | prev [-] | | stuff that talks to "the internet" and runs as "root" seems like a good thing to build with filc. | | |
| ▲ | loeg 4 days ago | parent [-] | | It probably uses OS sandboxing primitives already. | | |
| ▲ | kragen 4 days ago | parent [-] | | In normal operation, apt has to be able to upgrade the kernel, the bootloader, and libc, so it can't usefully be sandboxed except for testing or chroots. | | |
| ▲ | loeg 4 days ago | parent [-] | | No, that doesn't follow. That only means the networking and parsing functions can't be sandboxed in the same process that drops new root-owned files. C and C++ services have been using subprocesses for sandboxing risky functionality for a long time now. It appears Apt has some version of this: https://salsa.debian.org/apt-team/apt/-/blob/main/apt-pkg/co... | | |
| ▲ | kragen 4 days ago | parent [-] | | That's true; you can't usefully sandbox apt as a whole, but, because it verifies the signatures of the packages it downloads, you could usefully sandbox the downloading process, and you could avoid doing any parsing on the package file until you've validated its signature. It's a pleasant surprise to hear that it already does something like this! |
|
|
|
|
|
|
