| ▲ | simonw 8 hours ago | |
That's the problem! It's really hard to find trustworthy sandboxing solutions, I've been looking for a long time. It's kind of my white whale. | ||
| ▲ | laurencerowe 2 hours ago | parent | next [-] | |
As I understand it separate isolates in a single process are inherently less secure than separate processes (e.g. Chrome's site isolation) which is again less secure than virtualization based solutions. As a TinyKVM / KVM Server contributor I'm obviously hopeful our approach will work out, but we still have some way to go to get to a level of polish that makes it easy to get going with and have the confidence of production level experience. TinyKVM has the advantage of a much smaller surface area to secure as a KVM based solution and the ability to offer fast per-request isolation as we can reset the VM state a couple of orders of magnitude faster than v8 can create a new isolate from a snapshot. | ||
| ▲ | indigodaddy 7 hours ago | parent | prev [-] | |
I imagine you messed about with Sandstorm back in the day? | ||