Note that VS Code is built on Electron and it is a pain to sandbox because Electron has (had?) SUID sandbox helper, and you cannot run SUID binaries in sandbox easily. Sandboxing on Linux is extremely difficult task.

▲

jandrese 4 hours ago | parent | next [-]

It feels so bad to see the "You need go give Chrome SUID Root for the sandbox to work". Setting a Web Browser SUID Root was an old joke about clueless users. It was the worst security screwup someone could imagine.

▲

NewJazz 2 hours ago | parent | prev | next [-]

Don't build your ide on electron then.

▲

duped 4 hours ago | parent | prev [-]

podman seems to handle rootless namespaces just fine, minor caveat for some perf overhead but it's not the end of the world.

▲

internet101010 3 hours ago | parent [-]

And volumes. Volumes are not fun with podman. Ironically my team tried GitHub Codespaces and never looked back. Super cheap and uses DevContainers.

	▲	unethical_ban 2 hours ago \| parent [-]
		What's the difference between Podman and docker for volumes? Other than needing to add Z to get volumes to mount with SELinux