undefined | Better HN

0 pointstheamk7mo ago0 comments

Not "instead", it's "in addition to". Your classical defense-in-depth.

0 comments

No, "instead". If they compromise bubblewrap to send out your files, and you run bubblewrap anyway for any reason, you're still compromised.

But obviously you can probably safely pin bubblewrap to a given version, and you don't need to "install packages through it", which is the main weakness of package managers

ChocolateGod7mo ago

Bubblewrap uses the same Linux functions that billion dollar cloud infrastructure use. Bubblewrap does no sandboxing/restrictions itself, it's instructing the kernel to do it.

aragilar7mo ago

How? bubblewrap isn't something someone has randomly uploaded to npm, it has well known maintainers and a well organised release process (including package signing). Which is easier to do: upload a package to npm and get people to use it, or spend 2+ years trying to become a maintainer of bubblewrap or one of its dependencies to compromise it.

oulipo27mo ago

Sure, but there's plenty of packages with well-known maintainers who get compromised...

1 more reply

j / k navigate · click thread line to collapse

0 comments

oulipo27mo ago

No, "instead". If they compromise bubblewrap to send out your files, and you run bubblewrap anyway for any reason, you're still compromised.

But obviously you can probably safely pin bubblewrap to a given version, and you don't need to "install packages through it", which is the main weakness of package managers

ChocolateGod7mo ago

Bubblewrap uses the same Linux functions that billion dollar cloud infrastructure use. Bubblewrap does no sandboxing/restrictions itself, it's instructing the kernel to do it.

aragilar7mo ago

oulipo27mo ago

Sure, but there's plenty of packages with well-known maintainers who get compromised...

1 more reply

j / k navigate · click thread line to collapse