Paul Dowman 🔴✨
@pauldowman.eth
I'm surprised that in 2024 we still run so much random crap unprotected. All dev tools should be sandboxed somehow. IDE plugins, homebrew, every package used by the app you're building, etc., etc., all with full access to your machine. 😱 IMHO dev containers is the best way. It gets a bit awkward when you need docker, but there are solutions (docker-in-docker, etc). https://containers.dev/
10 replies
5 recasts
26 reactions

killjoy.eth
@killjoy
Yeah this x 100. I am finding it can be a bit painful to work in the container but worth it for the peace of mind. Does docker in docker work well enough in a container? That has its own security compromises but way better than the status quo.
2 replies
0 recast
0 reaction

Paul Dowman 🔴✨
@pauldowman.eth
I've used docker-from-docker, it worked well. It lets docker tools inside the container use the system docker (magically hooks up the socket file to communicate).
1 reply
0 recast
0 reaction

shazow
@shazow.eth
IIRC if you have write access to the system docker socket, you basically have root access to the host system, no?
1 reply
0 recast
1 reaction

killjoy.eth
@killjoy
Yeah you’re right. Seems like you can’t have your cake and eat it too. Best approach from a security perspective is probably running builds in a context dedicated to that purpose.
1 reply
0 recast
1 reaction

shazow
@shazow.eth
There's lots of tooling around restricting permissions and namespacing (systemd, apparmor, etc). I don't know if there's any package managers that aggressively exercise them consistently, though. Flatpak has provisions too but it's hit and miss, I often have to tweak it manually. Hopefully it'll become more popular!
0 reply
0 recast
1 reaction