This week in Plasma: Getting #Plasma6.3 into shape, more KRunner searches, better scaling and a whole lot more:
https://blogs.kde.org/2025/01/18/this-week-in-plasma-getting-plasma-6.3-in-great-shape/
This week in Plasma: Getting #Plasma6.3 into shape, more KRunner searches, better scaling and a whole lot more:
https://blogs.kde.org/2025/01/18/this-week-in-plasma-getting-plasma-6.3-in-great-shape/
@[email protected] @[email protected]
Can you tell us what happens on the “sandbox all the things” goal?
I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.
(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)
@Rhababerbarbar @[email protected]
“Sandbox all the things” is not currently a KDE goal.
https://kde.org/goals/
@[email protected] @[email protected]
Thx for the info, then it is like that.
Here is the goal proposal
https://phabricator.kde.org/T17370
Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.
As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.
@[email protected] @[email protected]
For people interested, maybe #crabjail and #crablock can be a solution!
https://codeberg.org/crabjail/crablock
A #sandboxing tool written in #Rust, featuring " bleeding edge #Linux #security features like #Landlock or MDWE_REFUSE_EXEC_GAIN."
@Rhababerbarbar @[email protected]
That is the proposal page. Of all proposals, and there are always quite few, the community votes and selects three to work on for two years. This one was not selected.
@[email protected] @[email protected]
True, changed the naming ;)