I’m the Never Ending Pie Throwing Robot, aka NEPTR.

Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.

TL;DR I am a nerd.

  • 0 Posts
  • 97 Comments
Joined 1 year ago
Cake day: November 20th, 2024

  • Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, but aren’t even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces are significantly more important for these containers’ security.

    GVisor helps with one of the main risks in a container setup, which is the shared kernel between hosts and guests. I understand it comes with a performance penalty (and I didn’t know it was incompatible with SELinux), but that does change my original point that GVisor is a security improvement to default Docker. I understand there is more nuance; even when I wrote my original comment I understood (just like any other security feature) it can’t be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: kernel vulnerabilities and privilege escalation.

    I researched cgroups2 more and I still don’t understand why you brought it up in the first place. Cgroups2 and gVisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk of DoS attacks) by controlling access to some system resources (io, devices, cpu, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gVisor because it is mostly just a drop-in replacement container runtime which doesn’t need setup to be used.

    Now for a different container runtime which provides significantly more features (than gVisor) with fewer downsides (if configured correctly for a specific workload): Sydbox provides syd-oci, which is an application kernel runtime that uses a permission config file to create a sandbox, isolating using namespaces, seccomp, landlock, and more. It can sandbox in many different categories (often leveraging multiple features to provide a multilayer sandbox); you can see the categories in the syd manpage. The biggest downside is that you must really understand what your container application needs, otherwise it will prevent it from running. It is a “secure-by-default” sandbox which can be softened through config.
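    The comments above distinguish three isolation layers that a container runtime may or may not apply: namespaces, cgroups, and seccomp. The following script is an added example (not code from the commenter or from any of the projects named) that reports, for a running process on Linux, which namespaces differ from PID 1, which cgroup v2 path it sits in, and its seccomp / NoNewPrivs state, so a practitioner can verify what a runtime actually applied rather than assuming it; the sample status text is constructed.

```python
"""Inspect the isolation layers (namespaces, cgroup, seccomp) of a Linux process via /proc."""
import os
from typing import Dict, Optional

NS_TYPES = ("pid", "mnt", "net", "uts", "ipc", "user", "cgroup")

# Constructed sample of the relevant /proc/<pid>/status fields (not captured output).
CONSTRUCTED_STATUS = "Name:\tsh\nSeccomp:\t2\nNoNewPrivs:\t1\n"


def _ns_id(pid: int, ns: str) -> Optional[str]:
    # The link target (e.g. "pid:[4026531836]") identifies the namespace.
    # Reading another process's links needs ptrace access; report None if denied.
    try:
        return os.readlink(f"/proc/{pid}/ns/{ns}")
    except OSError:
        return None


def namespace_report(pid: int = os.getpid(), ref_pid: int = 1) -> Dict[str, Optional[bool]]:
    """True if pid is in a different namespace than ref_pid, False if the same, None if unknown."""
    report = {}
    for ns in NS_TYPES:
        mine, ref = _ns_id(pid, ns), _ns_id(ref_pid, ns)
        report[ns] = None if mine is None or ref is None else (mine != ref)
    return report


def parse_status(text: str) -> Dict[str, int]:
    """Extract Seccomp (0 = off, 1 = strict, 2 = BPF filter) and NoNewPrivs from a status body."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Seccomp", "NoNewPrivs"):
            fields[key] = int(value.strip())
    return fields


def cgroup_path(text: str) -> Optional[str]:
    """cgroup v2 exposes a single '0::/path' line in /proc/<pid>/cgroup; v1-only hosts return None."""
    for line in text.splitlines():
        if line.startswith("0::"):
            return line[3:]
    return None


def isolation_summary(pid: int = os.getpid()) -> dict:
    def read(name: str) -> str:
        try:
            with open(f"/proc/{pid}/{name}") as f:
                return f.read()
        except OSError:
            return ""  # not Linux, or /proc not readable
    return {"namespaces": namespace_report(pid), "cgroup": cgroup_path(read("cgroup")), **parse_status(read("status"))}


if __name__ == "__main__":
    print(isolation_summary())
```

    Run it inside a container (`docker run ... python3 isolation.py`) and from the host to compare: a runtime that only applied cgroups shows every namespace as False and Seccomp 0.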


  • I don’t really understand what you mean in your last sentence.

    My reason for saying GVisor is safer is because it is an application kernel which provides traps and emulates most Linux syscalls in the guest with a far smaller set of syscalls to the host kernel, helping to prevent container escapes and privilege escalation. GVisor also fully drops privileges early in startup (before running any significant logic), helping to prevent privilege escalation.

    Cgroups is not really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resource limiting (among other things). You can not use GVisor with LXC.


  • They disregard the risk from the vendor because you are already using their hardware. The hardware has firmware already included which is proprietary, the hardware itself is proprietary, and hardware effectively runs as root anyways. You should already trust your hardware or you shouldn’t be using it. Linux-libre is a purity test, that is it. It is security theater which actually, definitely, really makes you vulnerable without doing anything meaningful. The only time it makes any sense is if you only use open source hardware.


  • Are these “other features” hard dependent on systemd? If yes, how are they modular (or portable)? “My program can be used on any system with a couple of small dependencies: Linux kernel, glibc, and the systemd Kernel” /j

    There are some attempts to use systemd tools independently of it, like elogind and eudev, but see what I mean. Hard forks (with major rewrites) are required because these tools heavily depend on systemd, which, fine, I understand having a dependency, but you can’t just use part of systemd since it is too tangled together. It would be nice if more of systemd’s code was available as separate libraries so you could further reduce attack surface by building a significantly slimmed version of systemd+feature. I am unsure if you meant modular as in “you can choose to enable them” or as in “you can build without them” or both.

    Also, I never claimed systemd ran everything under pid1, just plenty more than they should be, like init plus service manager (and more), not every single systemd tool because that would be beyond stupid and systemd isn’t made by idiots.


  • Disclaimer: I use systemd distros. I don’t hate systemd, I just like the ability for alternatives to flourish without fighting an uphill battle.

    It has major project scope creep (does too many things that aren’t init or service management), isn’t modular or portable, only just gained support for muslc, it runs most of its init and management things in pid1 (which is a security and stability issue), it is a massive C program (large attack surface), it isn’t very fast when compared to any other init (especially s6 or dinit which boot in under 4 seconds), it implements non-standard interfaces which just encourages further dependency, etc.

    Systemd is like the Walmart of Linux OS tools. It replaces many other options and does things good enough (not the best, good enough) to make it worth it to use them and their ecosystem, and they make things simple to use. But just like Walmart, they undercut other options, stifle adoption, until they are the only shop in town.

    Dinit does everything I need out of a service manager, has similar command utilities and syntax to systemd, is much faster, has simpler and cleaner code, avoids many of the pitfalls of systemd, and supports user services. s6 is pretty good too but has kinda terrible UX.

    The simplest answer to why I dislike systemd is that with all the major distros using systemd, it will become harder and harder to use most Linux software without systemd and its growing set of utilities. If systemd made an effort to work with the community to implement standard interfaces then alternatives could flourish without requiring large on-going patches to much of the Linux software ecosystem. It will only get worse from here. Systemd is (basically) the init of Linux and I think that is sad.


  • Where did you read that Signal uses MLS? I could not find any claims of using MLS on Signal’s specs page or their GitHub repo. Also MLS doesn’t mean anything on its own, see Soatok’s blog on MLS.

    Soatok is currently in the process of writing a blog post about another vulnerability they found in Matrix’s encryption, and with Matrix’s history of numerous vulnerabilities, I would stay away from that shit. No matter how “good” the algorithm is in theory, it is all about implementation. Matrix also has very brittle encryption; often many messages will become unrecoverable, which is terrible UX.

    You’d be better off just selfhosting XMPP+OMEMO, with the caveat that it is also flawed and leaks plenty of metadata.

    The best alternatives to Signal (but not Discord) are SimpleX and Briar. Both are significantly better than XMPP/Matrix for privacy and security.