Bubblewrap Reviews and details

Social recommendations and mentions

• Using GitLab Kubernetes Runners to Build Melange Packages

  Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested... - Source: dev.to / 4 months ago

• A Study of Malicious Code in PyPI Ecosystem

  ``` This is basically manually invoking what Flatpak does: https://github.com/containers/bubblewrap This is also useful for more than just security. E.G., you can test how your app would behave on a fresh install by masking your user configuration files. I personally also have a tool that uses it to basically bundle all dependencies from an entire Linux... - Source: Hacker News / 8 months ago

• Firejail: Light, featureful and zero-dependency security sandbox for Linux

  To, say, override the KDE plugins while testing. This is useful for me since it's rather challenging during development to actually get KDE apps to reliably load my plugins on NixOS: I think kio slaves are probably wrapped and getting other environments injected into them. Rather than bother with any tricky hacks, Linux namespaces make it relatively easy to test regardless. Bubblewrap is used internally by Flatpak... - Source: Hacker News / 10 months ago

• How I published a gratitude journaling app for iOS and Android using SvelteKit and Capacitor

  After some research I had nailed down that I would have to use either bubblewrap, PWABuilder or Capacitor. Since all those worked with Progressive Web Apps, I set out to start with building a PWA. - Source: dev.to / 11 months ago

• Anti-cheat and Steam Flatpak (Eli5)

  Well, they run inside https://github.com/containers/bubblewrap which is a sandbox system. In Flatpak you can override any "hole" that might be the default. Source: 12 months ago

• Am I better off running a GNU/Linux distro over ChromeOS? If so, why?

  Apps in ChromeOS are sandboxed regardless. Over at Linux we're trying to achieve 'bandaid-solutions' using tools like bubblewrap and (albeit to a lesser degree) firejail. Note that the term 'bandaid-solutions' was not meant derogatory, I think both bubblewrap and firejail are amazing utilities. However, their best efforts can only do so much in an environment in which privileged access is the norm, rather than the... Source: almost 1 year ago

• Top Android Phones From China Are Packed With Spyware, Research Finds

  As for Linux distributions, most of them don't have proper sandboxing of applications. We might get there one day with bubblewrap and Flatpak. Source: about 1 year ago

• Show HN: Val.town – A Cloud Scripting Site

  I don't want to say too much, because I know our security isn't perfect, and some about of obfuscation adds some security. Once we move to a more secure model, I will happily tell you all what use used to use to sandbox code. Soon we'll do real sandboxing, either ourselves through Docker, wasm, bubblewrap[1], etc, or an existing FaaS (Lambda, Deno Deploy, Cloudflare Workers) or FaaSaaS (Deno Subhosting) [1]... - Source: Hacker News / over 1 year ago

• Should I remove SNAP from my system?

  Bubblewrap was the foundation of Flatpak and of Valve's Linux namespaces project as well Steam pressure vessel. So then you go to Bubblewrap's Github and low and behold the meta project of it is called "containers" and in the readme they talk about namespaces and OCI images directly. https://github.com/containers/bubblewrap. Source: over 1 year ago

• Scotty: How to handle potentially infinite loops?

  Then, I'd use OS-level sandboxing and resource limiting tools on the subprocess. For example, you could use cpulimit --50 to limit it to 50% of a CPU. A more modern way would be to use Linux cgroups. I also like using Bubblewrap for running untrusted processes within Linux namespaces. Note that some of these things can be tricky to set up if you're already in a Docker container. Source: over 1 year ago

• The future of apps on Linux

  No, it uses bubblewrap, which uses Linux cgroups and a few other linux-specific features that are unrelated to SELinux. From their docs:. Source: over 1 year ago

• Adressing Misconceptions

  Actually I am 100% correct and can provide links to all the documentation. Flatpak uses bubblewap to execute an application from within a namespace. Namespaces are a kernel feature that allows the app to run in a completely separate environment, including under a fake user that only exists in that namespace. You can then grant access to whatever you want within the host system, like a single directory, or the... Source: almost 2 years ago

• Show HN: Porting OpenBSD Pledge() to Linux

  How does this approach for sandboxing compare to the bubblewrap that uses namespaces? https://github.com/containers/bubblewrap. - Source: Hacker News / almost 2 years ago

• PyPI: Python packets steal AWS keys from users

  The "user-friendly" part is always tricky. Maybe you could give bubblewrap a go. I think that it strikes the correct balance between inconvenience and security. I use it to wrap different package managers like npm. https://github.com/containers/bubblewrap. - Source: Hacker News / almost 2 years ago

• Painless Desktop containers for everyday development

  You could get something like this using a Bubblewrap script. I have one which marks everything but the current directory read only and drops me into a shell in that container. So a similar idea would be to overlay mount your system for that container so you can edit, and then on exit the changes vanish. Might try this actually :) https://github.com/containers/bubblewrap. - Source: Hacker News / almost 2 years ago

• Where do I learn about: subuser, bubblewrap, and/or firecracker security?

  I currently use firejail and apparmor. I generally get the ideas- but subuser seems to do something else like chroot containers? Is this outdated? Effective? I also saw bubblewrap, which I do not get the difference between subuser and bubblewrap... Is the hierarchy that bubblewrap can run inside/under subuser? Like how any user can run firejail? Source: about 2 years ago

• Google detail more on how Steam on Chrome OS works with Linux

  Since when is sandboxing things a bad thing. And steam btw uses sandboxing on linux, not a full VM but more than the required chroot: It uses bubblewrap, also used by flatpack. Source: about 2 years ago

• Node.js packages don't deserve your trust

  It's hard to make it practical without linking a whole lot of your local environment in. Remember it's death by a thousand cuts - every time you need some new thing, you just add it without considering the consequences too much. Probably lots of people doing this with their whole home directory linked in read/write. Recently I got a little concerned about this and made myself a basic safety harness with the... - Source: Hacker News / about 2 years ago

• Bubblewrap CLI: Create Android application that launches PWAs

  Not very good name considering there is sandboxing tool for linux with the same name https://github.com/containers/bubblewrap. - Source: Hacker News / about 2 years ago

• Bubblewrap: Unprivileged Sandboxing Tool for Linux

  My reading of https://github.com/containers/bubblewrap#related-project-comparison-firejail is that it is literally what flatpak uses: > Firejail is similar to Flatpak before bubblewrap was split out. - Source: Hacker News / about 2 years ago

• Bubblewrap: Unprivileged Sandboxing Tool for Linux

  "How does it compare to firejail?" you were going to ask: https://github.com/containers/bubblewrap#related-project-comparison-firejail. You're welcome. - Source: Hacker News / about 2 years ago