Replying to Avatar Matt Corallo

It’s incredibly frightening how much all modern software expects you to download an entire toolchain to run it.

If it want anything resembling a secure toolchain you end up stuck with ancient software or C projects only.

Java? Here’s a grade *binary* included in the git “source” repo. Rust? Please go download rust via rustup, if you don’t have the version from this week gfy. Go? Basically the same, with tons of dependencies fetched from random git repos. JavaScript? lol, you’re screwed.
Avatar
Michael Welnick 2y ago

This is why I run almost everything in isolated containers now

Reply to this note

Please Login to reply.

Discussion

Avatar
Matt Corallo 2y ago

Indeed, definitely a base requirement these days, but what about bitcoin or something where you don’t want that container to get pop’d? Modern software is trash.

Avatar
Michael Welnick 2y ago

What do you mean by pop’d?

Avatar
Matt Corallo 2y ago

Compromised/hacked/pwned/0wned/etc :)

Avatar
Michael Welnick 2y ago

I don’t think the balance between security and convenience can ever be solved. It’s a constant game of ever-evolving trade offs. The answer for two distinct entities can be drastically different and that’s a good thing.

Avatar
Michael Welnick 2y ago

For some that’s as extreme as only running code your wrote/verified yourself. For others it’s “YOLO I want the latest and greatest no matter the risks”

Avatar
pythcoiner 2y ago

It's not about modern is trash, it's about modern devs are lazy and like fancy stufs instead thinking about the tradeoff of their choices

Avatar
Braydon Fuller 2y ago

What's a good way to do this? KVM, Qubes and/or Docker container?

Avatar
Michael Welnick 2y ago

Docker is by far the easiest. And you can create a new user for each service and run the daemon under that user if you are worried about vulnerabilities in docker itself