With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?
Flatpacking is great but not all applications support it.
Is it too much of a hassle?
With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?
Flatpacking is great but not all applications support it.
Is it too much of a hassle?
You don’t necessarily need QubesOS to get better isolation. You can package unsupported applications as Flatpaks yourself and run them with minimal permissions. The downside is the maintenance burden, and Flatpak sandboxing isn’t as strong as Qubes’ VM-based isolation. It’s a useful middle ground, but it doesn’t completely solve supply-chain risk. Qubes can be good, but it’s all about your friction budget.
Humans optimise for convenience eventually.
Am I naive to think that Qubes would be less work?
I’d set up a few different qubes for the apps kind of like graphene and then just let them update. If I hear anything bad about them I just nuke that qube right?
A little extra up front work, but way easier to maintain?