[conspire] debian package

Nick Moffitt nick at zork.net
Wed Aug 17 01:48:49 PDT 2016


Tony Godshall:
> I wonder if this might be a use-case for the new "snap" packages.
> 
> Essentially, it's containerization at the package level.

It's a nice system for larger collections of software, typically things
that would be installed as multiple packages.  The nice thing about it
is the way it removes yet another barrier to security containment by
giving snap builders a sort of pick&mix selection of exceptions to a
default-deny apparmor (and SELinux, and seccomp, etc) setup.

So you say "oh well this is a network daemon so it'll need the
'network-bind' set of permissions" and all the local data ends up in
highly contained subdirectories that are versioned by snap revision.

I love it because it is the sort of thing that can put an end to the
hideous "To install our program, first disable SELinux" instructions you
see on some software.  It's kind of the ultimate fulfillment of the
promise of chroots, in a way.




More information about the conspire mailing list