How will another centralized git host solve for US DMCA protection?

I just checked another link on archive.org that really just explains how to do linear interpolation of a missing array element from neighboring elements. This is insane. GH should really be considered a potential single point of failure now.

Yes, it is a VST plugin (and standalone), and amusingly probably works better in Wine than Native, aside from the fonts being craptastic. Containerized distribution doesn't really work for plug-ins.

This is the first time I'm reading of Pipewire, and it sounds promising, but will need to have host support before it becomes a reasonable VST / LADSPA replacement. (I didn't see if that's among its goals, but such would seem reasonable.)

Well, in the case of WSLg the sandbox is WSL itself (and you can spin up multiple different ones, though they'd hardly qualify as micro VMs). The only part that "only works on Windows" is the RDP client. The rest is specifically developed for Linux and open source. The backend is an extension of FreeRDP, so presumably the FreeRDP client would be just fine on Linux.

Also, xpra and waypipe are developed with the intent of being used remotely. They do not have any zero-copy provisions to reduce latency and overhead on local-only applications, like you would get with at least the virtio_wl and WSLg approaches.

As mentioned to open, containers within VMs are a security standard for cloud-native when security is critical.

x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Bubblewrap is okay if you trust your kernel, but locking the app away in its own VM with its own kernel gives another layer to bust through.

I was just looking into various approaches to use process isolation for security on the desktop in Linux.

Containers within VMs are a norm for security in cloud-native [1]. Some lessons there could be applied to desktop.

One option is the approach of Spectrum OS [2]. They use crosvm (same as what Firecracker "micro VMs" uses) and virtio_wl [3][4].

Another approach might be x11docker [5] with Kata Containers [6].

Curiously, the work for WSLg (WSL with graphics) [7][8] to support graphical Linux guest VMs could also be applied on a Linux host.

  1: https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf
  2: https://spectrum-os.org/
  3: https://spectrum-os.org/design.html
  4: https://alyssa.is/using-virtio-wl/
  5: https://github.com/mviereck/x11docker
  6: https://katacontainers.io
  7: https://github.com/microsoft/wslg
  8: https://xdc2020.x.org/event/9/contributions/611/attachments/702/1298/XDC2020_-_X11_and_Wayland_applications_in_WSL.pdf

Pulseaudio has network support. You should be able to share your microphone. Of course you need to run pulseaudio inside the container, too. So it's no longer an application container, but a system container.

I used system containers in the past, they are not always easy. No idea whether it would work with podman.

Now that I think about it: The browser obviously uses the display of the host. How? Only over X11 network protocol? That worked in the past, does it still work today? I thought modern browsers would need /dev/dri/? If that is made available, why would Webcams not be possible?

No, you absolutely can. Priests are "qualified" through reading religious texts of dubious validity. If anything, they should be trusted less.

I don't know if it's even possible to answer whether a god exists, but it's quite easy to find the flaws in religious stories, and if anyone can answer that question, it's certainly not them.

And most devices have backdoored CPUs too (Intel ME)

I wonder what the next Crypto AG (CIA front) will be