IMHO both regular users and Linux namespaces are far too complex to rely on for strong security. With user namespaces there have been numerous bugs where some part of the kernel forgets to do a user mapping and think that root in a container is root on the host. In practice neither regular users or containers (Linux namespaces) is a strong isolation mechanism. Service managers such as systemd also make it fairly easy to prevent these footguns and apply security hardening with a common template. But users have existed as an isolation mechanism since early UNIX. Sure, there are footguns like command lines being visible to all users, sometimes open default filesystem permissions or ability to use /tmp insecurely. How is a normal user completely unconfined? Linux is a multi-user system. (And might be missing other language features that the Nix ecosystem/API expects, such as lazy evaluation.) I would love to configure it with Elixir, but Nix is actually 20 years old at this point (!) and predates a lot of the more recent functional languages.Īs a guy “on the other side of the fence” now, I can definitely say that the benefits outweigh the disadvantages, especially once you figure out how to mount the learning curve. I kind of agree with you that any functional language might have been a more usable replacement (see: Guix, which uses Guile which is a LISPlike), but Python wouldn’t have worked as it’s not purely functional. It actually runs a Nix interpreter in your browser that’s been compiled via Emscripten: It’s an interactive teaching tool for Nix. This is probably the best tour of the language I’ve seen available. The programming language is basically an analogue of JSON with syntax sugar and pure functions (which then return values, which then become part of the “JSON”. Including things that people normally resort to Docker for. And then I ran into a lot of problems with code management in a short timeframe that were… completely solved/impossible-to-even-have problems in Nix. For at least 5-10 years, I thought Nix was far too complicated to be acceptable to me. Neither the FSF or Guix are preventing you from exercising your right to run the software as you like, for any purpose, even if that purpose is running unfree software packages - they simply won’t support you with that. Looks like the FSF does not agree with me exercising that freedom. This is both a fundamental misunderstanding of what the four freedoms are (they apply to some piece of software), and a somewhat bizarre, yet unique (and wrong) perspective on the goals of the FSF. To me, that means prioritizing Open-Source software as much as possible, but pragmatically using some non-free software when required. The maintainers got sick of getting non-Guix questions, You have an illusion there’s an “illusion” of purity with the Guix project - Guix is uninvolved with any unfree software. The “avoid any unnecessary hostility” is because the repo has constantly been asked about on official Guix channels and isn’t official or officially-supported, and so isn’t involved with the Guix project.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |