rfcs
bubblewrap
rfcs | bubblewrap | |
---|---|---|
673 | 76 | |
5,881 | 3,875 | |
1.2% | 2.5% | |
9.8 | 6.1 | |
6 days ago | 12 days ago | |
Markdown | C | |
Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rfcs
-
Don't defer Close() on writable files
That nobody has gone through the effort of collating its requirements and writing an RFC after https://github.com/rust-lang/rfcs/pull/770 was closed (back in 2015).
I assume a big issue is that this is full of edge cases up the ass, and the value is somewhat limited in the sense that if you know you want durable writes you'll sync() and know you're fucked if you get an error, but close() does not guarantee a sync to disk, as the linux man page indicates:
> A successful close does not guarantee that the data has been successfully saved to disk, as the kernel uses the buffer cache to defer writes.
-
An Optimization That's Impossible in Rust
I never heard of "German strings" in place of the small string optimization before! And there had been way too many proposals to add such types to the standard library [1] [2] [3] [4]. My understanding is that:
1. Both `Vec` and `String` should share the same layout as part of the standard library's contract.
2. Unlike `String`, the equivalent optimization for `Vec` is more questionable especially when T might be any type. C++ standard libraries frequently do implement multiple layouts for std::string but not for std::vector for the same reason.
3. Rust never allows an implicit copying of `String` in the first place, which greatly benefits from the SSO, so the lack of SSO in Rust is less important compared to C++.
[1] https://github.com/rust-lang/rust/issues/4991
[2] https://github.com/rust-lang/rust/issues/20198
[3] https://github.com/rust-lang/rfcs/pull/2990
[4] https://github.com/rust-lang/unsafe-code-guidelines/issues/4...
- Async2 – The .NET Runtime Async experiment concludes
-
Jiff: A brand new Datetime library for Rust, from the builder of ripgrep
nrc was poking at the problem in 2016 https://internals.rust-lang.org/t/struct-field-defaults/3412 which led to this RFC https://github.com/rust-lang/rfcs/pull/1806
It got postponed because it wasn't going to make it into Rust 2018: https://github.com/rust-lang/rfcs/pull/1806#issuecomment-327...
-
Cultivating Open Source Community
You can check out Rust-langs RFC Repo to see their well-documented and thorough process for an RFC.
-
Generics in Rust: murky waters of implementing foreign traits on foreign types
Finally, I found the answer in the RFC Book (RFC stands for Request For Comments). RFC 2451 from 2018-05-30 that starts with the following lines:
-
Ask HN: What April Fools jokes have you noticed this year?
RFC: Add large language models to Rust
https://github.com/rust-lang/rfcs/pull/3603
- Rust to add large language models to the standard library
-
Why does Rust choose not to provide `for` comprehensions?
Man, SO and family has really gone downhill. That top answer is absolutely terrible. In fact, if you care, you can literally look at the RFC discussion here to see the actual debate: https://github.com/rust-lang/rfcs/pull/582
Basically, `for x in y` is kind of redundant, already sorta-kinda supported by itertools, and there's also a ton of macros that sorta-kinda do it already. It would just be language bloat at this point.
Literally has nothing to do with memory management.
- Coroutines in C
bubblewrap
-
Docker, Linux, Security. Kinda.
As an example we will look at man 1 bwrap. Bubblewrap allows us to sandbox an application, not too dissimilar to docker. Flatpaks use bubblewrap as part of their sandbox. Bubblewrap can optionally take in a list of syscalls to filter. The filter is expressed as a BPF(Berkley Packet Filter program - remember when I said docker gives you a friendlier interface to seccomp?) program. Below is a short program that defines a BPF program that can be passed to an application using bwrap that lets us log all the sycalls the application makes to syslog.
-
I Use Nix on macOS
Nothing nix specific but you may be interested in https://github.com/containers/bubblewrap
- I reduced the size of my Docker image by 40% – Dockerizing shell scripts
- Exploring Podman: A More Secure Docker Alternative
-
Using GitLab Kubernetes Runners to Build Melange Packages
Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested in hosting their own Kubernetes Runners and leveraging the Kubernetes Runner Type of Melange.
- how strong is the steam (runtime) sandbox for games?
- Server-side sandboxing: Containers and seccomp
-
A Study of Malicious Code in PyPI Ecosystem
```
This is basically manually invoking what Flatpak does:
https://github.com/containers/bubblewrap
This is also useful for more than just security. E.G., you can test how your app would behave on a fresh install by masking your user configuration files. I personally also have a tool that uses it to basically bundle all dependencies from an entire Linux distribution in order to make highly portable AppImages— Been meaning to post that, will get around to it eventually maybe.
The flags above should hide your user data (`--tmpfs`), disable network access (`--unshare-all`), hide/virtualize devices and OS state (`--dev` and `--proc`), and make the rest of the root filesystem read-only (`--ro-bind`— Including the insecure X11 socket in `/tmp`, which you might want to expose for GUI apps).
Check them against `bwrap --help`; I might have omitted one or two more things you'd need.
- Bubblewrap – Low-level unprivileged sandboxing tool used by Flatpak
What are some alternatives?
rust - Empowering everyone to build reliable and efficient software.
firejail - Linux namespaces and seccomp-bpf sandbox
crates.io - The Rust package registry
flatpak - Linux application sandboxing and distribution framework
Rust-for-Linux - Adding support for the Rust language to the Linux kernel.
flathub - Issue tracker and new submissions
polonius - Defines the Rust borrow checker.
nsjail - A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
zig - General-purpose programming language and toolchain for maintaining robust, optimal, and reusable software.
distrobox - Use any linux distribution inside your terminal. Enable both backward and forward compatibility with software and freedom to use whatever distribution you’re more comfortable with. Mirror available at: https://gitlab.com/89luca89/distrobox
rust-gc - Simple tracing (mark and sweep) garbage collector for Rust
multipass - Multipass orchestrates virtual Ubuntu instances