Toolship: A (More) Secure Workstation

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. nix

    Nix, the purely functional package manager

    I would also recommend looking into NixOS reproducible builds, which allow declaratively specifying the entire system configuration and precisely defining which packages are installed, their versions, and dependencies. The OS remains immutable and consistent. A quite powerful tool for creating a secure and minimalistic workstation environment.

    https://nixos.org/

  3. dotfiles

    My dotfiles. Buyer beware ;) (by jessfraz)

  4. dockerfiles

    Various Dockerfiles I use on the desktop and on servers.

    https://blog.jessfraz.com/post/docker-containers-on-the-desk... is the one I remember, a bit old but still useful to see how she does it.

    Seems super painful and indirected for a nebulous gain to me, but find your joy however you want I guess

  5. dew

    Run everything in (Docker) containers (by efrecon)

    I have written dew (https://github.com/efrecon/dew) for more or less the same purpose. I hardly keep any binary (and dependency) in my installation, they are all inside containers that I can easily dispose of at any time. The default in dew is to run them as your user. At the command prompt, instead of running, for example, kubectl xxx, I run dew kubectl xxx. It's a bit slower but provides an increased level of security.

  6. toolship

    A framework to containerize dev tools

    No, I don't think you're missing anything, other than you'd only mount the directories you want the tool / development environment to have access to. Take for instance the `npm` command [1], it mounts `$PWD` so if you install a compromised package then it can go through the folder you're in, but it can't then go up directories and sniff around your home directory. It would also only have access to the environment variables that have been configured for the container, which in this case would also include AWS credentials.

    1 - https://github.com/yapret/toolship/blob/main/src/node/functi...

  7. firejail

    Linux namespaces and seccomp-bpf sandbox

    Firejail can also be a useful option, though no good if you're on Mac https://firejail.wordpress.com/

    Uses the same Linux primitives as docker etc, but can be a bit more ergonomic for this use case

  8. distrobox

    Use any linux distribution inside your terminal. Enable both backward and forward compatibility with software and freedom to use whatever distribution you’re more comfortable with. Mirror available at: https://gitlab.com/89luca89/distrobox

    I'm running Silverblue but running my containers through distrobox. Both toolbox and distrobox are running on podman under the hood, so it's the same technology as far as I understand. However, distrobox has some interesting features relevant to this idea of development isolation. One is that it has an assemble feature[1] built-in, where you can feed it a recipe file and it will build or rebuild containers accordingly. The other is that it allows setting a custom home directory for the container, among other host/container isolating options[2].

    Performance-wise, my containers take a couple MiB of RAM and no perceptible CPU usage when not in use. At least as far as I can tell.

    [1] https://github.com/89luca89/distrobox/blob/main/docs/usage/d...

    [2] https://github.com/89luca89/distrobox/blob/main/docs/usage/d...
