I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.
Yes, I understand Flatpak does some seccomp syscall filtering. It still isn’t enough to consider a secure sandbox where the threat model is that the app is untrusted. Bubblewrap is generally considered a weak sandbox and isn’t “secure by default”, allowing for easy footguns.
LXC/Incus does support proper VMs but it isnt as common.
Neither are really designed to run untrusted apps.
I guess I just don’t understand your question. Explain in more detail.
Really think about the Ws (who, what, where, when, how).
If you want to protect against an “advanced” threat actor, you can not do that without multiple layers of isolation, including but not limited to virtualization, MAC (SELinux), namespaces, seccomp.
All protections are meaningless without a clear understanding of what assets you are protecting, the threat you face, and they want from you.
Distrobox is design to be the opposite of confined. Its goal is integration. The container is stripped away as much as possible to allow for sharing host resources.
As it says on the Distrobox website:
Security implications
Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.
I would also argue calling “plain docker/podman container or a Flatpak” being “highly sandboxed” is also quite wrong and a misuse of those technology.
It uses Docker/Podman which is not a security sandbox. The purpose is app containers, not a security boundary. It shares the sane kernel as the host, which makes kernel vulnerabilities a source of container escapes. Docker (the default) runs as root and could be a source of privilege escalation. Best case is use gVisor or SELinux. Still not a secure sandbox.
Similar problems with Flatpak. Not a secure sandbox. Doesn’t Barely filters syscalls (and in a general way instead of per-app), barely reduces attack surface, granting frequently required permissions often significantly reduces the strength of the sandbox, shares a kernel with the host (and no application kernel like gVisor or sydbox), weak use MAC (like SELinux). Most of this can also be said of the previous 2 container software (and also LXC/LXD/Incus).
Also, don’t use browsers with Flatpak, they have a significantly weaker sandbox because it is missing a layer of sandboxing (namespaces). This makes attack exponential more likely by reducing the need chain another major vulnerability to execute a successful sandbox break.
What you want is a VM. It is designed to be a secure sandbox but needs some configuring.
Licenses don’t matter when corpos don’t care anyways. Especially for training LLMs. They don’t care about copyright. I choose to use tools based on there merits over simply going “it has my favorite license.” Even though I say that, I still prefer AGPL even though I understand that of the corpos want to steal, they’ll steal it.
Anything really. Just use Docker/Podman or LXC and then the base OS won’t matter.
Next thing I am looking at is secureblue for Fedora CoreOS. Security matters and a rock solid base with hardened defaults is really nice. It also is Atomic and because it is effectively just CoreOS, you install it with a JSON file (I think). Using the provided example butane file it took like 30 seconds to install. Now I need to customize it further.
I am not trying to say that SailfishOS (or Jolla) isnt a cool project, it just doesnt belong here. Whenever people post Obsidian.md in here I say the same thing for the same reason. Try posting in the Linux phones community. I don’t subscribe to this community to see proprietary software invade the FOSS space.
AOSP is open source, Google’s Certified Android is not. You can contest that if you want.
That doesn’t change that SailfishOS is straight up proprietary for most of its developed compotents. It does not belong in this community. The Wikipedia page for SailfishOS says under license “proprietary with some open source components”.
Sailfish OS is proprietary. It does not belong in this community.
I still dont understand /e/OS. Just use LineageOS. It supports all the same devices and doesnt lag as far behind. You can choose to run an insecure OS if you like (see: all Windows 10 users) but definitely don’t recommend it to others.
You cannot have privacy without at least basic security. Targeted attacks are not the most common kind of attack by long shot. Threat actors scan for vulnerable devices and use automated scripts to execute attacks. Android is one of the most exploited targets. With an outdated OS your browser could be exploited and used to get a sandbox escape, possibly chaining it into root escalation. It all depends on the vulnerabilities found and the longer you wait the more likely for the “stars to align” for the perfect attack. Look at CVE-2025-48593 for an example, zero-click RCE. In recent memory there was also a zero-click RCE utilizing specially crafted MMS, meaning an threat actor could send messages to all phone numbers and try the attack in mass.
/e/OS is by far the most behind on updating security patch levels of the AOSP ROMs (at ~2 months), iode is ~1 and everything else is better than those two.
Privacy without security is not real privacy, it is a mirage.
Security without privacy is like a fortress with cameras inside, a known threat (eg. Gapps Android).
Privacy with security is like a fortess with no known threats at all (eg. AOSP with timely security patches).
Privacy without security is like a fortress where some of the locks have rusted through and if someone tries they can open the doors. It is like replacing the walls with cardboard. “No one can spy on me now” you say in your cardboard castle.
There is no privacy without security. Android is one of the most widely exploited OSes and every month a dozen or more critical severity vulnerabilities are patched. Being 1-2 months behind on security patches is inexcusable for a privacy project.
From the description of this repo:
OpenCal is a web-based open-source software designed to make online appointment scheduling effortless and efficient. Whether you’re managing a team or running a business, OpenCal takes the hassle out of coordinating appointments, eliminating the need for endless back-and-forth emails. With OpenCal, you can streamline communication, save time, and focus on what really matters.
Can you give a description instead of just posting a plain link. Low effort post.
Most include micro iirc
Can you at least credit the OP who originally posted this when reposting? What community did you get this from?
Screensharing is the only thing i dont think it does. Voice and video good. See snikket or conversations.im
Also the repo image
Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, bit arent even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces significantly more important for these containers’ security.
GVisor helps with one of the main risks in a container setup which is the shared kernel by hosts and guests. I understand it comes with a performance penalty (and I didnt know it was incompatible with SELinux), but that does change my original point that GVisor is a security improvement to default Docker. I understand there is more nuance, even when I wrote my original comment I understood (just like any other security feature) it cant be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: Kernel vulnerabilities and privilege escalation.
I researched cgroups2 more and I still dont understand why you brought it up in the first place. Cgroups2 and gvisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk DoS attacks) by controlling access to some system resources (io, devices, cpu, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gvisor because it is mostly just a drop-in replacement container runtime which doesnt need setup to be used.s
Now for a different container runtime which provides significantly more features (than gvisor) with less downsides (if configured correctly for a specific workload), Sydbox provides syd-oci which id an application kernel runtime which uses a permission config file to create a sandbox, isolating using namespaces, seccomp, landlock, and more. It can sandbox in many different categories (often times leveraging multiple features to provide a multilayer sandbox), you can see the categories at the syd manpage. The biggest downside is that you must really understand what your container application needs otherwise it will prevent it from running. It is a “secure by-default” sandbox which can be softened through config.
I dont really understand what you mean in your last sentence.
My reason for saying GVisor is safer is because it is an application kernel which provides traps and emulates most Linux syscalls in the guest with a far smaller set of syscalls to the host kernel, helping to prevent container escapes and privilege escalation. GVisor also fully drops privileges early into start up (before running any significant logic), helping to prevent privilege escalation.
Cgroups is not a really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resources limiting (among other things). You can not use GVisor with LXC.
The UI is proprietary.
Flatpakbapps cant use namespaces. Flatpak (the software) uses namespaces but Flatpak apps can not.