Received: from w4.tutanota.de (w4.tutanota.de [81.3.6.165])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 860B0782C6C
	for <~alpine/users@lists.alpinelinux.org>; Mon, 19 Jul 2021 08:53:32 +0000 (UTC)
Received: from w3.tutanota.de (unknown [192.168.1.164])
	by w4.tutanota.de (Postfix) with ESMTP id E26C81060122
	for <~alpine/users@lists.alpinelinux.org>; Mon, 19 Jul 2021 08:53:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1626684811;
	s=s1; d=keemail.me;
	h=From:From:To:To:Subject:Subject:Content-Description:Content-ID:Content-Type:Content-Type:Content-Transfer-Encoding:Cc:Date:Date:In-Reply-To:In-Reply-To:MIME-Version:MIME-Version:Message-ID:Message-ID:Reply-To:References:References:Sender;
	bh=e5SfDsSpLNp2la2LB36nCIoMoQmiSdoPBPePc6DQuPQ=;
	b=1T3luZ1rbRfwL0Y2lzuiaIHLPyQZReNuz3WyWF/j7EE3Rr9CQa50jeMioXKkLXgF
	gPmy/nBYSTx8vlgN4KkrKHUq6DOKxLQdIDKz55DnPqhDyRNpmnHI4SKlHkofve36sJ3
	upLV3Tq5nhpiDdAH4+IU/PpYjdl/LgK4BP/Erlx7V+n1Tw4ixF3pDeDFEo5lmLCYVkN
	mVC9MztDIVCriDR1xwDlPjYx5H+HAkNMH+MZQOwxaYsI/SKiGL2WnOpIOGyxi2jUFPt
	VC1PtraocJ89TfMNQgZIBMkWe7qpN0PfVJtF3DmTSzz9wqPTn7bqg45WUpxleHDqZwD
	GmO571xjEA==
Date: Mon, 19 Jul 2021 10:53:31 +0200 (CEST)
From: ml-devel@keemail.me
To: ~alpine/users <~alpine/users@lists.alpinelinux.org>
Message-ID: <MextMId--3-2@keemail.me>
In-Reply-To: <87c4c1c0-f20-3f9-2a6-a85c9a4b2133@dereferenced.org>
References: <MexPCzM--3-2@keemail.me> <87c4c1c0-f20-3f9-2a6-a85c9a4b2133@dereferenced.org>
Subject: Re: Firejail
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_113387_1795006307.1626684811909"

------=_Part_113387_1795006307.1626684811909
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Jul 19, 2021, 07:26 by ariadne@dereferenced.org:

> `firejail` has a rather problematic design, so we dropped the package as we were not confident in its dependability as a security tool.

The main reason I use Firejail is because it has a simple front-end. For instance, if I don't want an application to see the contents of my local filesystem, I could simply use the `--private` flag. I could use `--net=none` to prevent the application from accessing the network. Firejail also has extensive documentation, which makes it easy to figure things out.

I understand that one shouldn't rely solely on Firejail for security/privacy, although I think it's a great tool to have in the arsenal. I would like to request the re-addition of Firejail into the official repositories.

> I'm not familiar with the modifications made to Firefox with tor-browser, but you should be able to just use Firefox with Tor directly, I think.

Yes, I could do this. Although Tor provides additional anti-fingerprinting measures, which Firefox doesn't provide by default.

Also, I noticed that `apparmor` is still in in the testing repository. How unsafe is it to run your systems, especially production-facing ones, without `apparmor`? Is there an alternative that's currently provided?

"All userland binaries arecompiled as Position Independent Executables (PIE) with stack smashingprotection. These proactive security features prevent exploitation of entireclasses of zero-day and other vulnerabilities."

I am not sure what the above lines mean. Does PIE, in a way, function as a kind of alternative to apparmor?

(I am not a security-expert, so please bear with my questions. I'm just trying to harden my system, as a hobby.)


------=_Part_113387_1795006307.1626684811909
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
<div>Jul 19, 2021, 07:26 by ariadne@dereferenced.org:<br></div><div dir="auto"><br></div><div dir="auto">&gt; `firejail` has a rather problematic design, so we dropped the package as
 we were not confident in its dependability as a security tool.<br></div><div dir="auto"><br></div><div dir="auto">The main reason I use Firejail is because it has a simple front-end. For instance, if I don't want an application to see the contents of my local filesystem, I could simply use the `--private` flag. I could use `--net=none` to prevent the application from accessing the network. Firejail also has extensive documentation, which makes it easy to figure things out.<br></div><div dir="auto"><br></div><div dir="auto">I understand that one shouldn't rely solely on Firejail for security/privacy, although I think it's a great tool to have in the arsenal. I would like to request the re-addition of Firejail into the official repositories.<br></div><div dir="auto"><br></div><div dir="auto">&gt; I'm not familiar with the modifications made to Firefox with 
tor-browser, but you should be able to just use Firefox with Tor 
directly, I think.<br></div><div dir="auto"><br></div><div dir="auto">Yes, I could do this. Although Tor provides additional anti-fingerprinting measures, which Firefox doesn't provide by default.<br></div><div dir="auto"><br></div><div dir="auto">Also, I noticed that `apparmor` is still in in the testing repository. How unsafe is it to run your systems, especially production-facing ones, without `apparmor`? Is there an alternative that's currently provided?<br></div><div dir="auto"><br></div><div dir="auto">"All userland binaries are
compiled as Position Independent Executables (PIE) with stack smashing
protection. These proactive security features prevent exploitation of entire
classes of zero-day and other vulnerabilities."<br></div><div dir="auto"><br></div><div dir="auto">I am not sure what the above lines mean. Does PIE, in a way, function as a kind of alternative to apparmor?<br></div><div dir="auto"><br></div><div dir="auto">(I am not a security-expert, so please bear with my questions. I'm just trying to harden my system, as a hobby.)<br></div><div dir="auto"><br></div>  </body>
</html>

------=_Part_113387_1795006307.1626684811909--