Date: Mon, 19 Jul 2021 05:28:13 -0500 (CDT)
From: Ariadne Conill
To: Wolf
cc: Ariadne Conill, ml-devel@keemail.me, ~alpine/users@lists.alpinelinux.org
Subject: Re: Firejail

Hello,

On Mon, 19 Jul 2021, Wolf wrote:

> On 2021-07-19 02:26:45 -0500, Ariadne Conill wrote:
>>> I've noticed that `firejail` isn't available in the repositories. Will it be available in the future?
>>
>> `firejail` has a rather problematic design, so we dropped the package as we
>> were not confident in its dependability as a security tool.
>
> Would you be able to recommend some reading on the topic? Since I'm
> using it on my laptop I would like to know more.

The basic gist of it is that we weren't really thrilled about having a SUID
program with several CVEs that describes itself as a security tool in the
repo. Although the CVEs have been mitigated, they were caused by lack of
experience writing C code, which means there are likely many more CVEs in
firejail just waiting to be discovered. Given that it's SUID and has to be
SUID in order to do its thing (due to the way it's implemented), I hope you
can understand the skepticism.

Ariadne