I am thinking about using distrobox. Since I am on debian I wont need it to install software I could otherwise not install. But I have some apps that require weired install scripts and I am thinking about using it as a security measurement. Do you think that is a good idea? Does that idea makes sense?
I am a massive Distrobox fan. I do not use it for security though.
- create environments for specific purposes: dev, testing, cybersecurity work, video, AI, etc
- access to the full app library of any distro
- isolation of multiple large apps for easy and complete removal when you are done with them
- use Glibc apps on your MUSL distro
- install apps easily on an immutable distro
- total compatibility ( eg. Legally install a real RHEL9 Distrobox for free )
- ”try out” an unfamiliar distro without a VM
- experiment and break things without messing up your main system
- separate your distro base from your userland ( eg. Minimal Debian Stable install with pretty much all apps coming from an Arch Linux Distrobox ). Rock solid stability of the base system paired with a massive ecosystem of up-to-date packages.
I wouldn’t use it for security, use VMs if you need isolation.
I used Distrobox for various dev projects on Fedora Atomic and it worked great for that. I did a separate homedir mainly just to avoid dumping a bunch of crap into my real home but definitely have the expectation that anything you install has full access to the system.
I run FreeCAD via Distrobox as well since the flatpak performance was pretty bad and it’s wayyyy faster which is nice and preferable to rpm-ostree in my instance.
I recommend you doing so, but not as a security measure, more of so as a “keeping everything organised”-measure.
I like to keep my host OS clean and install everything containerised
It works well when you want to install software that is not compatible with your distro, but it is not a great security measure since it integrates with your host system instead of acting as a sandbox.
Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.
If they require weird install scripts you don’t want to install on your system, then do not install it with Distrobox either. For those cases you don’t trust the weird install script, I recommend to use a Virtual Machine; if you really really need the program.
