I am thinking about using distrobox. Since I am on debian I wont need it to install software I could otherwise not install. But I have some apps that require weired install scripts and I am thinking about using it as a security measurement. Do you think that is a good idea? Does that idea makes sense?
Sure, or containers, e.g. Docker/Podman, especially if there is a Web API available.
That being said, whatever you do, in fine it’s about trust. What you are installing can cause damage so IMHO it’s more about keeping things manageable while having your actually important data (not programs, downloaded content, etc but rather things you did yourself, e.g. written documents, sketches, configuration files, prototypes, photos, etc) safe even when the system itself is broken regardless of how and why.
This is just incorrect
…or containers, e.g. Docker/Podman
Distrobox is a script that manages Docker/Podman containers
What you are installing can cause damage so IMHO it’s more about keeping things manageable while having your actually important data…
Programs are installed the container, not on the host system. When you break the container the host system is fine unless using rootful (or Docker) containers.
…while having your actually important data (not programs, downloaded content, etc but rather things you did yourself, e.g. written documents, sketches, configuration files, prototypes, photos, etc) safe…
Using Distrobox does NOT keep your own files safe, it actually mounts your home directory and external USB drives inside the containers by default fully exposing your documents to whatever you install inside.
From the documentation:
Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.
By default it will break out many things. I use db as an extra layer of containers in addition to a python venv with most AI stuff. I also use it to get the Arch AUR on Fedora too.
Best advice I can give is to mess with your user name, groups, and SELinux context if you really want to know what is happening where and how. Also have a look at how Fedora Silverblue does bashrc for the toolbox command and start with something similar. Come up with a solid scheme for saving and searching your terminal commands history too.
If they require weird install scripts you don’t want to install on your system, then do not install it with Distrobox either. For those cases you don’t trust the weird install script, I recommend to use a Virtual Machine; if you really really need the program.
It works well when you want to install software that is not compatible with your distro, but it is not a great security measure since it integrates with your host system instead of acting as a sandbox.
Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.
I recommend you doing so, but not as a security measure, more of so as a “keeping everything organised”-measure.
I like to keep my host OS clean and install everything containerised
