postmarketOS / coldbrew · GitLab
gitlab.postmarketos.org
Welcome to the postmarketOS GitLab o/

Coldbrew is a “brew” style package manager for Linux distributions that offers the full power of the Alpine Linux aports repository with no root access required

Coldbrew is a bit of a mix of flatpak and homebrew. It uses a very lightweight sandbox (bubblewrap) mainly as a means of isolating dependencies. It aims to server a similar goal as homebrew, but without the PATH issues homebrew brings (see: https://invent.kde.org/kde-linux/kde-linux/-/merge_requests/408)

Example Usage:

coldbrew install neovim # install the package
coldbrew run nvim       # run nvim
coldbrew wrap nvim      # create a wrapper to type less
nvim                    # run nvim
  • Oinks@lemmy.blahaj.zone
    41·
    11 hours ago

    This is interesting, but I wouldn’t consider this to be at all comparable to Flatpak. From what I can see the only purpose of using bubblewrap here is the dependency isolation (without having to recompile the world ala Nix), which does have some value but it feels misleading to even call it a sandbox.

    It mounts /home and /run into the sandbox chroot, which means that “sandboxed” applications can do things like reading your SSH keys, dumping your keyring or escaping the sandbox via write to .bashrc (so most of the attacks you’d want to prevent). This is presumably done because without /home access you wouldn’t be able to write to the filesystem and without /run access you can’t even display a graphical window, which would make the packages quite useless.

    XDG Desktop Portal solves this by allowing filtered dbus access controlled by package metadata (/.flatpak-info), and then having sandboxed applications use portals to access files, secrets and other resources. The metadata is a major flaw in Flatpaks design (note that a lot of the most popular Flatpaks want full $HOME access), but it’s also what allows Flatpak to be useful. In this project, there’s no metadata since the packages just come from Alpine repositories.

    • Nobody@lemmy.worldOP
      3·
      6 hours ago

      Correct, that’s what I meant by calling it a lightweight sandbox that’s mainly used to isolate dependencies.

      Though the cool thing about cold brew is that it’s simply a shell script. Not even a crazy long one at that. It would not be difficult to modify the bubblewrap flags to increase security.

      Though filesystem isolation is not its goal, it’s meant to emulate that homebrew use which is unsandboxed.