03:56 <ocdtrekkie> I just can't help myself with chatting in GitHub issues. :/

03:59 <ocdtrekkie> Hiding comments makes me feel better about it though, still easy for people to expand and read.

18:43 <stdedos> Hello there! I am reading https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install, and I was wondering about this part:

18:44 <stdedos> > If you wish to install Sandstorm – or any software – without giving it full access to your system, you must install it on a dedicated machine, VM, or (perhaps, with caveats) user account. In fact, we highly encourage you to do so, for defense in depth. But, we know it’s more work than a lot of people want to deal with.

18:44 <stdedos> Are there instructions for an "installation on a dedicated user account"?

18:54 <stdedos> Also, for the sake of the article above, the following links https://news.ycombinator.com/item?id=12766350, https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/ might interest you to somehow look at them for the sake of completeness

18:54 <stdedos> In any case, +1 from me for giving out a PGP-terifying alternative

20:53 <isd1> stdedos: re: dedicated user account, that's going to depend on the software, and probably won't do much good for Sandstorm, since it needs a fair amount of access anyway

20:54 <isd1> (I think it's technically possible to run it without root using user namespaces, but it needs a bunch of APIs that we deny grains access to for a reason... so I'd be squeamish about relying on it).

21:32 <stdedos> isd1 ... aka docker then?