> If you wish to install Sandstorm – or any software – without giving it full access to your system, you must install it on a dedicated machine, VM, or (perhaps, with caveats) user account. In fact, we highly encourage you to do so, for defense in depth. But, we know it’s more work than a lot of people want to deal with.
Are there instructions for an "installation on a dedicated user account"?
In any case, +1 from me for giving out a PGP-terifying alternative
isd has joined #sandstorm
isd has left #sandstorm [#sandstorm]
isd1 has joined #sandstorm
stdedos: re: dedicated user account, that's going to depend on the software, and probably won't do much good for Sandstorm, since it needs a fair amount of access anyway
(I think it's technically possible to run it without root using user namespaces, but it needs a bunch of APIs that we deny grains access to for a reason... so I'd be squeamish about relying on it).