janvhs, 25 days ago

@dottorblaster actually reworking it / writing a cli to use bubblewrap and on mac sandbox-exec, so you can use your native host :D

dottorblaster, 25 days ago

@janvhs only grrr reactions at mac os

janl, 25 days ago

@dottorblaster @janvhs macOS can do this natively, no containers required. https://github.com/berstend/node-safe (apologies for linking to a thing with a maga slogan)

janvhs, 25 days ago

@janl @dottorblaster yeah that’s using “sandbox-exec”. Basically the same thing as bubblewrap just using scheme as config lol

janl, 25 days ago

@janvhs @dottorblaster yeah I laughed out hard when I saw the config. Somebody at Apple must be reeeeeally proud of themselves. And I applaud them for getting this shipped ;D

My unsubstantiated theory is that they have some sort of static theory prover for this, so they can prove their rules are safe.

janvhs, 25 days ago

@janl @dottorblaster yeah haha I just love seeing S-expressions in random places. That’s a really good theory, especially because it feeds into my theory, why you can’t statically link executables on mac.

janl, 25 days ago

@janvhs @dottorblaster that’s something else tho. You can totally statically link, just not against system libs.

janvhs, 25 days ago

@janl @dottorblaster nope, there is no crt0.a, so everything has to link against libSystem or what it’s called. @engler and I learned that the hard way haha

(sure you can link libraries statically but not a completely static executable)

janl, 25 days ago

@janvhs @dottorblaster @engler ah, that’s what you mean. Yup yup yup.