Why not just use nix? It also can be sandboxed using bwrap.
In my opinion focus should be on GUI for nix, brew.
This is interesting, but I wouldn't consider this to be at all comparable to Flatpak. From what I can see the only purpose of using bubblewrap here is the dependency isolation (without having to recompile the world ala Nix), which does have some value but it feels misleading to even call it a sandbox.
It mounts /home and /run into the ~~sandbox~~ chroot, which means that "sandboxed" applications can do things like reading your SSH keys, dumping your keyring or escaping the sandbox via write to .bashrc (so most of the attacks you'd want to prevent). This is presumably done because without /home access you wouldn't be able to write to the filesystem and without /run access you can't even display a graphical window, which would make the packages quite useless.
XDG Desktop Portal solves this by allowing filtered dbus access controlled by package metadata (/.flatpak-info), and then having sandboxed applications use portals to access files, secrets and other resources. The metadata is a major flaw in Flatpaks design (note that a lot of the most popular Flatpaks want full $HOME access), but it's also what allows Flatpak to be useful. In this project, there's no metadata since the packages just come from Alpine repositories.
Correct, that’s what I meant by calling it a lightweight sandbox that’s mainly used to isolate dependencies.
Though the cool thing about cold brew is that it’s simply a shell script. Not even a crazy long one at that. It would not be difficult to modify the bubblewrap flags to increase security.
Though filesystem isolation is not its goal, it’s meant to emulate that homebrew use which is unsandboxed.
So in other words, it fixes all of the shit that makes Flatpak broken and useless?
In the sense that allowing a malicious application to steal your SSH keys is "fixing", yes.
Rather, removes all the security elements, forcing you to risk your system because you never learned permissions.
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0