HN Reader

I think they explain a compelling problem about typical commerical software vs FOSS, then they dive into their GPU accelerated VM solution. I don't see how it helps solve the original problem.

Is is that FOSS needs a standard sandbox and they think some kind of peer to peer app store that disturbes images for VMs is the way to do it?

Is clan some kind of p2p server config management framework based on Nix?

Flatpak is the only foss solution close to building compartmentalisation?

Last I checked, docker was FOSS? Containerisation is built in in Linux, does that not compartmentalise enough?

What am I missing here, the article seems wildly inaccurate, surely I've misunderstood something?

I'm not understanding the need for this? I cant believe i'm parroting corporate lobbyists, but this seems like a solution in search of a problem.

It sounds more like a way to take freedom away from people. Commercial systems are designed in such a way that offering that convenience is at the expense of control and ownership. Just because people trade freedoms for this level of ease, doesn't make it right.

for the private networking problem, openziti (apache 2.0) is now integrated with Nix:

https://github.com/NixOS/nixpkgs/pull/453502

Yet another reminder that Nix does not sign commits, does not sign reviews, allows any maintainer to merge their own code, does not compile all packages from source, and Hydra admins can absolutely tamper with builds at any time. It is a massive supply chain attack waiting to happen.

The Nix team is aware of all of this and made these tradeoffs intentionally to maximize package support and reduce contributor friction. Nix, for all its good design choices, landed on a supply chain integrity threat model that unfortunately makes it suitable only as hobby OS that must not be used to protect anything of value.

Guix at least signs commits, but individual maintainers are still trusted so it is not much better, so there really is no production safe nix based package tree I am aware of.

Nothing should advertise itself as secure while being based on nix.

Just because something is popular, does not make it safe.