this post was submitted on 20 Apr 2026
59 points (98.4% liked)

Coldbrew package manager (gitlab.postmarketos.org)
submitted 1 day ago* (last edited 1 day ago) by nobody_1677@lemmy.world to c/linux@lemmy.ml
 

Coldbrew is a "brew" style package manager for Linux distributions that offers the full power of the Alpine Linux aports repository with no root access required

Coldbrew is a bit of a mix of flatpak and homebrew. It uses a very lightweight sandbox (bubblewrap) mainly as a means of isolating dependencies. It aims to serve a similar goal as homebrew, but without the PATH issues homebrew brings (see: https://invent.kde.org/kde-linux/kde-linux/-/merge_requests/408)

Example Usage:

coldbrew install neovim # install the package
coldbrew run nvim       # run nvim
coldbrew wrap nvim      # create a wrapper to type less
nvim                    # run nvim
[–] Oinks@lemmy.blahaj.zone 6 points 1 day ago* (last edited 1 day ago) (2 children)

This is interesting, but I wouldn't consider this to be at all comparable to Flatpak. From what I can see the only purpose of using bubblewrap here is the dependency isolation (without having to recompile the world à la Nix), which does have some value but it feels misleading to even call it a sandbox.

It mounts /home and /run into the ~~sandbox~~ chroot, which means that "sandboxed" applications can do things like reading your SSH keys, dumping your keyring or escaping the sandbox via a write to .bashrc (so most of the attacks you'd want to prevent). This is presumably done because without /home access you wouldn't be able to write to the filesystem and without /run access you can't even display a graphical window, which would make the packages quite useless.

XDG Desktop Portal solves this by allowing filtered dbus access controlled by package metadata (/.flatpak-info), and then having sandboxed applications use portals to access files, secrets and other resources. The metadata is a major flaw in Flatpak's design (note that a lot of the most popular Flatpaks want full $HOME access), but it's also what allows Flatpak to be useful. In this project, there's no metadata since the packages just come from Alpine repositories.

[–] nobody_1677@lemmy.world 4 points 1 day ago

Correct, that’s what I meant by calling it a lightweight sandbox that’s mainly used to isolate dependencies.

Though the cool thing about Coldbrew is that it’s simply a shell script. Not even a crazy long one at that. It would not be difficult to modify the bubblewrap flags to increase security.

Though filesystem isolation is not its goal, it’s meant to emulate that homebrew use which is unsandboxed.

[–] excel@lemming.megumin.org 0 points 1 day ago (2 children)

So in other words, it fixes all of the shit that makes Flatpak broken and useless?

[–] Allero@lemmy.today 2 points 1 hour ago

Rather, removes all the security elements, forcing you to risk your system because you never learned permissions.

[–] Oinks@lemmy.blahaj.zone 3 points 23 hours ago

In the sense that allowing a malicious application to steal your SSH keys is "fixing", yes.
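
An added example, not part of the thread and not Coldbrew's own script: a small shell check that scans a bubblewrap argument list for bind mounts exposing the host paths named in the comments above (/home and /run; treating / the same way is an assumption). The function names and the sample argument list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Coldbrew's code): flag bwrap bind mounts that expose
# sensitive host paths. The sample argument list at the bottom is constructed.

# is_sensitive PATH: succeeds for /, /home, /run and anything below the latter two.
is_sensitive() {
    case "$1" in
        /|/home|/home/*|/run|/run/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_bwrap_args ARGS...: prints "rw SRC" or "ro SRC" for each exposed host
# path; returns 1 if at least one exposure is writable, otherwise 0.
audit_bwrap_args() {
    writable=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --bind|--bind-try|--dev-bind|--dev-bind-try) mode=rw ;;
            --ro-bind|--ro-bind-try) mode=ro ;;
            *) shift; continue ;;       # not a bind option, skip one word
        esac
        [ "$#" -ge 3 ] || break          # malformed: option without SRC DEST
        if is_sensitive "$2"; then
            echo "$mode $2"
            if [ "$mode" = rw ]; then writable=1; fi
        fi
        shift 3                          # consume option, SRC and DEST
    done
    return "$writable"
}

# Constructed invocation resembling the layout described in the thread:
# read-only system directories plus writable /home and /run.
audit_bwrap_args --ro-bind /usr /usr --bind /home /home --bind /run /run \
    || echo "writable exposure of sensitive host paths found"
```

A read-only finding still means the program can read files under that path, such as SSH keys; only the write to .bashrc is prevented. The check does not model later --tmpfs or --ro-bind options that mask part of an exposed tree.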