So activityPub uses push architecture to push to other servers / instances, but it doesn't push to users does it? I would imagine from instance to user, it is still pull based.
So effectively it's a load distributor thing, I suppose, right?
Bubblewrap seemed much less user friendly than nsjail, I assume because it is intended to be a lower level application used by libraries like flatpak. It is also more tailored to desktop applications and GUIs, whereas nsjail is focused on server apps (though I did see the author mentioning adding better support for GUIs years ago, but I did not check if that happened).
I'm not an expert, but I'll try my best to compare it to docker:
You can think of nsjail as a lightweight frontend for kernel isolation features like namespaces, syscall filtering, and the like.
Docker is also a frontend for some of those kernel features, but its original goal was not security isolation, but rather isolation for the sake of reproducibility. This isn't to say that docker isn't secure; they did add those features eventually, but they are less intuitive to change and mess with, and you have some added complexities. Whereas nsjail stays as close to the system as possible. As far as I'm aware, there's no concept of an image, and it's not necessary for every app to have an entire OS userland with it (although you can if you want to).
If your goal is security, docker's defaults are reasonably good, but also made to not get in the way of most applications. This might be good enough for many. However, docker's security is more difficult to customize and less straightforward if you need to change it.
If your goal is security, and more so than docker's defaults, nsjail gets you there muchhh more easily. Whether nsjail has more security features than docker, I don't know.
It does require some effort to manage, but I would argue it's easier to keep all packages (including dependencies) up-to-date across the system, which is a huge security benefit imo.
Once you set up the permission system, you never need to change it unless you're changing something.
A fellow gentoo user in the wild! Do you have any thoughts on using containers with gentoo? The idea of forgoing all the awesome features of portage by using containers pains me.
What exactly does SELinux provide over users / groups?
I really wish there was a system wide package manager for docker containers, which would update software in all your containers at once similar to how a typical package manager would.
I did not completely rule out docker, but I wonder if I can obtain most of its benefits without this major con with package management. I mean, I know it's possible, since it's mostly kernel features, but it would be difficult to simulate and the tooling is probably lacking (maybe nsjail can get me closer).
I've looked into this a lot actually. There are many options. I'll highlight the pros and cons of each option.
Lua: extremely lightweight, but standard library is lacking, and doesn't include stuff like map or fold. But that would be easy to fix.
Python: thicc standard library, but is not lightweight by any means. There are modifications made to be more shell-like, such as xonsh.
Rash: based on scheme, very much functional, but if you're not used to lisp style, it might take a bit to get used to. This is actually my favorite option. It has a cli interpreter and is really pleasant to use. The con is... well, it's not very common.
You can honestly use any language. Even most compiled languages have a way to run immediately.