Posts: 3 | Comments: 178 | Joined: 2 yr. ago

  • Valid response, but why do you need to protect the OS from the browser when the browser (Brave) is already sandboxing and the browser is not an attack vector that can be directly exploited to gain access/root on your OS?

    What I mean is that the tabs themselves are sandboxed to protect accounts that are opened in each from being breached, the browser itself is obfuscating your fingerprint and blocking known bad actor sites etc., so this leaves only what you manually download, and here the browser will warn you if a given download has the potential to harm.

    So unless you are downloading files from very questionable locations I can't see the need for a containerised browser.

    Containers are good and yes have flaws, but the main purpose of them is to add another layer between the application and the OS, so if the application is exploited the attacker has to break another wall/layer to get to the real root.

    I know in April 2021 there was a PoC that used JavaScript to reverse the effect of a patch which allowed an attacker to break out of the chromium sandbox, but that was never used, and if it was the attacker would first need to breach a site to deploy the code that you would then execute by visiting the site, or it would be fed to you via a phishing attempt. Both of these delivery methods would need to be very stealthy and fast. Currently there are 4 known CVEs for brave: (sorry for long link)

    https://www.cvedetails.com/vulnerability-list.php?vendor_id=16266&product_id=36540&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=3&sha=74c1df28c6d85bd121726a90109559ec94ea3549

    None of these provide an attack vector that will allow access.

  • To check all the repos you're going to have to use something more than pacman, maybe a perl or python script that uses libalpm_databases to get the info you need; man libalpm_databases will help you get an idea of how to interact with it.

  • Man you've gone down a security wormhole that makes me wonder if you should really be running qubes-OS rather than Fedora 🤣.

    Seriously if you need more than the chromium sandbox for brave and want simplicity just use firejail.

    The article you linked to is a wonderfully detailed write-up, but it is more geared towards those using containers that will be providing services (web, sql, etc); if you just want a browser in a secure container then any of the implementations will be fine for you. The browser is not a vector used to gain access to your OS directly, but what you download potentially is, so with that in mind your downloads folder should really be a CLAMFS folder or a target folder for on-access scanning by clamav.

  • Yes, I could say come to arch but you seem happy in fedora 😉

  • I've not used GNOME for over a decade and have not used GNOME Web (Epiphany) for even longer lol. I'll stick with brave as it fits my needs.

  • I use arch-btw so I get brave from aur, on other Linux distros the way to get brave is via flatpak if the provided repos are borked for you.

  • I mentioned Brendan specifically because people like to lump in his flaws as reasons for not using brave in these discussions.

    Yes, I was referring to PWAs, SSBs, app windows, whatever you want to call them. Firefox used to have xulrunner and prism to provide them, but now Firefox doesn't provide a way other than a JavaScript popup via bookmarklet.

  • I've used brave since it came out. I use tampermonkey, edit this cookie and bitwarden extensions. Additionally I use pihole/unbound+roothints.

    I tend not to let Brendan's controversies affect my choice because if I did I'd have to avoid JavaScript.

    Brave provides me with a more secure chrome with extra bells and whistles. I'm a heavy user of app windows as I refuse to use electron-based apps due to them being pure chrome. When other browsers do this with the same protection as brave I'll consider moving.

  • The site you visit only sees the VPN's info. Which is how you maintain some anonymity while browsing.

    A VPN just changes your IP, all your browser info is still visible to the website.

  • My Sav (F7) asks to be let outside to our small back garden to eat some grass every morning. All I need to do is call her and she comes back in.

    We used to grow rye grass in a small flat planter but she stopped eating that and prefers the grass in the garden.

  • I get what you're trying to say but nobody in their right mind will NAT IPv6, you either allow it or disable it.

    Starlink are slowly rolling it out but you can use an IPv6 tunnel should you need it: https://starlinkhow.com/starlink-ipv6/

  • The reason why people think nix has a larger repo is because nix has only 1 repo for everything, where arch has 3 main and 4 testing and then the aur. If arch lumped everything into one repo it too could say it has 80k+ packages.

  • Have you checked the source git repo to see if that was updated?

    If the app you speak of is a -git type then the aur page will have an old date but the repo where the source is will be new and current.

    It could also be that the app you speak of is abandoned, try sending a msg to the maintainer.

  • Great quote there and totally right.

  • Absolute twat yet some lap up his words and fall to lick his boots.

  • I purchase from the cheapest and use he.net for my nameservers.