by ansible 1678 days ago
I like all these ideas.

> Long-term, maybe some kind of sandbox for dependencies could make sense. Lots of dependencies don't need disk or network access.

Just like with Android permissions, we could audit the crate sources to list out what functions it uses (out of the standard library or wherever) and provide an indication of what this particular crate is capable of.

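A minimal sketch of that "Android permissions for crates" idea, added here as an example and not code from the thread or from any real tool: a heuristic scanner that maps `std` paths and `unsafe`/FFI usage in a crate's source to coarse capabilities. The sample crate source, the capability categories and the match patterns are all constructed assumptions; the scanner is line-based and deliberately ignores macros, trait objects and transitive dependencies, which is the gap the later replies point at.

```python
import re

# Constructed sample of a crate's source (not a real crate), chosen to exercise every category.
SAMPLE_SRC = """
use std::fs::File;
use std::io::Read;
use std::net::TcpStream;

pub fn load(path: &str) -> std::io::Result<String> {
    let mut s = String::new();
    File::open(path)?.read_to_string(&mut s)?;
    Ok(s)
}

pub fn phone_home(host: &str) -> std::io::Result<()> {
    let _c = TcpStream::connect(host)?;
    Ok(())
}

extern "C" { fn getpid() -> i32; }

pub fn pid() -> i32 { unsafe { getpid() } }
"""

# Assumed heuristic map: std paths / keywords -> the capability they imply.
# "unsafe/ffi" is the important one: once raw memory or C code is reachable, the
# other categories can no longer be trusted, which is the point the replies make.
CAPABILITY_PATTERNS = {
    "filesystem": r"\bstd::fs\b|\bfs::",
    "network": r"\bstd::net\b|\bnet::",
    "process": r"\bstd::process\b|\bCommand::new\b",
    "env": r"\bstd::env\b",
    "unsafe/ffi": r"\bunsafe\b|\bextern\s+\"C\"",
}

def strip_comments(src):
    """Blank out // and /* */ comments so mentions in comments are not counted.
    Block comments are replaced by the same number of newlines to keep line numbers stable."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def audit_capabilities(src):
    """Return {capability: [line numbers]} for every category the source touches."""
    found = {}
    for lineno, line in enumerate(strip_comments(src).splitlines(), start=1):
        for cap, pat in CAPABILITY_PATTERNS.items():
            if re.search(pat, line):
                found.setdefault(cap, []).append(lineno)
    return found

if __name__ == "__main__":
    for cap, lines in sorted(audit_capabilities(SAMPLE_SRC).items()):
        print(f"{cap:12} lines {lines}")
```

For real crates, cargo-geiger already does the `unsafe` counting part across the dependency tree; a capability report like this one is only a review aid, not an enforcement boundary.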

For what it's worth, this Principle Of Least Authority / object-capability model is being attempted in the JavaScript ecosystem with SES (Secure ECMAScript).

https://agoric.com/blog/technology/ses-securing-javascript/

https://medium.com/agoric/pola-would-have-prevented-the-even...

This is a strategy, but it typically falls apart against clever attackers who are targeting you specifically. Hackers have been performing return-to-libc attacks forever where they don't actually get to write any code at all, just sequence code that already exists in your binary.

Java also tried this in a slightly more rigorous manner with the SecurityManager and that just ended up being a botch.

Yeah, that's why I said it really depends on the host language to make such sandboxing feasible. If you're using a language that lets code write arbitrary data to arbitrary memory locations, implementing a secure sandbox is going to be pretty tricky.