by M1m1c 1236 days ago
I relate to this. As someone currently in high school, messing around with web proxies and code deployment sites, and web-based IDEs trying to run Dwarf Fortress in my school browser has taught me more about computers and networks than just about anything else. It is painfully easy to get around school filters these days. I've never really messed with unenrollment because you do need enrollment to access the testing websites, but I've been trying to get into Developer Mode to get Linux apps, but the IT guys must have thought ahead on that one.

Chromebooks don't even have a Terminal for the kids. Vim's great, but VScode with Jupyter Notebook support would make the computers we bought for them into great offline calculators, too.

VSCode on a Chromebook requires VMs and Containers which require "Developer Tools" and "Powerwash"; or the APK repack of VSCodium that you can't even sideload and manually update sometimes (because it's not on the 15-30% cut, and must use their payment solution, app store with static analysis and code signing at upload).

AFAIU, Chromebooks with Family Link and Chromebooks for Education do not have a Terminal, bash, git, VMs (KVM), Containers (Docker/Podman/LXC/LXD/gvisor), third-party repos with regular security updates, or even Python; which isn't really Linux (and Windows, Mac, and Linux do already at present support such STEM for Education use cases).

From https://news.ycombinator.com/item?id=30168491 :

> Is WebVM a potential solution to "JupyterLite doesn't have a bash/zsh shell"? The current pyodide CPython Jupyter kernel takes like ~25s to start at present, and can load Python packages precompiled to WASM or unmodified Python packages with micropip: https://pyodide.org/en/latest/usage/loading-packages.html#lo...

There's also MambaLite, which is part of the emscripten-forge project; along with BinderLite. https://github.com/emscripten-forge/recipes (Edit: Micropip or Mambalite or picomamba or Zig. : "A 116kb WASM of Blink that lets you run x86_64 Linux binaries in the browser" https://news.ycombinator.com/item?id=34376094 )

It looks like there are now tests for VScode in the default Power washable 'penguin' Debian VM that you get with Chromebook Developer Tools; but still the kids are denied VMs and Containers or local accounts (with kid-safe DoH/DoT at least) and so they can't run VScode locally on the Chromebooks that we bought for them.

Why do I need "Developer Tools" access to run VScode and containers on a Chromebook; but not on a Windows, Mac or Linux computer? If containers are good enough for our workloads hosted in the cloud, they should be good enough for local coding and calculating in e.g. Python. https://github.com/quobit/awesome-python-in-education#jupyte...

Good point. Wasn't aware of the Family Link restrictions. Will see what can be done here.

Disclaimer: I work on ChromeOS.

VSCode + containers + the powerwash feature would enable kids to STEM.

Are flatpaks out of the question? Used to be "Gnome and Chrome" on ~Gentoo.

Shouldn't the ChromiumOS host be running SELinux, if the ARC support requires extended filesystem attributes for `ls -alZ` and `ps -aufxZ` to work?

Chromium and Chrome appear to be running unconfined? AppArmor for Firefox worked years ago?

https://www.google.com/search?q=chromium+selinux ; chrome_selinux ?

It seems foolish to have SELinux in a guest VM but not the host.

Task: "Reprovision" the default VMs and Containers after "Powerwash" `rm -rf`s everything

`adb shell pm list packages` and `adb install` a list of APKs and CRXs.

Here's chromebook_ansible: https://github.com/seangreathouse/chromebook-ansible/blob/ma...

Systemd-homed is portable. Still, "Reprovision" the broken userspace for the user.

Local k8s like microshift that does container-selinux like RH / Fedora, with Gnome and Waydroid would be cool to have for the kids.

Podman-desktop (~Docker Desktop) does k8s now.

K8s defaults to blocking containers that run as root now, and there's no mounting the --privileged docker socket w/ k8s either. Gitea + DroneCI/ACT/ci_runner w/ rootless containers. Gvisor is considered good enough for shared server workloads.

Repo2docker + caching is probably close to "kid proof" or "reproducible".

VScode has "devcontainer.json". Scipy stacks ( https://jupyter-docker-stacks.readthedocs.io/en/latest/using... ) and Kaggle/docker-python (Google) take how many GB to run locally for users < 13 who we don't afford cloud shells with SSH (Colab with SSH, JupyterHub (TLJH w/ k8s)) for either.

Task: Learn automated testing, bash, git, and python (for Q12 K12CS STEM)

> It seems foolish to have SELinux in a guest VM but not the host.

- [ ] task manager: optionally show SELinux contexts like `ls -alZ`

>> Is WebVM a potential solution to "JupyterLite doesn't have a bash/zsh shell"?

"ENH: Terminal and Shell: BusyBox, bash/zsh, git; WebVM," https://github.com/jupyterlite/jupyterlite/issues/949

I actually use a Web Assembly port of VIM on my school computer.

Nice. TIL about vim.wasm: https://github.com/rhysd/vim.wasm

Jupyter Notebook and Jupyter Lab have a web terminal that's good enough to do SSH and Vim. Mosh Mobile Shell is more resilient to internet connection failure.

Again though, running everything in application-sandboxed WASM all as the current user is a security regression from the workload isolation features built into VMs and Containers (which Windows, Mac, and Linux computers support in the interests of STEM education and portable component reuse).