Hacker News new | ask | show | jobs
by monocasa 1030 days ago
> Sandboxing doesn't completely prevent supply-chain attacks.

Correct, it's more a defense in depth technique, not a complete defense.

> On all developer machines as well? No. Very few big orgs do this and only for mission-critical stuff.

All builds at Google for instance use the model I laid out including 'developer builds'.
1 comments
mmastrac 1030 days ago
Oh wow. I'd be very interested in hearing how they sandbox rust-analyzer. I found a discussion of supporting the analyzer itself by generating config files [1][2], but not how you can sandbox it.

That would be extremely useful as the analyzer is a pretty juicy target and also runs proc-macros/build.rs scripts.

[1] https://github.com/bazelbuild/rules_rust/pull/384

[2] https://bazelbuild.github.io/rules_rust/rust_analyzer.html

link
mike-cardwell 1029 days ago
Sandboxing rust-analyzer is fairly easy. Here's how I did it:

https://www.grepular.com/Sandbox_Rust_Development_with_Rust_...

Well, that's a bit out of date now as I use podman, to get around the sudo issues. But that's the basic idea.

link