by necovek 1018 days ago
While I applaud your effort and thinking of privacy issues, I will continue to do these in a terminal and Python REPL for all the reasons you bring up.

It would certainly be nice to get something à la F-Droid for free software extensions like yours (which guarantees source code matches built package IIRC), as a response to your question 3.

I am sure one can create an alternative extensions store in FF and change some config in about:config to use it, though it's likely non-trivial.

2 comments

Agreed, and to be honest, this extension is more for myself, as I would be extremely skeptical if someone else made it, especially with the permissions it requires.

It would probably be more successful as a feature added to an existing trusted extension such as Temporary Containers.

> I will continue to do these in a terminal and Python REPL for all the reasons you bring up.

Do you have a way to prevent terminal utilities from accessing the network?

  $ bwrap --unshare-net --dev-bind / / bash
  $ curl google.com
  curl: (6) Could not resolve host: google.com

Or you could use firejail, or do it manually with `unshare`, or with any of the container runtimes (docker, podman).

https://wiki.archlinux.org/title/Bubblewrap

https://wiki.archlinux.org/title/Firejail

Interesting options, wasn't aware of those.

The only minor counter-argument would be laziness as a security threat: the more difficult you make the process, the more likely the user will skip seemingly useless steps, thus compromising security.

I generally avoid non-trusted utilities altogether. I am most likely to load up data (for the use cases mentioned in the extension description) into a Python shell and deal with it using json, base64, pprint and similar modules.

Some things I can do with regular POSIX and GNU tools directly from the CLI, so I'd trust those too on my Debian/Ubuntu systems (where there is usually a guarantee you can get the source code for the binary you are running). It's definitely possible Debian/Ubuntu experience a supply chain attack too, but it's significantly less likely than a random library from GitHub IMO.