[nix0n]

> I will continue to do these in a terminal and Python REPL for all the reasons you bring up.

Do you have a way to prevent terminal utilities from accessing the network?

[5e92cb50239222b]

  $ bwrap --unshare-net --dev-bind / / bash
  $ curl google.com
  curl: (6) Could not resolve host: google.com

Or you could use firejail, or do it manually with `unshare`, or with any of the container runtimes (docker, podman).

https://wiki.archlinux.org/title/Bubblewrap

https://wiki.archlinux.org/title/Firejail

[matusfaro]

Interesting options, wasn't aware of those.

The only minor counter-argument would be laziness as a security threat: the more difficult you make the process, the more likely the user will skip seemingly useless steps, thus compromising security.

[necovek]

I generally avoid non-trusted utilities altogether. I am most likely to load up data (for the use cases mentioned in the extension description) into a Python shell and deal with it using json, base64, pprint and similar modules.

Some things I can do with regular POSIX and GNU tools directly from the CLI, so I'd trust those too on my Debian/Ubuntu systems (where there is usually a guarantee you can get the source code for the binary you are running). It's definitely possible Debian/Ubuntu experience a supply chain attack too, but it's significantly less likely than a random library from github IMO.