rusty-snake

xdg-dbus-proxy does not run in a sandbox (I has access to a "execute this shell command please" socket after all). It does however run in a bubblewrap-container. While x-d-p reads...

So to summarize a few thoughts: - disabling user-ns by default is good because of increased attack surface to the kernel - allowing user-ns for some program can be of...

> Firefox cited performance issues if they switch to flatpak-spawn, they need to tweak something first. To expand on this, currently Firefox just forks (`clone(CLONE_...)`) which gives them CoW for...

Moving portals to a better approach than `/.flatpak-info` is much appreciated, good and great work. Nevermind it does not help us here. First, portals do not use `/.flatpak-info` of the...

> Where is this? Portals have to read .flatpak-info or WebKit will break, but we can probably change WebKit to use any newer mechanism. https://github.com/flatpak/flatpak/pull/5656

> Can you create PID namespaces without root privileges in the current user namespace? root privileges are never required to unshare a namespace. Instead you need `CAP_SYS_ADMIN` in your current...

> User namespaces allows Chromium to configure the other types of namespaces without [] `CAP_SYS_ADMIN`. User namespaces are exactly the mechanism Chromium uses to gain `CAP_SYS_ADMIN`. Technically it would be...

I would vote for 3. Would it be better and possible to have the zig zag line between the hand and the button?

Some have just the default message, but others show additional information why it is an expert quest. I find this very useful.

Your usecase it to enable all SCEE quests?