Results 175 comments of Kagami

There is also [Subgraph OS](https://subgraph.com/sgos/graph/index.en.html) and their [oz wrapper](https://github.com/subgraph/oz) which planned to implement exactly what I wanted with `kagome`.

Hi. Not so much lately. It's just a small experimental project where I tried a few ideas. I recommend you look at [firejail](https://github.com/netblue30/firejail), [subuser](https://github.com/subuser-security/subuser) or [x11-docker](https://github.com/mviereck/x11docker) for a more polished...

Yep, sure. I'm also not quite satisfied with most current solutions and want to investigate further once I have enough time for that.

I'm mostly interested in WebM-related stuff. Feel free to contribute ;)

Note that access to OpenGL can allow an attacker to break sandbox guarantees. E.g. it's possible to get the contents of host windows by fetching GPU textures AFAIK. Check notes on OpenGL...

A pretty simple fix is to just use a separate computer for that. Or a second GPU; GPU passthrough is quite popular now.

Don't know, I only have experience with Docker. From a security point of view, the important pieces are seccomp-bpf, SELinux/AppArmor profiles, user namespaces. Maybe also some modern techniques, haven't followed that topic...

Solution similar to the one proposed by @troglobit

```yaml
- name: Release nightly
  uses: softprops/action-gh-release@v1
  with:
    prerelease: true
    name: nightly
    tag_name: nightly
    files: file.txt
    fail_on_unmatched_files: true
```

And instruct your users to...

Solution similar to @eine's. See: https://github.com/actions/upload-artifact/issues/51#issuecomment-1893927846

:+1: would be nice to have.