Alex Pyrgiotis

Yeah, it's a shame that the PEP-517 process is the one that's biting us now. Granted, it's the newest one introduced, and we can hack our way around it with...

> Even “worse”! The way files are packaged into wheels is not standardized in general! > > You just didn’t notice so far, since “find a file matching the path...

# Suggestions We'll take each requirement we mentioned and try to suggest a protective measure that can aid in it: ## 1. The attacker must not gain control of a...

# Further reading * Center for Internet Security (CIS) [[3rd-party link](https://edu.anarcho-copy.org/GNU%20Linux%20-%20Unix-Like/Docker/CIS_Docker_Benchmark_v1.3.1_PDF.pdf)]: Has a pretty nice write-up on how to harden the containers, from the image creation to the runtime. There...

My take on shred-resistant filesystems and devices, in the context of Docker Desktop is this: 1. On Linux, we can rest assured that tmpfs mounts will work, so the discussion...

That's because we currently don't use any of the `--tmpfs` / `--mount type=tmpfs` options. My understanding is that once we pass one of these flags, it will work. Might be...

Oh. I hadn't realized that gVisor [emulates](https://pkg.go.dev/gvisor.dev/gvisor/pkg/sentry/fsimpl) various filesystem types. That's _really_ awesome. As for the `mlock()` solution, it does seem the most sensible one. However, I just realized that...

Just wanted to point out, all the above gives us a lot of food for thought, once we decide to tackle this issue. One question that immediately spawned from the...

Thanks a lot for the explanation Etienne. I think we have a reasonable path forward here, once we decide to implement this feature :slightly_smiling_face:

Thanks for the amendments Ro. From what I understand, you're introducing one more dimension in this problem, whether the qube can trust the capabilities that another qube presents. Truth is,...