Exactly, the same usage for cpu and astonishingly also for memory. It's no virtual machine but a contained program that doesn't access your host system. Even X11 forward is secure with Xpra X11 bridge.
Okay, but ... what is being gained here?
The ability to package programs so they run on a computer without you worrying about it?
That is an ability we had since the 1960s, that people gave up for "reasons" that are questionable at best.
Someday people will realize they don't have to make their computers orders of magnitude slower just in order to get back capabilities that used to come automatically.
The problem at hand is actually a pet peeve of mine and I really don't get why it's still the default to grant programs access to all our personal data. There is a lot wrong with mobile OSs, but in this regard they are actually ahead of the curve.
I run into this daily with programs packaged as flatpaks. Almost all of them can access the entire home directory. This can be changed with the flatpak-override command or the graphical software Flatseal.
> The problem at hand is actually a pet peeve of mine and I really don't get why it's still the default to grant programs access to all our personal data.
That's because our data has become a commodity relatively recently, and desktop technology still hasn't fully caught up yet. Regardless, it seems in general it's companies that run web services that are a bigger problem than desktop applications.
Either way, I'm glad projects like these exist, including snapd, flatpak, and this. The likes of flatpak and snapd may not be perfect, but it's progress.
I've heard here on HN that the problem with Snap is that it doesn't enforce restrictions, and that most used programs on snap ask for all permissions, including access to all of your files.
Flatpak and snapd seem to have some similar goals but aren't mentioned in the related projects section?
I would have thought it would now be more performant to do something like this using Wayland and, if the app uses X11, multiple isolated xwayland instances somehow. That way you might be able to get GPU acceleration, which I don’t think is possible through xpra?
Windows based containers do exist. Docker for Windows can run both Linux (a VM) and Windows applications. If I'm not mistaken, both are implemented via HyperV.
This seems really interesting. A somewhat related project is x11docker[0] which attempts to make it easier to run gui applications through docker.
It works pretty well with docker, though I've not used it since I switched to podman as there wasn't any support for it at the time. I've not tried recently.
It does seem this project is at a dead end based on the recent development activity in recent months.
More or less, though LXC (and LXD using the LXC backend) are focused on system containers rather than single services. Basically lightweight VMs with a full init and the usual set of set of system daemons.
Their "subuser standard" has the following license [1]:
> Creative Commons Zero, public domain
> With the following exception:
> Only standards documents identical to those released by Timothy V Hobbs(timthelion) or another person or party whom he nominates may be presented as defining “the subuser standard”. In other words: you cannot edit this document and then claim that your new standard is the official one.
That's legally incoherent. You cannot have public domain with an exception. Either something is in the public domain (no copyright) or it is not (copyrighted). If it is copyrighted, then you can license it under "X with the following exception". Most commonly, those exceptions grant extra rights compared to the base license (e.g. Classpath exception), occasionally they aim to take away rights compared to the base license (e.g. the notorious "Commons Clause"). But you can only have an exception to a copyright license if there is a copyright to be licensed, and putting something in the public domain means there isn't.
CC0 is a bit of a hybrid in that it contains both a public domain dedication for those jurisdictions which recognise that, and a permissive fallback copyright license for those jurisdictions that don't (e.g. Germany). The author claiming to make an exception to CC0, it makes sense for the later but not for the former. Does this mean the exception is only legally binding in the jurisdictions in which the fallback license applies? Or does the attempt to impose an exception nullify the public domain dedication? I don't know, IANAL. (But I imagine many lawyers won't know the answer either.)
Now, what the author aims to do here could be achieved by trademark law – claiming (or registering) "subuser standard" as a trademark, and then saying that even though the copyright of the standard is relinquished to the public domain, the trademark is only licensed under certain conditions. But while that would legally make sense, it isn't what the author has actually done.
I really like the premise, and already use containers as ingredient in my isolation techniques, however, subuser development didn't seem particularly active, is it just because it's considered in a feature complete state?
All these containerization "solutions" are just the fever symptoms of the future shock from the extremely rapid rate of features and improvement in the underlying libraries (glibc, c++?, etc) used by programmers, and the programmer's tendency to use those fancy new features asap. It makes compiling, or even running, something written today on the dev environment of a 5 year old linux distro pretty darn difficult and worse with time.
They are a terrible idea for the desktop or academia. They're fine for server environments.
