I keep reading about these Shai-Hulud npm supply chain attacks, so I built a containerized dev workflow that quarantines npm completely. Per-project images, isolated dependency volumes. Nothing touches the host!
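A way to check the "nothing touches the host" property described in the post above, as an added example that is not the poster's tooling: it lints a `docker run` argument list for bind mounts, the Docker socket, host namespaces and `--privileged`. The image and volume names (`npmq-demo`, `npmq-demo-modules`) and both sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's tooling: lint a `docker run` argument list
# for options that let the container reach the host.

# Prints one finding per line; prints nothing when the arguments confine the
# container to its image and to named or anonymous volumes.
# Handles "--flag value" and "--flag=value"; options after the image name are
# scanned too, so treat findings there as prompts to look, not verdicts.
host_exposure() {
    prev=
    for raw in "$@"; do
        arg=$raw
        # Rejoin two-word options so one set of patterns covers both forms.
        case $prev in
            -v|--volume|--mount|--network|--net|--pid|--ipc)
                arg="$prev=$raw" ;;
        esac
        prev=$raw
        case $arg in
            --privileged)
                echo "privileged: all capabilities and host devices" ;;
            --network=host|--net=host|--pid=host|--ipc=host)
                echo "host-namespace: $arg" ;;
            -v=*docker.sock*|--volume=*docker.sock*|--mount=*docker.sock*)
                echo "docker-socket: ${arg#*=}" ;;
            # SRC:DST with SRC starting "/" or "." is a host path; a bare
            # "/container/path" (no colon) is an anonymous volume.
            -v=/*:*|-v=.*:*|--volume=/*:*|--volume=.*:*|--mount=*type=bind*)
                echo "bind-mount: ${arg#*=}" ;;
        esac
    done
}

# Constructed sample 1: common dev setup, project directory bind-mounted.
echo "dev setup:"
host_exposure docker run --rm -v "$PWD:/app" -v /app/node_modules \
    node:20 npm install

# Constructed sample 2: per-project image plus a named node_modules volume
# (image and volume names are made up). Expect no findings.
echo "quarantined:"
host_exposure docker run --rm --cap-drop=ALL \
    --security-opt=no-new-privileges \
    -v npmq-demo-modules:/work/node_modules -w /work \
    npmq-demo npm install --ignore-scripts
```

A writable bind mount of the project is the finding that matters most for npm: an install script running in the container can then modify source files that the host later executes.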
Comments
naikrovek•28m ago
I really wish Plan9 got more attention when it came out.
All processes in Plan9 are given their own namespace. By mounting things to or unmounting things from the namespace, you grant or disable access to specific parts of the filesystem. And because everything is a file in Plan9, the filesystem is the filesystem, the audio device is part of the filesystem, the video device is part of the filesystem, network interfaces are exposed via the filesystem, etc.
Isolation by default.
In 1995.
Docker would never have been needed if operating systems adopted this feature. The kraken known as Kubernetes might never have been needed if Plan9's features were adopted.
It’s too late to change how things are, but it’s never too late to set things right.
We need an operating system which isolates child processes from their parent and from siblings, and from everything else unless access to specific things is granted at launch time.
We’ve built so much crap on top of our old operating systems that we view it as normal. We should not need docker or virtualization to have isolation. There is no technical need for those things, and they are each another layer on a stack that is maybe already too tall. They are points of failure and if operating systems were capable, we would not need them.
The source code and design of Plan9 can fit entirely inside one mind. It isn’t a huge behemoth. It takes single digit seconds to compile.
It could be the basis of something supreme.
If I were rich, among my other altruistic endeavors, I would be hiring folks to develop this OS into something a little more current and a little more fit for the environment we see in 2025 and beyond.
My point: one should not need docker to do what you have done. Default per-process isolation should be a core feature of the operating system.
neechoop•25m ago
plan9 was always ahead of its time
Yasuraka•10m ago
> The kraken known as Kubernetes might never have been needed if Plan9's features were adopted.
Which Plan9 features exactly give me a unified API layer to handle workload scheduling incl. fault tolerance, flat networking across a cluster or service discovery?
Containers are an implementation detail and not what Kubernetes is fundamentally about.
elmerfud•10m ago
I'm not sure, at the end of the day, it would have made that much difference. Those who are security and separation aware still are and plan9 would have been a much easier tool for those people.
Those people who are not, still would not be, and having that separation ability wouldn't help. You see this with apps and other things that have the ability to limit their access but you want the app and you just click through without reading what permissions it wants. So those who just want to use something without understanding the danger of it still fall prey to nefarious actors.