
Can I also get the security/isolation benefits that a duly configured docker/podman can provide (container can only act on the mounted volume, non-root user, other seccomp settings)?

I feel better doing my "npm install"s in such an environment (of course it's still not a VM – but that's another topic).

When I read about nix, reproducibility is a goal, but security/isolation is a non-goal.
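As an added example (not from the thread or from either project linked below), here is the kind of locked-down podman/docker invocation the question describes, written as a POSIX shell script: a throwaway container that runs as the invoking user, has a read-only root filesystem, every capability dropped, no privilege escalation, resource caps, and only the project directory mounted from the host. The image name, the resource limits and the NPM_SANDBOX_* variable names are assumptions; the runtime flags themselves are standard podman/docker options.

```shell
#!/bin/sh
# Added example (not from the thread): run `npm install` inside a locked-down
# podman/docker container so that a malicious install script can only touch
# the mounted project directory. Image name, limits and the NPM_SANDBOX_*
# variable names are assumptions; the flags are standard podman/docker options.
set -eu

# Base image is an assumption; pin a digest in real use.
NPM_SANDBOX_IMAGE="${NPM_SANDBOX_IMAGE:-docker.io/library/node:20-alpine}"

# run_npm_install PROJECT_DIR [podman|docker]
#
# Holds the container command line in the positional parameters (the portable
# way to carry an argument list with spaces), then either executes it or, when
# NPM_SANDBOX_DRY_RUN is set, prints it one argument per line.
#
#   --user uid:gid                 run as the invoking user, never root
#   --read-only                    image filesystem is immutable
#   --tmpfs /tmp                   the only scratch space besides the project
#   --env HOME/npm_config_cache    npm needs a writable home and cache
#   --cap-drop=ALL                 no Linux capabilities at all
#   --security-opt=no-new-privileges   setuid binaries cannot raise privileges
#   --pids-limit / --memory        cap fork bombs and runaway builds
#   --volume PROJECT:/work:Z       the only host path visible (:Z relabels for SELinux)
# The runtime's default seccomp profile stays in effect; nothing here relaxes it.
run_npm_install() {
    project_dir="$1"
    runtime="${2:-podman}"
    uid="$(id -u)"
    gid="$(id -g)"
    set -- "$runtime" run --rm \
        --user "$uid:$gid" \
        --read-only \
        --tmpfs /tmp:rw,nosuid,nodev,size=512m \
        --env HOME=/tmp --env npm_config_cache=/tmp/npm-cache \
        --cap-drop=ALL --security-opt=no-new-privileges \
        --pids-limit=256 --memory=2g \
        --volume "$project_dir:/work:Z" --workdir /work \
        "$NPM_SANDBOX_IMAGE" \
        npm install --no-audit --no-fund
    if [ -n "${NPM_SANDBOX_DRY_RUN:-}" ]; then
        printf '%s\n' "$@"
        return 0
    fi
    "$@"
}

# Script entry point: ./npm-sandbox.sh /path/to/project [podman|docker]
# (no arguments: only define the function, e.g. when sourced).
if [ "$#" -gt 0 ]; then
    run_npm_install "$@"
fi
```

Run it with `NPM_SANDBOX_DRY_RUN=1 ./npm-sandbox.sh "$PWD" docker` first to inspect the exact command line. The install still needs the network to reach the registry, so a postinstall script can exfiltrate whatever is in the project directory; if you have a populated `node_modules` cache or lockfile you can add `--network=none` and switch the final command to `npm ci --offline`, and `--ignore-scripts` removes the install-script attack surface entirely at the cost of packages that rely on it. The kernel is still shared, so this is the container-level isolation the question asks about, not a VM boundary.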



> When I read about nix, reproducibility is a goal, but [...] isolation is a non-goal.

Generally, yes.

But you can use or put together something like this to run Nix inside a devcontainer instead of locally: https://github.com/xtruder/nix-devcontainer

So you can use them in conjunction (or alternation, if for some projects you're okay running without a container) without having to specify your development environments twice.

> I feel better doing my "npm install"s in such an environment (of course it's still not a VM – but that's another topic).

There are basically two kinds of integration you can do for a project with Nix, which I'll call deep and shallow. In shallow integration, you just have Nix provide the toolchain and then you build the project (manually, with a script, with a Makefile, whatever). This is pretty common and pretty easy, and gives you no protection from malicious NPM build scripts.

For deep integration, you can actually have Nix build your whole project. This has some downsides, like that it can't really handle incremental builds. It also imposes restrictions, like no network access by anything but Nix at build time, all packages are built by special build users with no homedirs and no perms to access anything, etc. When you do that kind of build/install, you do get some protection from crypto miners lurking in the NPM registry or PyPI or whatever.


You can generate fully reproducible OCI/docker containers with devenv, so yes, I think.

https://devenv.sh/containers/



