proposal: sandboxed builds

[git-bruh]

Add an optional mechanism for sandboxed builds which only makes available the listed dependencies in the depends file

Advantages

• Accurate depends file - no missing make depends
• Possibility to restrict network access
• Packages can't modify filesystem due to misbehaving build scripts
• Fixes annoying issues like https://github.com/kiss-community/community/issues/1269

Disadvantages

• Breaks the current fragile / hacky system of optionally enabled deps like libglvnd for mesa used by a few packages (Obsoleted by #88)
• Only portable to as many platforms as the implementation will be written for

Caveats

* SUID binary vs user namespaces vs landlock vs whatever proot does vs ...

• Identification of the providers of core packages like the toolchain, libc and coreutils

Landlock POC - https://codeberg.org/kiss-community/kiss-ng/src/branch/sandbox/src/sandbox.c

[sdsddsd1]

Where do the packages inside the sandbox come from, do the dependencies have to be built each time from scratch?

[git-bruh]

Where do the packages inside the sandbox come from, do the dependencies have to be built each time from scratch?

It's just going to bind mount all required files (or restricting access to them in case of landlock) from the host -- not rebuild anything.

Not sure of the performance implications of constructing such a sandboxed rootfs with thousands of bind mounts (can't mount directories as they'll pull in extra libs) but that's what I've come up with till now

[git-bruh]

https://codeberg.org/kiss-community/repo/issues/108