Twey
commented
5 months ago Maybe we could sandbox all our tests? Rust code is no less capable than bash code of wreaking havoc :)
Open ma2bd opened 5 months ago
Twey
commented
5 months ago Maybe we could sandbox all our tests? Rust code is no less capable than bash code of wreaking havoc :)
Currently,
cargo test readmeextracts BASH scripts from readme files and run them without sandboxing. This is ok but also a bit scary. We may want to use some (light) sandboxing depending on the execution platform.https://github.com/containers/bubblewrap
https://www.karltarvas.com/macos-app-sandboxing-via-sandbox-exec.html https://github.com/ocaml/opam/blob/master/src/state/shellscripts/sandbox_exec.sh