What turns me off is software that insists on running with unreasonable privileges. Rootless podman containers are the way to go – you can decide the privileges of the user account running the container, and the container image is inspectable (and tweakable if you find something you don’t like). And for the devs, maintaining (just) a container image is way less overhead than managing distribution-specific packages for 5 different package managers and dozens of distributions.
Funny part is I’m responsible for some software which needs just a little privilege.
The direct install option runs as a broadly unprivileged user, thanks to a systemd service that imparts one surgical ambient capability to the process.
A team that wraps it in a container, however, demands it be run privileged, because they say the container runtimes don’t support the same granularity, so the container users end up with unreasonable privileges while the direct install users are almost completely running unprivileged.
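To make the two deployment shapes in this thread concrete, here is an added example (not the commenter’s own unit file or image, and not from any project named here) of the direct-install form, a systemd unit that hands one ambient capability to an unprivileged user, next to the rootless podman equivalent that grants the same single capability instead of `--privileged`. The binary path `/usr/local/bin/myservice`, the `myservice` user, the image name and the choice of `CAP_NET_BIND_SERVICE` as the one needed capability are all placeholders; the small `unit_grants_only` helper is a constructed audit check that confirms a unit grants nothing beyond the expected set.

```shell
#!/bin/sh
# Added example: least-privilege deployment shapes side by side.
# Everything named below (binary, user, image, capability) is a placeholder.
set -eu

# Direct install: the process runs as an ordinary user and systemd raises
# exactly one capability into its ambient set at exec time. The bounding set
# and NoNewPrivileges keep the process from ever acquiring anything else.
systemd_unit() {
cat <<'EOF'
[Unit]
Description=example service with one ambient capability (placeholder)

[Service]
User=myservice
Group=myservice
ExecStart=/usr/local/bin/myservice
# Only the capability the service actually needs survives exec.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
EOF
}

# Container form: rootless podman, everything dropped and the same single
# capability added back. The command is printed rather than executed so the
# script runs on a host without podman; copy it into a shell to use it.
podman_cmd() {
  printf '%s\n' \
    "podman run --rm --cap-drop=ALL --cap-add=NET_BIND_SERVICE \\" \
    "  --security-opt no-new-privileges --user 1000:1000 \\" \
    "  example/myservice:latest   # placeholder image"
}

# Audit helper (constructed for this example): returns 0 when the unit text in
# $2 grants exactly the ambient capability set named in $1, 1 otherwise.
unit_grants_only() {
  expected="$1"
  granted=$(printf '%s\n' "$2" | sed -n 's/^AmbientCapabilities=//p')
  [ "$granted" = "$expected" ]
}

# Usage: show both forms and run the audit against the generated unit.
echo "--- systemd unit ---"
systemd_unit
echo "--- rootless podman equivalent ---"
podman_cmd
if unit_grants_only CAP_NET_BIND_SERVICE "$(systemd_unit)"; then
  echo "audit: unit grants only CAP_NET_BIND_SERVICE"
else
  echo "audit: unit grants more than expected" >&2
  exit 1
fi
```

The unit and the `podman run` line express the same policy: no root, no `--privileged`, one named capability. Running the audit helper against a unit whose `AmbientCapabilities=` line has grown (or whose container wrapper has quietly switched to `--privileged`) is the quickest way to notice the privilege creep the second commenter describes.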