GPL-3 > AGPL-3
AGPL-3 > GPL-3
No difference for a sandbox
Strawberry fields forever
ONLYOFFICE flags license violations in “Euro-Office” project

The “Euro-Office” initiative is an evident and material violation of ONLYOFFICE licensing terms and principles of international intellectual property law.

#Sydbox is NOT hosted on #Github and this is an ethical decision. Main repository is the #Exherbo #Gitlab, we have mirrors on #Sourcehut and #Codeberg. Having said that, the code is GPL-3 and I can't legally prevent anyone from mirroring it on Github. I can just kindly ask not to...: https://github.com/tamaroning/sydbox/issues/1 #exherbo #linux #security
Please remove this repository · Issue #1 · tamaroning/sydbox

Dear kind people, I am Ali Polatel, the main author of Sydbox. I want to kindly ask you to remove this repository from Github. There's a reason I don't host code on Github. I don't want my code, my...

Here are #rustlang bindings for Redis' #radix tree: https://crates.io/crates/redix New #sydbox uses this for path canonicalization which sufficiently reduces its userspace overhead. Let me know if sydbox-3.51.1 is too fast for you and I'll add some random sleeps around the code ;) #exherbo #linux #security

#Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3510 #exherbo
News from #sydbox git: Force sandboxing (binary verification) now uses #Linux #kernel cryptography. You may use any hash algorithm your kernel supports and the checksumming process happens with zero-copy without copying data into Syd's process space. This ensures performance and privacy. Syd is hash-algorithm agnostic and makes no choice of a default. Pandora learned to autoselect the best available algorithm. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Force_Sandboxing #exherbo #security

Is it a red flag that #sydbox is developed mainly by a single person in their free time rather than bigcorp? #exherbo #linux #security
Yes: 6.7%
No: 73.3%
Who cares if it's GPL?: 20%
Why not MIT? Let bigcorp buy you!: 0%
New hardening in #Sydbox 3.50.0: "Immutable Sticky Bit" where Syd enforces the immutability of the sticky bit at chmod(2) boundary for directories. Sticky bit on dirs such as /tmp is a critical security primitive that restricts file deletion/renaming to file/directory owner or root. This also helps raise the bar for trusted symlink bypasses. On by default, disable with trace/allow_unsafe_sticky:1. Refer to the manual page for more information: https://man.exherbo.org/syd.7.html#Immutable_Sticky_Bit #exherbo #linux #security

#FreeBSD #Jail chroot escape via fd exchange with a different jail! Both #OpenBSD pledge(2) and #Sydbox prevent sending directory file descriptors over #unix sockets which prevents this vector: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:04.jail.asc #exherbo #linux #security
News from #Linux #kernel: io_uring gains filtering support with _unprivileged_ cBPF which means unprivileged sandboxers such as #sydbox can selectively allow io_uring without any escape vectors going forward. cBPF is NOT eBPF and it's available to unprivileged processes on Linux. Filtering with cBPF is simple yet powerful. Cherry on the cake is you may filter on socket(2) domains, open(2)/openat(2) flags, and openat2(2) resolve flags: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=591beb0e3a03 #exherbo #security
Merge tag 'io_uring-bpf-restrictions.4-20260206' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux - kernel/git/torvalds/linux.git - Linux kernel source tree