I'm supportive of going further - like restricting what a library is able to do. E.g., if you are using some library to compute a hash, it should not make network calls. Without sub-processes, it would require OS support.
Which exists: pledge in OpenBSD.
Making this work on a per-library level … seems a lot harder. The cost for being very paranoid is a lot of processes right now.