> The easiest way would be usermode package managers like Nix, Guix, or Homebrew.
The insanity of the usermode packagers is that they're not popular enough to be easy to hire for (probably excepting Homebrew, though I've never seen it on Linux). I can grab a random resume from a stack and be almost positive that they know how to install and upgrade software with apt/yum.
I would bet the percentage of candidates who can compile and use Postgres outweighs the number that can install and use Postgres from Nix.
> The same product my employer just rolled out for managing this on Windows has a native Linux version. I assume it must have competitors.
I'd be curious how that works. I've seen things in the space that have tried via intercepting kernel syscalls (SELinux, AppArmor), but those seem like failed projects to me. I've never worked anywhere that has them turned on, though maybe that's sampling bias.
> No it does not. It lets the Windows people use Windows and the Linux people still have to use Windows, and a fucked up Linux VM that can't access their hardware, has to contend with Windows' broken-ass networking stack, operates extremely slowly on files that are stored where the corporation wants people to store source code (i.e., on the Windows side), etc.
I'm not saying it's perfect, but I'll take it over being forced to use Windows or Mac natively. At least it's familiar, even if it is slow.
> Why? Don't all of the material issues w/r/t endpoint management (data exfiltration, update management, anti-virus, idk) recur inside the VM anyway?
Some do, some don't. You can prevent people from plugging in a 4G dongle to exfil data. You can force VM traffic to go through the host networking stack so it gets scanned by endpoint protection. For a lot of compliance stuff, it's enough that the software works on the physical host even if it can't do anything with the VM. E.g. compliance might say that all hosts have to run anti-virus, but the physical machine is the "host" so it's okay if the guest VM doesn't run anti-virus. Same with software auditing; it's enough for the procurement people that it runs on the Windows host.
Most of the pragmatic issues recur inside the VM, but a lot of organizationally imposed ones go away. I'm not saying it's logical, but I've yet to win an argument with compliance.
> The insanity of the usermode packagers is that they're not popular enough to be easy to hire for (probably excepting Homebrew, though I've never seen it on Linux). I can grab a random resume from a stack and be almost positive that they know how to install and upgrade software with apt/yum.
True and very unfortunate. Hopefully this changes as (tools like) Nix and Guix continue to grow and develop! They're really well-suited to this.
> I would bet the percentage of candidates who can compile and use Postgres outweighs the number that can install and use Postgres from Nix.
I think installing and using Postgres from Nix is definitely easier, although sure, fewer devs might already know that they can easily do it.
> I'm not saying it's perfect, but I'll take it over being forced to use Windows or Mac natively. At least it's familiar, even if it is slow.
Yeah, I think we're agreed. I'm just feeling especially frustrated with the setup lately.
> Most of the pragmatic issues recur inside the VM, but a lot of organizationally imposed ones go away. I'm not saying it's logical, but I've yet to win an argument with compliance.
> I'm not sure what you mean, but you don't need root to use user namespaces (sandboxing) on any remotely recent Linux kernel.
Nah, it's not user namespaces, it's some kind of Electron sandboxing that it wants setuid root for (I have no idea why). https://stackoverflow.com/questions/66816019/how-to-run-star... has the error in question.