Right now it’s probably too late, but historically, why didn’t NixOS rely on namespaces (like buildFHSUserEnv - mount all dependencies' bin files into your /home/me) over patching?
Advantages of namespaces:
Patching is brittle: For example, something like:
```python
#!/usr/bin/env python3.6
from os import system

# The command name is assembled at runtime, so the literal "wget" never appears in the source
command1 = "w"
command2 = "g"
command3 = "e"
command4 = "t"
system(command1 + command2 + command3 + command4 + " https://www.nixos.org")
```
This is a blatant (and bad) example. But there are places where commands are built from strings, or programs that assume that commands are in path. And it makes packaging complicated software much easier and more reliable - you don’t have to be scared that a patch broke firefox in an edge case - as far as firefox is concerned, you’re running a normal, FHS compliant system.
It’s easier to ensure purity - For example, I can write a package that looks like:
```python
#!/usr/bin/env python3.6
from os import system

# wget is looked up on PATH at runtime; it is never declared as a dependency
system("wget")
```
which will work as long as wget is in systemPackages (and probably isn’t what you want).
Security - Once packages are in a namespace, it should be easy to set a configuration of what directories to mount. Don’t want firefox to see “/home”? Easy, just don’t mount it in the namespace. Don’t want apache to see anything? Easy, don’t mount anything.
The only disadvantage that I see is that namespacing takes a bit of time. But on the other hand, on my system, a failed chroot takes 0.002 seconds.
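The per-package mount configuration from the Security point above, sketched as an added example that is not part of the original post. It assumes bubblewrap (`bwrap`) as the namespace tool; the policy table, its paths and the function names are hypothetical.

```python
import posixpath

# Constructed sample policies: host paths each program is allowed to see.
POLICIES = {
    "firefox": {"ro": ["/nix/store", "/etc/ssl"], "rw": ["/tmp/firefox-profile"]},
    "apache": {"ro": [], "rw": []},  # the post's "don't mount anything" case
}

def clean_path(path):
    """Normalize an absolute path; refuse relative paths and '..' components."""
    if not path.startswith("/"):
        raise ValueError(f"mount path must be absolute: {path!r}")
    if ".." in path.split("/"):
        raise ValueError(f"'..' not allowed in mount path: {path!r}")
    return posixpath.normpath("/" + path.lstrip("/"))

def mounts(policy):
    """Return (flag, path) pairs with parents before children; rw overrides ro."""
    table = {clean_path(p): "--ro-bind" for p in policy.get("ro", [])}
    table.update({clean_path(p): "--bind" for p in policy.get("rw", [])})
    # A path sorts before anything it is a prefix of, so a parent mount is
    # applied first and cannot shadow a child mount that follows it.
    return [(table[p], p) for p in sorted(table)]

def bwrap_argv(name, command):
    """Build a bwrap command line that exposes only the policy's paths."""
    argv = ["bwrap", "--unshare-all", "--die-with-parent",
            "--proc", "/proc", "--dev", "/dev"]
    for flag, path in mounts(POLICIES[name]):
        argv += [flag, path, path]  # same location inside the namespace
    return argv + list(command)

def visible(name, path):
    """Return the bind flag that exposes a host path, or None if it is hidden."""
    path, hit = clean_path(path), None
    for flag, root in mounts(POLICIES[name]):
        if path == root or path.startswith(root.rstrip("/") + "/"):
            hit = flag  # list is parent-first, so the deepest mount wins
    return hit

if __name__ == "__main__":
    print(" ".join(bwrap_argv("firefox", ["firefox"])))
    for probe in ["/home/me/.ssh/id_ed25519", "/nix/store/abc-firefox/bin/firefox"]:
        print(probe, "->", visible("firefox", probe))
```

Anything not listed in a policy, such as `/home`, simply does not exist inside the namespace, so auditing the policy table is enough to answer what a program can read.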