What mechanism is used to help keep the host safe?

I’m just at the beginning of the self-host adventure.

I understand (sort of) how Docker keeps things safe by using containers. A hacker that gets into your app is trapped in the container, limiting what harm they can do.

What technology or approach does Yunohost use to maintain security? Does each app belong to a limited user group? I figure there must be some particular approach since I’m not hearing about any major breaches.

Thanks!

Welcome!

YunoHost is based on Debian, which already gives a lot of tools to sensibly configure your system. Not relying on containers merely forces us to be watchful about said configuration:

  • user and groups: apps systematically get a system user and group for file ownership and binary execution
  • systemd sandboxing options to prevent processes from accessing sensitive parts of the system

To monitor the packaging habits, all apps are subject to a code linter and automated tests. Packagers not following good practices will have their apps’ scores lowered. Low-scored apps will not be displayed in the catalog by default.

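To make the two points in the answer concrete, here is an added illustration (not a unit file shipped by YunoHost or by any real app): a systemd service for a hypothetical app running as its own dedicated system user and group, with sandboxing directives that confine the process even if the app itself is compromised. The app name, paths and port are placeholders.

```ini
# Constructed example, NOT a YunoHost-provided unit. Assumes the system
# user/group "myapp" and the directories below were created at install time.
[Unit]
Description=myapp (hypothetical self-hosted app, sandboxed example)
After=network.target

[Service]
Type=simple
# 1) Dedicated identity: files and the process belong to this app only,
#    so a compromised process cannot read other apps' data.
User=myapp
Group=myapp
WorkingDirectory=/var/www/myapp
ExecStart=/var/www/myapp/bin/myapp --port 8080
UMask=0027

# 2) systemd sandboxing: restrict what the process can see and do.
# Whole filesystem read-only except the explicitly listed writable paths.
ProtectSystem=strict
ReadWritePaths=/var/www/myapp/data /var/log/myapp
# Hide every /home, /root and /run/user.
ProtectHome=yes
# Private /tmp and a minimal /dev, so scratch files are not shared.
PrivateTmp=yes
PrivateDevices=yes
# No privilege escalation via setuid binaries, and no capabilities at all.
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictSUIDSGID=yes
# Kernel-facing surfaces the app has no business touching.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
# Only IPv4/IPv6 and Unix sockets; no raw or packet sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Typical service syscall allowlist; tighten further per app if it still works.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

After installing such a unit, `systemd-analyze security myapp.service` reports an exposure score that shows which of these directives are missing, which is a quick way to check a package's sandboxing rather than trusting it by name.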