Just a tip, if you guys want to containerize games such Epic Games, GoG, or other Windows apps, there is a program called Bottle which lets you do this. Can be a great added layer of security and containerization:
https://usebottles.com/
However there is Lutris and Heroic for easier to use alternatives that do not offer containerized security.
It doesn’t use any seperate layers of containerization other than flatpak. So if you don’t install it via flatpak, it won’t be sandboxed.
There is also no proper instance containerization (you can enable it in Bottles’s settings, but it’s marked as experimental and I’ve been unable to run a single application with it on), so an app installed on one instance in Bottles will have access to all other instances’ files.
I could be wrong but i don’t think the wine instances themselves are containerized. Maybe he’s confusing it with flatpak sandboxing, since that is the only officially supported way of using it.
I don’t know much about it. I tried using it to set it up with Epic Games. There was a lot more manual work than say Heroic or Lutris, but all was able to be done through a UI.
I needed to select my dependencies of C# versions, C++ versions, XInput software, Direct X version, various other stuff. This was done within a single bottle, so I’m guessing they’re separate from the others.
To be honest, I managed to get Epic Games running, but had trouble signing it. Not sure what else I was missing.
It also lets you take snapshots of your Bottles state. And provides you with a Task Manager, command line, Registry Editor, Windows compatibility versions (e.g., 10 or 11), toggle OBS screen capture, gamescope, Wayland (experimental), other graphic stuff,
Its got Launchers for many things, like also: Battle. Net, Enlisted, EVE, FL Studio, AutoDesk, Guild Wars 2, MEGA sync, Origin, PlayStation Plus, QOBUZ, Star Citizen, Ubisoft Connect, Wargaming. NET (World of Tanks, Warplanes, Battleships), the GOG Galaxy official launcher.
They show the ratings for the various launchers from within the app, to show its score for compatibility.
I think because people no longer trust you because you confidently said that something does something, and then when questioned, you said that you don’t really know much about it.
It gives your comments a low trustability factor. People will think that anything else you have to say on the matter could be misleading.
That’s fair. Looking back, I shouldn’t have used the word containerized. Isolated may have been what I should have used instead since I’m not sure if its “containerized”, a “VM”, or as @[email protected] said “bubblewrap”…
It doesn’t have any containerization between instances. There is an experimental opt-in setting for it but it’s completely broken. It’s just sandboxed because of flatpak.
The reason I’m asking is that separate wineprefixes will look like a “different wine instance” to a layman, but they’re not the same thing as a sandbox. Wine mounts the host filesystem under the Z: drive, and even beyond that there are probably ways to escape the Wine environment. For true sandboxing some additional layers will be required.
From a security standpoint, yes they can be broken out of, just like a docker or a virtual machine , but they use bubblewrap to isolate environments just like flatpaks. Malicious content aside they are just as isolated and sandboxed as a docker image or vm
Just a tip, if you guys want to containerize games such Epic Games, GoG, or other Windows apps, there is a program called Bottle which lets you do this. Can be a great added layer of security and containerization: https://usebottles.com/
However there is Lutris and Heroic for easier to use alternatives that do not offer containerized security.
Is Bottles actually containerized in any meaningful way? Last I checked it just managed wineprefixes, and Wine is not a sandbox.
It doesn’t use any seperate layers of containerization other than flatpak. So if you don’t install it via flatpak, it won’t be sandboxed.
There is also no proper instance containerization (you can enable it in Bottles’s settings, but it’s marked as experimental and I’ve been unable to run a single application with it on), so an app installed on one instance in Bottles will have access to all other instances’ files.
I could be wrong but i don’t think the wine instances themselves are containerized. Maybe he’s confusing it with flatpak sandboxing, since that is the only officially supported way of using it.
I don’t know much about it. I tried using it to set it up with Epic Games. There was a lot more manual work than say Heroic or Lutris, but all was able to be done through a UI.
I needed to select my dependencies of C# versions, C++ versions, XInput software, Direct X version, various other stuff. This was done within a single bottle, so I’m guessing they’re separate from the others.
To be honest, I managed to get Epic Games running, but had trouble signing it. Not sure what else I was missing.
It also lets you take snapshots of your Bottles state. And provides you with a Task Manager, command line, Registry Editor, Windows compatibility versions (e.g., 10 or 11), toggle OBS screen capture, gamescope, Wayland (experimental), other graphic stuff,
Its got Launchers for many things, like also: Battle. Net, Enlisted, EVE, FL Studio, AutoDesk, Guild Wars 2, MEGA sync, Origin, PlayStation Plus, QOBUZ, Star Citizen, Ubisoft Connect, Wargaming. NET (World of Tanks, Warplanes, Battleships), the GOG Galaxy official launcher.
They show the ratings for the various launchers from within the app, to show its score for compatibility.
Why the downvotes? This is useful information…
I think because people no longer trust you because you confidently said that something does something, and then when questioned, you said that you don’t really know much about it.
It gives your comments a low trustability factor. People will think that anything else you have to say on the matter could be misleading.
That’s fair. Looking back, I shouldn’t have used the word containerized. Isolated may have been what I should have used instead since I’m not sure if its “containerized”, a “VM”, or as @[email protected] said “bubblewrap”…
Thanks for responding.
Yes, it has different wine instances for each installed application, it uses a flatpak style separation to prevent them from accessing each other.
It doesn’t have any containerization between instances. There is an experimental opt-in setting for it but it’s completely broken. It’s just sandboxed because of flatpak.
The reason I’m asking is that separate wineprefixes will look like a “different wine instance” to a layman, but they’re not the same thing as a sandbox. Wine mounts the host filesystem under the Z: drive, and even beyond that there are probably ways to escape the Wine environment. For true sandboxing some additional layers will be required.
From a security standpoint, yes they can be broken out of, just like a docker or a virtual machine , but they use bubblewrap to isolate environments just like flatpaks. Malicious content aside they are just as isolated and sandboxed as a docker image or vm