The same isolation keeping Claude contained also kept host-based endpoint detection and response out. From the EDR's perspective, Claude Cowork is an opaque hypervisor process.
大多数人认为更强的隔离总是意味着更好的安全性,但作者指出过度的隔离会阻止安全监控工具(如EDR)发挥作用,创造出'安全盲点'。这一发现挑战了安全领域中'隔离越多越好'的普遍假设,强调了安全与可见性之间的平衡。
That's not how flatpack works; the executable is hidden in a container and you need to set up the whole environment to be able to call it. Delivering a well-isolated, not-to-be-run-from-outside environment is the whole point.
Some users download the DEB package and install it manually and manage upgrades completely manually. This is useful in situations such as installing Docker on air-gapped systems with no access to the internet.
Why did I put the kdb in the snap file system? Because the app is sandboxed, so I had no choice.
By design, snap apps have no access to /etc. They live in their own little world, but instead of a normal chroot, they are splatted all over the standard Linux filesystem layout. With other bits mounted hither and thither. Its a mess, and subject to change with each release.
The application is executed in an encapsulated, ring-fenced way, so its files can’t interfere with those on your computer. You can even install multiple versions of the same application, and they won’t cross-pollinate or fight amongst themselves.