Latest Towards A Secure Peer-to-peer App Platform For Clan 2025
While most of the existing Clan framework is dedicated to machine and service management, there’s more on the horizon. Our mission is to make sure peer-to-peer, user-controlled, community software can beat Big Tech solutions. That’s why we’re working on platform fundamentals that would open the way for our FOSS stack to match the usability and convenience of proprietary platforms.
Unfortunately, the FOSS world is still lagging behind commercial platforms in some important aspects:
So… What do we need to make it possible for communities to share apps that install and load quickly, already pre-connected to network services; that are isolated to a worry-free level of security, and yet allow for enough sharing via explicit permissions to make them useful?
The first piece of the puzzle is, unsurprisingly, Nix. The entire Clan project is built on Nix, and the future app platform is no exception. Nix makes it possible to quickly fetch and run any software. Thanks to caching, as long as we steer everyone towards using very few common versions of the nixpkgs tree, most downloads could be almost as fast as web app loads.
Then we have to add a microVM hypervisor with Wayland and GPU virtualization and a side of D-Bus portals… and we can finally get a glimpse of the future!
Secure isolation is essential for any modern app platform. Hardware-based virtualization is a lot more confidence-inspiring than shared-kernel isolation mechanisms like Linux namespaces. But it’s not only a security measure. Running apps in VMs also improves environment consistency/reproducibility by ensuring everyone runs the same kernel — which can also give us portability, since it enables running on completely different host OSes as well.
If your experience with virtualization on desktop has only been with booting entire Linux distros under something like VirtualBox, you might be very skeptical of the same technology being involved in launching applications all the time. But that’s not at all inherent to the use of KVM!
Conventional VMs feel “heavy” —slow to launch, big RAM footprint, extra background CPU usage, fixed storage allocation, usually not very well integrated with the host desktop— only because their goal is to simulate a whole other computer within your existing computer. For app isolation, we don’t need that, so the whole stack can be vastly simplified and optimized for high performance and low overhead. The microVM idea was first popularized by AWS’s Firecracker on the server side
Source: HackerNews