The original pass is just a single shell script. It's short, pretty easy to read and likely in part because it's so simple, it's also very stable. The only real dependencies are bash, gnupg and optionally git (history/replication). These are most likely already on your machine and whatever channel you're getting them from (ex: distribution package manager) should be much more resilient to supply chain vulnerabilities.

It can also be used with a pgp smartcard (in my case a Yubikey) so all encryption/decryption happens on the smartcard. Every attempt to decrypt a credential requires a physical button press of the yubikey, making it pretty obvious if some malware is trying to dump the contents of the password store.

Also another vote for Splendor Duel. The original Splendor is probably my favorite game and Duel is the better version for two players.

Also, it can absolutely be done with cheaper. My partner and I finished a 4800 mile trip last year. I used a second hand cyclocross bike that I got off craiglist for ~500 a few years ago. She had a road bike that she bought for 200 from the local bike project.

If it mapped to root outside the container, you could just use podman to create setuid scripts owned by root for very trivial privelege escalation.

If you listened to the original talk from Lennart, you're really just giving examples of one of his major points. Because /etc/passwd wasnt flexible enough to accomodate arbitrary user properties, user configuration has organically spread out over time into all these "side car" configuration files. Some are scattered around /etc so not easily portable while others are in the user's home directory and suffer from exactly the scenario you've mentioned. One of the goals of systemd-homed is to add a portable, extensible format for a user record external to the home directory which would mean that systemd-homed rather than causing, could actually lead to a solution for the issue you've highlighted.

Even on a single user workstation, having an encrypted root filesystem doesn't do as much good if your laptop is left booted up with the root filesystem unlocked most of the time. Systemd-homed in that scenario is supposed to make it easier to automatically unmount/mount on locking/unlocking the workstation.

You've definitely convinced me to take a good look at LXC/LXD though. Thanks for the thorough response!

I only just recently discovered podman and I've been pretty excited. Having never used LXD and only understanding the high level differences between the two, I'm curious how it compares with regards to security and usability.

What's not okay is for me to build a house and add recording devices all around and then sell it to you without informing you. Using your house example, that's the most direct comparison and would 100% be illegal.

There's obviously a trade off most users are willing to make between privacy and functionality, but I do believe the exchange should be 100% in the open and a conscious decision made by the user.