It’s been about a month since I introduced Tempest, so as promised, it’s time for another post.
The big news is that the sandbox is more or less finished at this point; Tempest’s ability to isolate apps is at least on par with Sandstorm’s, and any app should work if:
- It works on Sandstorm with `ALLOW_LEGACY_RELAXED_CSP=false` and `USE_EXPERIMENTAL_SECCOMP_FILTER=true` set in `sandstorm.conf`. The plan has always been for these to become the default in Sandstorm, so there are no plans to implement the legacy sandbox settings in Tempest.
- It doesn’t need WebDAV HTTP methods.
- It doesn’t depend on Sandstorm-specific APIs, beyond the HTTP glue code used by `sandstorm-http-bridge`.
Right now apps are told the user has only the minimum permissions needed to access them at all, so some apps have limited functionality.
Likely my next task is to fix the permissions issue. There’s also a very rough roadmap in the repository now.