The bubblewrap readme mentions containers as binaries with binctr; I guess without overlayfs or other file-level re-deduplication due to the container fs in the binary.
Perhaps similarly, also TIL
UKI are easier for UEFI Secure Boot to check signatures on than (kernel, initrd) pairs
pydantic/monty, vercel-labs/just-bash, amla sandbox, csl-core, microsandbox, workerd, wasmtime-mte
containers/bubblewrap: https://github.com/containers/bubblewrap#sandboxing
The bubblewrap readme mentions containers as binaries with binctr; I guess without overlayfs or other file-level re-deduplication due to the container fs in the binary.
Perhaps similarly, also TIL UKI are easier for UEFI Secure Boot to check signatures on than (kernel, initrd) pairs