Hey Guix,

Here's a small tip for how you can create graphically isolated containers with Guix and Xpra.

First we create an Xpra server, with no clipboard access.

    $ xpra start --clipboard=no :200

Next we switch to an empty tmp directory, and start a Guix container that has access to the X200 socket only.

    $ cd tmp
    $ guix environment -C --ad-hoc coreutils gedit --expose=/home/$USER/.Xauthority --expose=/tmp/.X11-unix/X200 -- env DISPLAY=:200 XAUTHORITY=/home/$USER/.Xauthority gedit

On a different terminal (or over SSH) you can now access the Xpra server.

    $ xpra attach :200

Note that in order to be fully isolated the container should not be able to access even abstract sockets. You can either run the container without the -N switch, or create a new network namespace with a veth or something like that. With the following command you can check the sockets. No X11 sockets other than the Xpra one should be shown.

    $ ss | grep X11

Once Wayland becomes widely used this will probably be redundant, since the isolation in Wayland is far better than X11. But this might still be useful.
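As an added example (not part of the original mail), the steps above wrapped into shell functions, plus a check that turns the `ss | grep X11` inspection into a pass/fail test run from inside the container. It assumes display :200, gedit as the application, and that the `iproute2` package is added to the container so `ss` is available there.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes the Xpra display is
# :200 and that iproute2 (for `ss`) is added to the container's packages.

DISPLAY_NUM=200
XAUTH="/home/$USER/.Xauthority"

# Start the Xpra server with clipboard sharing disabled.
start_xpra() {
    xpra start --clipboard=no ":$DISPLAY_NUM"
}

# Run a command inside a Guix container that sees only the Xpra socket.
# No -N is passed, so the container gets its own network namespace and
# the host's abstract X11 sockets are not reachable from it either.
in_container() {
    guix environment -C --ad-hoc coreutils iproute2 gedit \
        --expose="$XAUTH" --expose="/tmp/.X11-unix/X$DISPLAY_NUM" \
        -- env DISPLAY=":$DISPLAY_NUM" XAUTHORITY="$XAUTH" "$@"
}

# Read `ss -x` output on stdin and succeed only if every X11 socket
# listed is the expected Xpra one. Abstract sockets (reachable when the
# network namespace is shared) appear with a leading '@' and are
# flagged like any other unexpected socket.
x11_sockets_ok() {
    expected="/tmp/.X11-unix/X$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in *X11-unix*) ;; *) continue ;; esac
        # Pick out the socket path field without unquoted word splitting
        # (ss prints '*' for the peer address, which would glob-expand).
        path=$(printf '%s\n' "$line" | tr -s '[:space:]' '\n' | grep X11-unix | head -n 1)
        if [ "$path" != "$expected" ]; then
            echo "unexpected X11 socket visible: $path" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Only perform the real run when explicitly requested, so the functions
# above can be sourced and tested on their own.
if [ "${RUN_ISOLATED_GEDIT:-0}" = 1 ]; then
    start_xpra
    in_container ss -x | x11_sockets_ok "$DISPLAY_NUM" || exit 1
    in_container gedit
fi
```

Run with `RUN_ISOLATED_GEDIT=1 sh isolated-gedit.sh`; the script refuses to launch gedit if the container can see any X11 socket other than X200.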