That's not a realistic solution. Nobody is going to stop using their machine for development just to get some security gains, it's way too much of a pain to do that.

It's 100% realistic because *I've been doing it off-and-on for the last 25 years.*

When I was developing server software for Windows, the first time I was able to setup a development environment by simply cloning a VM instead of spending a day-and-a-half with a lap full of MSDN CDs/DVDs, I never went back.

Prior to that, I was happily net-booting *BSD/Solaris servers all over my house/apartment.

Nowadays, we have so many tools to make this trivial. Your contention doesn't stand up to basic scrutiny of the available data.

If you are downloading software from untrusted sources (e.g. NPM, pip, and others) and running it on your primary working machine, or personal machine, then you are simply begging for trouble.

The way to sell it isn't vague security somethings, but in making it easier to reproduce the build environment "from scratch". If you build the Dockerfile as you go, then you don't waste hours at the end trying to figure out what you did to get it to build and run in the first place.

You are right, if it's a pain no one is going to do it. So the thing that needs to happen is to make it not a pain.

Wake up and smell the codespaces/workspaces/vagrant/so many other tools that make this not a pain. Some of these tools have been around for AGES. Nowadays, with VSCode Remote, you can even use a "modern" IDE environment with a local fat client observing your remote runtime. Other folks do this quite happily, with tremendous tooling, using emacs or *vim.

its not particularly painful to develop in a container. Maybe docker is a nuisance (although I know people do do develop within docker) but something like firejail or bubblewrap is pretty easy to use.

It is a realistic solution.

Taking this more seriously than it perhaps deserves: if that’s true, why isn’t widespread adoption of this approach growing?

Whether or not it’s a good idea, “realistic” implies practicality, which could presumably be measured by whether people find it worthwhile to do the thing.

I suppose it depends on what you're protecting, who's out there to get you, and how boring and time consuming it is to clean up after a breach (can't that take weeks or months), etc.

Aren't you're a bit asking "When X transportation method isn't used by everyone, can it really be any good?" :-)

Are people actually using UTM to do local development?

Im genuinely curious because I casually looked into it so that i could work on some hobby stuff over lunch on my work machine.

However I just assumed the performance wouldn't be too great.

Would love to hear how people are setup…

When I had a Macbook from work, I set up an Arch Linux VM using their basic VM image [1], and followed these steps (it may differ, since is quite old): https://www.youtube.com/watch?v=enF3zbyiNZA

Then, I removed the graphical settings, as I was aiming to use SSH instead of emulated TTY that comes ON by default with UTM (at that time).

Finally, I set up some basic scripting to turn the machine on and SSH into it as soon as sshd.service was available, which I don't have now, but the script finished with this:

(fish shell)

    while not ssh -p 2222 arch@localhost; sleep 2; end;

Later it evolved in something like this:

    virsh start arch-linux_testing && virsh qemu-monitor-command --hmp arch-linux_testing 'hostfwd_add ::2222-:22' && while not ssh -p 2222 arch@localhost; sleep 2; end;

I also removed some unnecessary services for local development:

    arch@archlinux ~> sudo systemctl mask systemd-time-wait-sync.service 
    arch@archlinux ~> sudo systemctl disable systemd-time-wait-sync.service

And done, performance was really good and I could develop on seamlessly.

[1]: https://gitlab.archlinux.org/archlinux/arch-boxes/-/packages...

It works incredibly well with Linux VMs, my daily driver. I plug in a USB keyboard, external monitor and Can't Believe It's Not Linux. Only occasionally when I need to use the laptop screen/keyboard does macOS bother me and remind of it real self.

There's around 10-15% performance penalty for VMs (assuming you use arm64 guests), but the whole system is just so much faster and well built than anything Intel-based to day, that it more than compensates.

For Windows, it's lacking accelerated video drivers, but VMWare Fusion is an ok free alternative - I can totally play AAA games from last decade. Enjoy it until broadcom kills it.

With remote development (vscode and remote extension in jetbrains with ssh to VM) performance is good with headless VM in UTM. Although it always (?) uses performance cores on Apple Silicon Macs, so battery drain is a problem

I started using UTM last week on my Macbook just to try out NixOS + sway and see if I could make environment that I liked using (inspired by the hype around Omarchy).

Pretty soon I liked using the environment so much that I got my work running on it. And when I change the environment, I can sync it to my other machine.

Though NixOS is particularly magical as a dev environment since you have a record of everything you've done. Every time I mess with postgres hb_conf or nginx or pcap or on my local machine, I think "welp, I'll never remember that I did that".

I used to have a separate account on my box for doing code for other people, one for myself and another for surfing the web. Since I have an Apple TV hooked up to one of my monitors I don’t have a ton of reasons for hopping credentials between accounts so I think I’ll be going back to at least that.

The fact I use nvm means a global install won’t cross accounts.