Informative post.
The bubblewrap readme currently still says that it uses setuid instead of userns, so it surprised me to read here that “bubblewrap runs containers as a non-root user, using user namespaces”. Reading bubblewrap.c I see that, contrary to its readme, nowadays it actually can use either of setuid or userns.