HackerLangs
TopNewTrendsCommentsPastAskShowJobs

kernc

no profile record

comments

kernc
·3 months ago·discuss
Why would they care to empower competitors?
kernc
·4 months ago·discuss
`sandbox-venv` is a small shell script that sandboxes Python virtual environments in separate Linux namespaces using Bubblewrap (and soon using only command `unshare`, bringing the whole script down to effectively 0 deps).

https://github.com/sandbox-utils/sandbox-venv
kernc
·4 months ago·discuss
Did you also manage to enable menu icons?
kernc
·4 months ago·discuss
Let everyone be reminded how joyful GIMP 2.10 menus used to look ...

https://i.imgur.com/nVyMQBt.png
kernc
·5 months ago·discuss
Probably not. Maybe Bubblewrap and sandbox-run. It's an anything-is-already-way-better-than-nothing type of thing.

[0]: https://github.com/containers/bubblewrap

[1]: https://github.com/sandbox-utils/sandbox-run
kernc
·5 months ago·discuss
As a heads up and affirmation that the approach is correct, here's a small shell bubblewrap wrapper that boils the command line down to `sandbox-run claude --dangerously-skip-permissions`.

https://github.com/sandbox-utils/sandbox-run
kernc
·5 months ago·discuss
Other actionable insights are:

- Merge amendments up into the initial prompt.

- Evaluate prompts multiple times (ensemble).
kernc
·6 months ago·discuss
It being deprecated and all, didn't feel like wrapping it, but macOS supposedly has a similar `sandbox-exec` command ...
kernc
·6 months ago·discuss
> Linux-only

What other dev OSs are there?

> once privileges are dropped [...] it doesn't appear to be possible to reinstate them

I don't understand. If unprivileged code could easily re-elevate itself, privilege dropping would be meaningless ... If you need to communicate with the outside, you can do so via sockets (such as the bind-mounted X11 socket in one of the readme Examples).
kernc
·6 months ago·discuss
Since everyone tends to present their own solution, I bid you mine:

    sandbox-run npx @anthropic-ai/claude-code
This runs npx (...) transparently inside a Bubblewrap sandbox, exposing only the $PWD. Contrary to many other solutions, it is a few lines of pure POSIX shell.

https://github.com/sandbox-utils/sandbox-run
kernc
·7 months ago·discuss
I wrote myself a handy and generalized bwrap-wrapping script: https://github.com/sandbox-utils/sandbox-run
kernc
·8 months ago·discuss
No.1: Run untrusted code in a sandbox! https://github.com/sandbox-utils/sandbox-venv
kernc
·8 months ago·discuss
Now that everyone is kindly on board, IBM can finally bury this standard. /s
kernc
·8 months ago·discuss
What are the reasons for Snapchat? :.
kernc
·8 months ago·discuss
> alias npm=...

I use sandbox-run: https://github.com/sandbox-utils/sandbox-run

The above simple alias may work for node/npm, but it doesn't generalize to many other programs available on the local system, with resources that would need to be mounted into the container ...
kernc
·9 months ago·discuss
Local-first (on Lunix), POSIX shell: https://github.com/sandbox-utils/sandbox-run
kernc
·9 months ago·discuss
A simple zero-config alternative using Linux-native containers seems to be sandbox-venv [1] for Python and sandbox-run [2] for npm ...

[1]: https://github.com/sandbox-utils/sandbox-venv [2]: https://github.com/sandbox-utils/sandbox-run
kernc
·9 months ago·discuss
> This might be a red flag for Persona service itself as it might contain serious flaws and security vulnerabilities that Cyber criminals are relying on

Persona seems to rely solely on NFC with a national passport/ID, so simply stolen documents would work for a certain duration ...
kernc
·9 months ago·discuss
You can use special a Unicode strikethrough glyphs such as available in https://efck-chat-keyboard.github.io
kernc
·10 months ago·discuss
Is exactly why I composed bubblewrap-based sandbox-venv for Python: https://github.com/kernc/sandbox-venv

Dangerous times we live in.