HackerLangs
TopNewTrendsCommentsPastAskShowJobs

kernc

no profile record

comments

kernc
·3 месяца назад·discuss
Why would they care to empower competitors?
kernc
·4 месяца назад·discuss
`sandbox-venv` is a small shell script that sandboxes Python virtual environments in separate Linux namespaces using Bubblewrap (and soon using only command `unshare`, bringing the whole script down to effectively 0 deps).

https://github.com/sandbox-utils/sandbox-venv
kernc
·4 месяца назад·discuss
Did you also manage to enable menu icons?
kernc
·4 месяца назад·discuss
Let everyone be reminded how joyful GIMP 2.10 menus used to look ...

https://i.imgur.com/nVyMQBt.png
kernc
·5 месяцев назад·discuss
Probably not. Maybe Bubblewrap and sandbox-run. It's an anything-is-already-way-better-than-nothing type of thing.

[0]: https://github.com/containers/bubblewrap

[1]: https://github.com/sandbox-utils/sandbox-run
kernc
·5 месяцев назад·discuss
As a heads up and affirmation that the approach is correct, here's a small shell bubblewrap wrapper that boils the command line down to `sandbox-run claude --dangerously-skip-permissions`.

https://github.com/sandbox-utils/sandbox-run
kernc
·5 месяцев назад·discuss
Other actionable insights are:

- Merge amendments up into the initial prompt.

- Evaluate prompts multiple times (ensemble).
kernc
·6 месяцев назад·discuss
It being deprecated and all, didn't feel like wrapping it, but macOS supposedly has a similar `sandbox-exec` command ...
kernc
·6 месяцев назад·discuss
> Linux-only

What other dev OSs are there?

> once privileges are dropped [...] it doesn't appear to be possible to reinstate them

I don't understand. If unprivileged code could easily re-elevate itself, privilege dropping would be meaningless ... If you need to communicate with the outside, you can do so via sockets (such as the bind-mounted X11 socket in one of the readme Examples).
kernc
·6 месяцев назад·discuss
Since everyone tends to present their own solution, I bid you mine:

    sandbox-run npx @anthropic-ai/claude-code
This runs npx (...) transparently inside a Bubblewrap sandbox, exposing only the $PWD. Contrary to many other solutions, it is a few lines of pure POSIX shell.

https://github.com/sandbox-utils/sandbox-run
kernc
·7 месяцев назад·discuss
I wrote myself a handy and generalized bwrap-wrapping script: https://github.com/sandbox-utils/sandbox-run
kernc
·8 месяцев назад·discuss
No.1: Run untrusted code in a sandbox! https://github.com/sandbox-utils/sandbox-venv
kernc
·8 месяцев назад·discuss
Now that everyone is kindly on board, IBM can finally bury this standard. /s
kernc
·8 месяцев назад·discuss
What are the reasons for Snapchat? :.
kernc
·8 месяцев назад·discuss
> alias npm=...

I use sandbox-run: https://github.com/sandbox-utils/sandbox-run

The above simple alias may work for node/npm, but it doesn't generalize to many other programs available on the local system, with resources that would need to be mounted into the container ...
kernc
·9 месяцев назад·discuss
Local-first (on Lunix), POSIX shell: https://github.com/sandbox-utils/sandbox-run
kernc
·9 месяцев назад·discuss
A simple zero-config alternative using Linux-native containers seems to be sandbox-venv [1] for Python and sandbox-run [2] for npm ...

[1]: https://github.com/sandbox-utils/sandbox-venv [2]: https://github.com/sandbox-utils/sandbox-run
kernc
·9 месяцев назад·discuss
> This might be a red flag for Persona service itself as it might contain serious flaws and security vulnerabilities that Cyber criminals are relying on

Persona seems to rely solely on NFC with a national passport/ID, so simply stolen documents would work for a certain duration ...
kernc
·9 месяцев назад·discuss
You can use special a Unicode strikethrough glyphs such as available in https://efck-chat-keyboard.github.io
kernc
·10 месяцев назад·discuss
Is exactly why I composed bubblewrap-based sandbox-venv for Python: https://github.com/kernc/sandbox-venv

Dangerous times we live in.