Readit News
secure commented on Sandboxing AI Agents in Linux   blog.senko.net/sandboxing... · Posted by u/speckx
aflag · 6 days ago
I don't know if I want to create an ad-hoc list of permissions. What I would like would be something like take a snapshot of my current workspace in a VM. Run claude there and let it go wild. After the end of the session, kill the box. The only downside is potentially syncing the claude sessions/projects. But I don't think that'd be too difficult.
secure · 6 days ago
I recently blogged about how I do this using MicroVMs on NixOS: https://michael.stapelberg.ch/posts/2026-02-01-coding-agent-...
secure commented on Coding Agent VMs on NixOS with Microvm.nix   michael.stapelberg.ch/pos... · Posted by u/secure
clawsyndicate · 8 days ago
we run ~10k agent pods on k3s and went with gvisor over microvms purely for density. the memory overhead of a dedicated kernel per tenant just doesn't scale when you're trying to pack thousands of instances onto a few nodes. strict network policies and pid limits cover most of the isolation gaps anyway.
secure · 8 days ago
Yeah, when you run ≈10k agents instead of ≈10, you need a different solution :)

I’m curious what gVisor is getting you in your setup — of course gVisor is good for running untrusted code, but would you say that gVisor prevents issues that would otherwise make the agent break out of the kubernetes pod? Like, do you have examples you’ve observed where gVisor has saved the day?

secure commented on The browser is the sandbox   aifoc.us/the-browser-is-t... · Posted by u/enos_feedler
simonw · 14 days ago
This is an entry on my link blog - make sure to read the article it links to for full context, my commentary alone might not make sense otherwise: https://aifoc.us/the-browser-is-the-sandbox/
secure · 14 days ago
You might want to add a little note to that effect to your link blog :)

I have added year indicators to my blog (such that old articles have a prominent year name in their title) and a subscribe note (people don’t know you can put URLs into a feed reader and it’ll auto-discover the feed URL). Each time, the number of people who email me identical questions goes down :)

Anyway, thanks for blogging!

secure commented on The Holy Grail of Linux Binary Compatibility: Musl and Dlopen   github.com/quaadgras/grap... · Posted by u/Splizard
amelius · 14 days ago
Is there a tool that takes an executable, collects all the required .so files and produces either a static executable, or a package that runs everywhere?
secure · 14 days ago
https://github.com/gokrazy/freeze is a minimal take on this
secure commented on Can I start using Wayland in 2026?   michael.stapelberg.ch/pos... · Posted by u/secure
edu4rdshl · a month ago
It's fun how most of the complaints are like "it works fine on Gnome but I will still blame Wayland because my tiling WM doesn't support it". So maybe try using a proper Wayland implementation

The Chrome crashes when resizing a window doesn't make any sense, apart from being a WM fault. The Xwayland scaling, again, has native scaling support on Gnome. Same for the monitor resolution problem (which he acknowledged). Same for font rendering. Idk.

secure · a month ago
GNOME’s “proper wayland implementation” also does not work with my monitor, as I explained in the article:

> By the way, when I mentioned that GNOME successfully configures the native resolution, that doesn’t mean the monitor is usable with GNOME! While GNOME supports tiled displays, the updates of individual tiles are not synchronized, so you see heavy tearing in the middle of the screen, much worse than anything I have ever observed under X11. GNOME/mutter merge request !4822 should hopefully address this.

secure commented on Can I start using Wayland in 2026?   michael.stapelberg.ch/pos... · Posted by u/secure
jeffbee · a month ago
The way this article styles the name of the GPU company "nVidia" is really distracting! The company has always referred to itself in all capitals, as in NVIDIA, and only their logos have stylized a lowercase initial n, which leads to perhaps nVIDIA if you want, or nᴠɪᴅɪᴀ for those with skills or, for normal people, just nvidia. But "nVidia" is a mixture of mistakes.
secure · a month ago
No, the company has not always referred to itself in all capitals.

https://forums.tomshardware.com/threads/nvidias-name-change....

When I got to know their products, they were nVidia.

secure commented on Can I start using Wayland in 2026?   michael.stapelberg.ch/pos... · Posted by u/secure
diath · a month ago
> But rather quickly, after moving and resizing browser windows, the GPU process dies with messages like the following and, for example, WebGL is no longer hardware accelerated:

Is this specific to the WM he used or does HW acceleration straight up not work in browsers under Wayland? That to me seems like a complete deal breaker.

secure · a month ago
Probably not specific to Sway, but specific to the nVidia driver.
secure commented on Can I start using Wayland in 2026?   michael.stapelberg.ch/pos... · Posted by u/secure
dotancohen · a month ago
That's easy to say in hindsight. It is only with the specific failures of Wayland that we see which lessons it could have learned from X11.
secure · a month ago
No, the lesson of “separate display server from window manager” was very clear when Wayland was started. People have been discussing this over the years ever since. (See also “client-side decorations” for another part of this issue that was heavily discussed.)
secure commented on Can I start using Wayland in 2026?   michael.stapelberg.ch/pos... · Posted by u/secure
przmk · a month ago
I would venture to say that there is little overlap between X11 users and people with high-DPI screens.
secure · a month ago
I’ve been using X11 with high-DPI screens since 2013, but with integer scaling (200% or 300%), never fractional scaling.

u/secure

Karma: 5250 · Cake day: July 12, 2011