| ▲ | jcheng 8 hours ago | |
For that purpose I think most people are using bubblewrap or seatbelt/sandbox-exec with CPython. | ||
| ▲ | westurner 3 hours ago | parent [-] | |
From https://news.ycombinator.com/item?id=47171887 re: [agent] sandboxing : pydantic/monty, vercel-labs/just-bash, amla sandbox, csl-core, microsandbox, workerd, wasmtime-mte containers/bubblewrap: https://github.com/containers/bubblewrap#sandboxing The bubblewrap readme mentions containers as binaries with binctr; I guess without overlayfs or other file-level re-deduplication due to the container fs in the binary. Perhaps similarly, also TIL UKI are easier for UEFI Secure Boot to check signatures on than (kernel, initrd) pairs | ||