alt Hacker NewsThat's why I wrote my own sandbox. Everyone hand waives these concerns.
Further, I don't know why docker is weak security on Linux. Are you telling me that one can exploit docker?
That's why I wrote my own sandbox. Everyone hand waives these concerns.
Further, I don't know why docker is weak security on Linux. Are you telling me that one can exploit docker?
dockerd is a massive root-privileged daemon just sitting there, waiting for its moment. For local dev it’s often just unnecessary attack surface - one subtle kernel bug or namespace flaw, and it’s "hello, container escape". bwrap is much more honest in that regard: it’s just a syscall with no background processes and zero required privileges. If an agent tries to break out, it has to hit the kernel head-on instead of hunting for holes in a bloated docker API