
Thread: Fly's Sprites.dev addresses dev environment sandboxes and API sandboxes together

1. vivzke+uo 2026-01-10 03:57:03
>>simonw+(OP)
As a guy who is not in the loop with all these sandbox developments, I apologize for this extremely stupid question. Why do we need any of these sandboxes? Why can't we use Docker? I thought it was a solved problem 10 years ago?

2. m-hodg+3q1 2026-01-10 15:34:08
>>vivzke+uo
See: A field guide to sandboxes for AI¹ on the threat models.

> I want to be direct: containers are not a sufficient security boundary for hostile code. They can be hardened, and that matters. But they still share the host kernel. The failure modes I see most often are misconfiguration and kernel/runtime bugs — plus a third one that shows up in AI systems: policy leakage.

¹ https://www.luiscardoso.dev/blog/sandboxes-for-ai
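The quoted guide names misconfiguration as the container failure mode seen most often. The script below is an added example (not from this thread or from the linked post) of what a defender can check for that failure mode: it audits the `HostConfig` section of `docker inspect` output for privileged mode, host namespaces, added capabilities, disabled seccomp/AppArmor profiles and sensitive host paths mounted into the container. The two inspect documents are constructed samples in the shape of real `docker inspect` JSON (the field names `Privileged`, `PidMode`, `CapAdd`, `SecurityOpt` and `Binds` are real), one weak and one hardened. A clean result from this audit says nothing about the other failure mode the quote lists, kernel and runtime bugs, because the container still shares the host kernel either way.

```python
"""Audit `docker inspect` output for container misconfigurations.

Added example, not code from the thread or the linked guide.  The input
shape mirrors the HostConfig block that `docker inspect <container>`
emits; the two sample documents below are constructed for illustration.
"""
import json

# Constructed sample: a weakly configured container of the kind an
# agent runner might be launched as by accident.
WEAK_INSPECT = json.dumps([{
    "Name": "/agent-runner",
    "HostConfig": {
        "Privileged": True,
        "PidMode": "host",
        "NetworkMode": "bridge",
        "CapAdd": ["SYS_ADMIN", "NET_RAW"],
        "SecurityOpt": ["seccomp=unconfined"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                  "/srv/data:/data:ro"],
    },
}])

# Constructed sample: the same workload with the usual hardening applied.
HARDENED_INSPECT = json.dumps([{
    "Name": "/agent-runner-hardened",
    "HostConfig": {
        "Privileged": False,
        "PidMode": "",
        "NetworkMode": "none",
        "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges", "seccomp=default.json"],
        "ReadonlyRootfs": True,
        "Binds": ["/srv/data:/data:ro"],
    },
}])

# Capabilities that, once added, weaken or bypass the container boundary.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH",
              "NET_ADMIN"}
# Host paths whose bind-mount hands the container control over the host.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/proc", "/sys", "/dev")


def _is_sensitive_host_path(src: str) -> bool:
    """True if a bind-mount source is the host root or a sensitive subtree."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(inspect_json: str) -> list[str]:
    """Return one finding string per misconfiguration; [] means none found."""
    findings: list[str] = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?")
        hc = c.get("HostConfig", {})
        if hc.get("Privileged"):
            findings.append(f"{name}: Privileged=true (all caps, all devices)")
        for ns in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
            if hc.get(ns) == "host":
                findings.append(f"{name}: {ns}=host shares a host namespace")
        for cap in hc.get("CapAdd") or []:
            if cap.upper().removeprefix("CAP_") in RISKY_CAPS:
                findings.append(f"{name}: CapAdd {cap}")
        for opt in hc.get("SecurityOpt") or []:
            if opt in ("seccomp=unconfined", "apparmor=unconfined"):
                findings.append(f"{name}: {opt} disables a syscall/MAC filter")
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]
            if _is_sensitive_host_path(src):
                findings.append(f"{name}: host path {src} mounted into container")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        print(f"== {label} ==")
        for f in audit_container(doc) or ["no findings"]:
            print("  " + f)
```

Run it against real output with `docker inspect <container> | python3 audit.py` adapted to read stdin; the weak sample yields five findings and the hardened one none. Checks like these belong in CI or an admission hook so a risky `HostConfig` is rejected before the container starts, not discovered afterwards.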
