Hacker News
by kstenerud 74 days ago
It actually runs git (with hooks disabled) to generate the diff. It happens on the host when using copy mode, and inside the sandbox when using overlay mode.

The above example doesn't specify workdir mounting mode, so it would be copy, not overlay.


If it runs inside the sandbox and the guest is compromised, can't the guest just lie?
Absolutely. That's why overlay is not the default.
That's... uh, an interesting approach to security.
What is? Defaulting to the most secure method?
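The thread above turns on who controls the files git reads. Even in copy mode, where the diff is produced on the host, the working tree being diffed was written by the guest, and a hostile guest can plant more than hooks in it. The script below is an added illustration, not code from the sandbox tool under discussion: it builds a throwaway repo with a constructed change, a planted `post-index-change` hook and a planted `diff.external` entry in `.git/config`, then compares a naive snapshot against a hardened one that disables hooks with `core.hooksPath=/dev/null` and ignores the repo's external-diff setting with `--no-ext-diff`. It assumes only that `git` (2.21 or newer, for the `post-index-change` hook) is on `PATH`; the repo, identity and marker scripts are all constructed here.

```shell
#!/bin/sh
# Added example, not the sandbox tool's own code. Demonstrates that
# "run git with hooks disabled" is necessary but not sufficient when the
# working tree (including .git/) may have been written by a compromised
# guest: hooks are one execution vector, repo-local config is another.
# Assumes git >= 2.21 on PATH. Everything below is constructed.

set -eu

# Build a throwaway repo simulating a tampered workdir: one legitimate
# change plus two attacker-planted execution points, each of which drops
# a marker file if git ever runs it. Prints the repo path.
make_tampered_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email sandbox@example.invalid   # constructed identity
    git -C "$dir" config user.name sandbox
    printf 'hello\n' > "$dir/file.txt"
    git -C "$dir" add file.txt
    git -C "$dir" commit -q -m base
    printf 'hello\nworld\n' > "$dir/file.txt"        # the legitimate change

    # Planted hook: git runs it whenever it writes the index (e.g. `git add`).
    mkdir -p "$dir/.git/hooks"
    printf '#!/bin/sh\ntouch "%s/HOOK_RAN"\n' "$dir" > "$dir/.git/hooks/post-index-change"
    chmod +x "$dir/.git/hooks/post-index-change"

    # Planted repo-local config: `git diff` execs this instead of its
    # built-in diff unless told not to.
    printf '#!/bin/sh\ntouch "%s/EXTDIFF_RAN"\n' "$dir" > "$dir/.git/extdiff.sh"
    chmod +x "$dir/.git/extdiff.sh"
    git -C "$dir" config diff.external "$dir/.git/extdiff.sh"

    printf '%s\n' "$dir"
}

# Naive snapshot: stage everything, diff the index against HEAD.
# Both planted execution points fire.
naive_diff() {
    git -C "$1" add -A
    git -C "$1" diff --cached HEAD
}

# Hardened snapshot of the same tree with no repo-controlled code run:
#  - core.hooksPath=/dev/null : no hook directory, so no hook can execute
#  - --no-ext-diff            : ignore diff.external from .git/config
#  - --no-pager               : never hand output to a repo-chosen core.pager
# Staging mutates the index, which is acceptable on a scratch copy.
hardened_diff() {
    git -C "$1" -c core.hooksPath=/dev/null add -A
    git -C "$1" -c core.hooksPath=/dev/null --no-pager \
        diff --no-ext-diff --cached HEAD
}

# Stand-alone run: show the two behaviours side by side.
if [ "${0##*/}" = "untrusted_diff.sh" ]; then
    r=$(make_tampered_repo); naive_diff "$r" >/dev/null
    ls "$r"/*_RAN 2>/dev/null || true       # naive: HOOK_RAN and EXTDIFF_RAN
    h=$(make_tampered_repo); hardened_diff "$h"
    ls "$h"/*_RAN 2>/dev/null || true       # hardened: nothing
fi
```

Two keys the example does not neutralise, because they are consulted by other git operations, are `core.fsmonitor` and `core.sshCommand`, which `.git/config` can also set to arbitrary commands. A host-side diff of guest-written files should therefore either strip `.git/config` (and `.git/hooks`) before invoking git, or diff against a host-owned clone rather than trusting the guest's metadata directory at all.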