by overfeed 26 days ago
I'm more worried about my `~/.aws` and `~/.ssh` folders. People who use IDE-based AI tooling with IDEs that support dev-containers have no excuse for not leveraging dev containers, both for preventing agents from losing your data and defending against secrets-harvesting supply-chain attacks.

Using containers as a security boundary is inexcusable.

That entirely depends on one's threat-model. Also, containerization is 100x better than rawdogging.

> That entirely depends on one's threat-model

I think not; virtualization has such low overhead now that there's just no excuse. It's generally trivial to switch from containers to VMs.

It is excusable if all you care about is blocking sudo access while letting the AI use a pseudo sudo.

Could you elaborate on this?

The cost-benefit ratio of using VMs over containers is very high. You trade negligible overhead for an actual security boundary.

Containers don't provide good isolation and tend to be trivial to break out of.