Using bubblewrap to add sandboxing to NetBSD

https://blog.netbsd.org/tnf/entry/gsoc2025_bubblewrap_sandboxing
39•jaypatelani•4h ago

Comments

jmclnx•2h ago
Always nice to see NetBSD posts here, that nice OS gets hardly any press.
lovegrenoble•2h ago
bubblewrap popping )) https://brainteaser.top/bubblespop.html
aborsy•1h ago
I experimented with bubblewrap as a better alternative to firejail. Unfortunately, there are scripts for few applications. It’s a tool for developers. Users are better off with flatpaks powered by bubblewrap.
johnisgood•1h ago
I have been using firejail for a long time now. It seems to work well for me. At times I have to write my own profiles, yeah.
aborsy•41m ago
The situation with firejail is different. There are a lot of profiles, and they are easier to customize and write.

But firejail needs root privilege, so there are arguments that it may actually reduce the security, because even though it sandboxes some applications, non-privileged processes may gain privilege if there is a flaw in firejail itself.

Firejail is also criticized for complexity.

qwertox•14m ago
Bubblewrap is a really interesting project, really worth checking out.

https://github.com/containers/bubblewrap

It's the base for Flatpak, the thing that makes Flatpak be sandboxed.

I use it to run Claude Code / Codex / Gemini CLI, to make sure that they have a limited / fake view of my system.

You can bind directories into it, or overlay them into it, restrict other kinds of access.

If Docker is a thing in a scale between a VM and your OS, Bubblewrap is a thing in a scale between Docker and your OS. You use your OS, instead of installing and managing an OS like you do with Docker, but you get filesystem and process isolation like with Docker.

Though I had an issue where I cannot use `--new-session`, which is kind of dangerous to not use, but you can get around it if you use seccomp to block ioctl calls, and ptrace.
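
An added example (not from the comment above or from the bubblewrap project) of the kind of invocation it describes: a POSIX shell wrapper that gives a command-line tool an empty home directory, read-only system directories and a single writable project directory. The function names, the directory list and the policy are assumptions made for illustration; the `bwrap` options are real ones.

```shell
#!/bin/sh
# Added example. Function names, directory list and policy are assumptions.

# bwrap_args PROJECT_DIR [net|nonet]: print one bwrap argument per line.
# Nothing is executed, so the policy can be reviewed or tested first.
bwrap_args() {
    project=$1
    net=${2:-nonet}
    # Fresh namespaces; the sandbox dies together with its launcher.
    printf '%s\n' --unshare-all --die-with-parent
    if [ "$net" = net ]; then printf '%s\n' --share-net; fi
    # setsid(): detach from the controlling terminal so the sandboxed program
    # cannot inject input into it via the TIOCSTI ioctl. Without this flag,
    # bwrap's manual recommends a seccomp filter that denies that ioctl.
    printf '%s\n' --new-session
    # Read-only system directories, limited to those present on this host.
    for d in /usr /bin /sbin /lib /lib64 /etc; do
        if [ -e "$d" ]; then printf '%s\n' --ro-bind "$d" "$d"; fi
    done
    # Private /dev, /proc and /tmp; an empty tmpfs hides the real $HOME.
    printf '%s\n' --dev /dev --proc /proc --tmpfs /tmp --tmpfs "$HOME"
    # The only writable host path. It comes after the tmpfs so that a project
    # located under $HOME is still visible inside the sandbox.
    printf '%s\n' --bind "$project" "$project" --chdir "$project"
}

# run_sandboxed PROJECT_DIR net|nonet COMMAND [ARG...]
# Paths containing newlines are not supported by the line-based argument list.
run_sandboxed() {
    project=$1; net=$2; shift 2
    old_ifs=$IFS
    IFS='
'
    set -f
    # "$@" is expanded before set replaces it, so the command is preserved.
    set -- $(bwrap_args "$project" "$net") "$@"
    set +f
    IFS=$old_ifs
    bwrap "$@"
}
```

Calling `run_sandboxed "$PWD" net sh` starts a shell that sees only the project directory as writable; use `nonet` when the tool does not need network access.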

DeathArrow•11m ago
I would have loved to see something like OCI containers.
