
If you weren't aware, containers aren't a security boundary. Things like bubblewrap are.


Semantics make hard assertions about "containers" worthless. It depends on what one means by a container exactly, since Linux has no such concept and our ecosystem doesn't have a strict definition.


What do you think bubblewrap is, if not a container runtime?


bubblewrap is actually worse - there are known escapes in there that haven't been fixed for years


It is the most widely used sandbox layer for pretty much everything. What escapes are you talking about? Are we supposed to take your word for it? Come on


Wait. What? What escapes? Is it that bubblewrap does not faithfully implement the policy you give it, or that there are surprising gaps in the kernel's namespace isolation?





