
> That seems a bit excessive to sandbox a command that really just downloads arbitrary code you are going to execute immediately afterwards anyways?

I won't execute that code directly on my machine. I will always execute it inside the Docker container. Why do you want to run commands like `vite` or `eslint` directly on your machine? Why do they need access to anything outside the current directory?



I get this but then in practice the only actually valuable stuff on my computer is... the code and data in my dev containers. Everything else I can download off the Internet for free at any time.


No.

Most valuable data on your system for a malware author is login cookies and saved auth tokens of various services.


Maybe keylogging for online services.

But it is true that work and personal machines have different threat vectors.


Yes, but I'm willing to bet most workers don't follow strict digital life hygiene and cross contaminate all the time.


You don't have any stored passwords? Any private keys in your `.ssh/`? DB credentials in some config files? And the list goes on and on.


I don't store passwords (that always struck me as defeating the purpose) and my SSH keys are encrypted.


This kind of mentality, and "seems a bit excessive to sandbox a command that really just downloads arbitrary code", is why the JS ecosystem is so prone to credential theft. It's actually insane to read stuff like that said out loud.


Right but the opposite mentality winds up putting so much of the eggs in the basket of the container that it defeats a lot of the purpose of the container.


It's weird that it's downvoted because this is the way


maybe I'm misunderstanding the "why run anything on my machine" part. is the container on the machine? isn't that running things on your machine?

is he just saying always run your code in a container?


> is the container on the machine?

> is he just saying always run your code in a container?

yes

> isn't that running things on your machine?

in this context where they're explicitly contrasted, it isn't running things "directly on my machine"


it annoys me that people fully automate things like type checkers and linting into post-commit hooks or, worse, outsource them entirely to CI.

Because it means the hygiene is thrown over the fence in a post-commit manner.

AI makes this worse because they also run them "over the fence".

However you run it, I want a human to hold accountability for the mainline committed code.


I run linters like eslint on my machine inside a container. This reduces attack surface.

How does this throw hygiene over the fence?
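The setup described in this comment and in the earlier one (run `eslint`, `vite` and friends in a container that sees only the current directory) can be made concrete with a small wrapper. The script below is an added example, not code from any commenter: it assumes the Docker CLI is on `PATH`, uses the `node:20-alpine` image, mounts the project at `/work` inside the container, and the function names `safe_to_mount` and `run_sandboxed` are mine. The container gets no network by default (enough for linting and building), a read-only root filesystem, no capabilities, your own UID so files it writes are not root-owned, and a refusal to mount your home directory root, which is where the `.ssh` keys, cookies and tokens mentioned upthread live.

```shell
#!/bin/sh
# sandbox_lint.sh: run a project's npm tooling in a throwaway container
# that can see only the project directory (added example, not from the thread).
# Assumptions: Docker CLI available, image node:20-alpine, project mounted at /work.
set -eu

# Refuse to mount paths that would expose the whole home directory
# (~/.ssh, browser profiles, saved auth tokens) or the filesystem root.
# Callers pass a canonical path, so "$HOME/proj/.." cannot sneak through.
safe_to_mount() {
  case "$1" in
    ""|/|"${HOME:-}"|"${HOME:-}/") return 1 ;;
  esac
  return 0
}

# run_sandboxed DIR CMD...: run CMD inside the container with DIR mounted at /work.
# SANDBOX_NET=bridge allows network (needed for `npm install`); default is none.
# DOCKER can be overridden (e.g. DOCKER=echo) to inspect the command line.
run_sandboxed() {
  dir=$(cd "$1" && pwd -P)   # canonicalize; fails if DIR does not exist
  shift
  if ! safe_to_mount "$dir"; then
    echo "refusing to mount $dir into the sandbox" >&2
    return 2
  fi
  "${DOCKER:-docker}" run --rm \
    --network "${SANDBOX_NET:-none}" \
    --read-only \
    --tmpfs /tmp \
    -e HOME=/tmp \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --pids-limit 256 \
    --user "$(id -u):$(id -g)" \
    --workdir /work \
    -v "$dir:/work" \
    "${SANDBOX_IMAGE:-node:20-alpine}" "$@"
}

# Only run when invoked with a command, e.g.:  ./sandbox_lint.sh npx eslint .
if [ $# -gt 0 ]; then
  run_sandboxed "$PWD" "$@"
fi
```

Note what this does and does not buy you: the package still has full write access to the project directory and can run its install scripts, so the container limits blast radius (no keys, no cookies, no network unless you opt in) rather than making the download safe. That is the trade-off the sibling thread is arguing about: the eggs that stay in the basket are exactly the project files, and everything outside it is what the sandbox is protecting.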


Yes, in a sibling reply I was able to better understand your comment to mean "run stuff on my machine in a container".
