How I would recommend to host coding agents is:
1. Have something granular in detail but simple (e.g. like Landstrip or Anthropic's own sandbox runtime). This is for protecting files in your home directory for the most part.
2. Wrap that with a container with a disposable rootfs and passwordless sudo. This protects the system from damage that you statiscally will get when being ignorant. The statistics are not on your side in this over long period of time.
For the latter, using Google's gVisor is overall great and secure option. I made a example/reference of this container setup: https://github.com/puavo-org/container-agent
1. Have something granular in detail but simple (e.g. like Landstrip or Anthropic's own sandbox runtime). This is for protecting files in your home directory for the most part.
2. Wrap that with a container with a disposable rootfs and passwordless sudo. This protects the system from damage that you statiscally will get when being ignorant. The statistics are not on your side in this over long period of time.
For the latter, using Google's gVisor is overall great and secure option. I made a example/reference of this container setup: https://github.com/puavo-org/container-agent
0
0
1
Jarkko Sakkinen
jarkko
Landstrip 0.3.0 now fully implements Anthropic's file system policy with Landlock rules, and most of the network policy with Landock network rules and a simple seccomp broker that processes bind() and connect() system calls.
The only feature that is missing is allow and deny lists for domains.
I wanted to see where Landlock scales also in order to consider whether root namespace kernel patch set makes sense or not.
https://crates.io/crates/landstrip/
I already was a bit skeptic about rootns in Februrary but agent-as-an-adversary scenarios require more airtight security. It's not the smartness, which is worrying, it's the reaction time to the environment. Races cannot exist.
The only feature that is missing is allow and deny lists for domains.
I wanted to see where Landlock scales also in order to consider whether root namespace kernel patch set makes sense or not.
https://crates.io/crates/landstrip/
I already was a bit skeptic about rootns in Februrary but agent-as-an-adversary scenarios require more airtight security. It's not the smartness, which is worrying, it's the reaction time to the environment. Races cannot exist.
1
0
0
Jarkko Sakkinen
jarkko
Edited 17 days ago
Building GNOME was already hard but creating installer is exceptionally hard :-) And to make sure vanilla state with the build, each trial requires 2h of wait.
I use Python and https://textual.textualize.io/, which I found and seems to do its job.
Installation works like that the live version copies its live bootc image to the target system i.e., it literally duplicates. Based on composefs and ostree.
For hardware capabilities I have detection and capabilty tags consumed by k3s, which uses them to configure Helm threads correctly. It gives quite robust and easy way to run local vLLM payloads without extra configuration.
I have both discrete and unified memory hardware available to make sure things are not overall wrong. I have enabled e.g., also NVLink and ConnectX but all of this is untested given lack of gear basically.
Relevant repositories for this Buildroot fork (technically not, it's in-fact br2-external) will eventually be:
1. https://codeberg.org/puu/puu
2. https://quay.io/puu/puu
Really don't know yet when as this last 1% takes its time :-) Puu literally can turn a gaming PC a dedicated local LLM appliance with gotcha that it uses "dedicated/appliance" approach. I think it is important to make things better and less harmful. This is from my side more like harm reduction than promoting the technology itself.
I use Python and https://textual.textualize.io/, which I found and seems to do its job.
Installation works like that the live version copies its live bootc image to the target system i.e., it literally duplicates. Based on composefs and ostree.
For hardware capabilities I have detection and capabilty tags consumed by k3s, which uses them to configure Helm threads correctly. It gives quite robust and easy way to run local vLLM payloads without extra configuration.
I have both discrete and unified memory hardware available to make sure things are not overall wrong. I have enabled e.g., also NVLink and ConnectX but all of this is untested given lack of gear basically.
Relevant repositories for this Buildroot fork (technically not, it's in-fact br2-external) will eventually be:
1. https://codeberg.org/puu/puu
2. https://quay.io/puu/puu
Really don't know yet when as this last 1% takes its time :-) Puu literally can turn a gaming PC a dedicated local LLM appliance with gotcha that it uses "dedicated/appliance" approach. I think it is important to make things better and less harmful. This is from my side more like harm reduction than promoting the technology itself.
1
0
0
Jarkko Sakkinen
jarkko
Edited 17 days ago
The DGX Spark that I have in my use to develop an operating system (my employers property) has raised value circa ~1000 since purchase.
0
0
1
Jarkko Sakkinen
jarkko
Edited 17 days ago
Free or overly subsidized subscriptions means always some way of sucking value from the customers.
This is has how world has always worked, and I have doubts that anything would have changed.
This is why I e.g., pay money for my email account.
This is has how world has always worked, and I have doubts that anything would have changed.
This is why I e.g., pay money for my email account.
1
0
2
Jarkko Sakkinen
jarkko
I have to say that the thing that Arjan vibecoded appeals me: https://github.com/fenrus75/turbostar2
It also shows the difference of someone actually having the deep understanding of software and hardware using these tools :-) I don't have to browse many files to see that the code has nice and lean structure, and feels right overall.
It also shows the difference of someone actually having the deep understanding of software and hardware using these tools :-) I don't have to browse many files to see that the code has nice and lean structure, and feels right overall.
0
0
2
Jarkko Sakkinen
jarkko
This version of reality is like inverse version of the movie "The Revenge of the Nerds"
0
0
2
Jarkko Sakkinen
jarkko
It's good to remind that markdown skills etc. are already being applied as attack vectors. They are the new macro virus.
0
0
1
Jarkko Sakkinen
jarkko
Goose and Gstack are the technological innovations from which I remember 2026.
0
0
1
@oleksandr @vbabka and the year of middle managers on psychosis who think that there is actually someone "on the other side", robocalypse and whatnot.
0
0
1
Jarkko Sakkinen
jarkko
@oleksandr @vbabka This year I'm worried to publish anything at all as it is the year of slop copies not new amaziing software done with AI :-) This is what I'm seeing at least.
1
0
1
Jarkko Sakkinen
jarkko
@vbabka It's actually somewhat stable :-) It's built on top of syntax tree macros, so that crate's Rust code itself reads almost like a spec and there's very small surface of code that needs to be changed if architecture is reconsidered.
Test harness is basically live capture dumps that I collect as bugs show themselves but it works incredibly.
Test harness is basically live capture dumps that I collect as bugs show themselves but it works incredibly.
0
0
1
Jarkko Sakkinen
jarkko
Refurbished zerocopy code from Fall and rebased it on top of tpm2-protocol main branch.
https://docs.rs/tpm2-protocol/0.17.0/tpm2_protocol/
I.e. 0.17.0 casts in-wire data instead parsing.
Rest of the related components are still using previous version of the crate (and will likely be for while).
It's the single best crate available to process TPM2 protocol data.
https://docs.rs/tpm2-protocol/0.17.0/tpm2_protocol/
I.e. 0.17.0 casts in-wire data instead parsing.
Rest of the related components are still using previous version of the crate (and will likely be for while).
It's the single best crate available to process TPM2 protocol data.
1
0
0
Jarkko Sakkinen
jarkko
Edited 18 days ago
There's now partial network sandboxing with a combination of Landlock rules and seccomp notify.
The irony is that I don't even have Claude Code installed. I had an account early Spring, which I asked my employer to remove later during Spring because, other reasons aside, I don't fully trust the company providing this great service. If something is way below the market price, that alone should rise suspicions, or at least it does for me.
As per sandbox, I just made the logical conclusion that it is best to pick the widest spread. And also make Landstrip "repeal and replace fit" to Anthropic's sandbox is one of the goals.
2027 is the year when there's no text to scan and further it is already feedback loop. Scanning images and videos is sort of like multiplying everything collected and required compute with an astronomical number. That year is like the expiration date of frontier LLMs in a way.
The irony is that I don't even have Claude Code installed. I had an account early Spring, which I asked my employer to remove later during Spring because, other reasons aside, I don't fully trust the company providing this great service. If something is way below the market price, that alone should rise suspicions, or at least it does for me.
As per sandbox, I just made the logical conclusion that it is best to pick the widest spread. And also make Landstrip "repeal and replace fit" to Anthropic's sandbox is one of the goals.
2027 is the year when there's no text to scan and further it is already feedback loop. Scanning images and videos is sort of like multiplying everything collected and required compute with an astronomical number. That year is like the expiration date of frontier LLMs in a way.
0
0
1