it's a lot nicer word than AI at least :-) such a horrible combination to pronounce in any language.

i'd replace the word AI with Goose if I had such power to decide 100%
LamborghiniGPT

Jarkko Sakkinen

AI has a shitcoin brand. "expensive" and "AI" never fit together. All the culture, most of "industry" etc. are like ... nobody respects that shit, nobody. There's zero appeal because there really isn't anything exclusive, or anything with value.

This is the cost-investment problem with the whole crap and why so much money is going to be lost. It's fun to build these sandboxes and tackle the problem but the whole situation is so stupid :-D it's not that far away from what Zuckerberg got out of VR (VR **** industry). Yeah, and the same vibe too... I mean think about X...
And the only productivity it has brought to me is productivity in solving the problem that we have this technology - it all circulates

Jarkko Sakkinen

People who can actually write code are coming back in fashion as tokens get more expensive. Even when applying AI, the maximum efficiency can be only reached with great human engineers who know how to write some awesome code that makes miracles :-)

This was just a "middle-managers strike back" episode. Looks better than yesterday.

Jarkko Sakkinen

o-kay #goose

Jarkko Sakkinen

Edited 6 days ago
goosedump can show, compact, grep and rank conversations with appropriate categorizations.

it's a forensics tool but can also be used as a compactor in place of an LLM-based compactor.

scavenges opencode, pi, goose and crush atm. i have neither claude code nor codex, thus no support for them, but happy to acquire backends for them.
@jmorris With coding agents, we're in a situation where we have badly behaving processes by design. So they need sandboxing, but it is at the level of preventing them going "over the top". I.e. a different scenario where you have an actor that proactively tries to exploit your system :-) What I'm trying to do is to get a single binary that can address that level of brickwalls for agents, with a cross-OS compatible policy - not to be the "IMAX prison".

To make something meaningful I thought that being Anthropic policy format driven but with a more serious sandbox implementation is a pretty good way to move forward on hardening this ecosystem.
@zygoon Yeah so how you actually should wrap these coding agent bastards is with at least two layers.

1. Within the agent, a working tool sandboxing implementation (Claude Code has a broken one).
2. Wrap the environment into a container or VM with disposable rootfs.

Most people will never implement 2 :-) It does not play with AI psychosis in yolo mode but yeah that is the safe play.

Google's gVisor (runsc) is a great option for wrap 2 when used together with Docker or Podman.

Jarkko Sakkinen

Edited 7 days ago
@zygoon And while I don't like Anthropic at all, I thought its JSON policy is useful as a base for tool-level sandboxing. It's the most widespread format that people most likely can cope with. Much better for adaptation than making my own perfect security policy format :-) And it gives limitations so that the project does not blow out of proportion.
@zygoon Yeah I use FFI in Rust to access those API calls in macOS :-)
@zygoon yeah and for a sandbox like Landstrip it is the best size-fit with macOS's Seatbelt and Win32 AppContainer profiles. I.e., the same policy can be mapped, in the ballpark, to the same restrictions.
@zygoon My use case more generically, outside of AI slop:

1. You have a program, let's say a file manager.
2. It has external commands.
3. You might give each a different permission to do shit.
4. Landlock is perfect for wrapping that external command run into a sandbox on the fly.
@zygoon One thing that is sort of "racy" but I find it more like a security property is that I do a recursive sweep to address the "deny list" policy. When Landlock activates, obviously anything done to the subtree outside of the scan will not be reflected, and that is great.

As far as AppArmor goes I don't really see the benefit of using Landlock as a system MAC. For my use case it is the easiest tool available, AppArmor is much better for what AppArmor does.

So for that use case, no, it's not a great choice :-)
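
Landlock rules only grant access, so a deny list has to be turned into allow rules by walking the tree, which is the recursive sweep the post above describes. The Rust program below is an added example, not Landstrip's code: the names `sweep`, `covered` and `demo` and the directory tree are constructed, and it only computes the paths that would receive allow rules without calling Landlock. It shows the snapshot effect: a file created later in a directory that had to be split around a denied path is covered by no rule.

```rust
use std::{env, fs, io, path::{Path, PathBuf}, process};

// Collect the paths that would each get one Landlock allow rule under `root`.
// A path in `deny`, or below one, gets no rule; a directory above a denied
// path is split into its entries as they exist at scan time.
fn sweep(root: &Path, deny: &[PathBuf], allow: &mut Vec<PathBuf>) -> io::Result<()> {
    if deny.iter().any(|d| root.starts_with(d)) {
        return Ok(()); // denied: stays without a rule
    }
    let above_denied = deny.iter().any(|d| d.starts_with(root));
    // symlink_metadata: never follow a symlink out of the tree being scanned.
    if !above_denied || !fs::symlink_metadata(root)?.is_dir() {
        allow.push(root.to_path_buf()); // one rule covers the whole subtree
        return Ok(());
    }
    let mut entries = fs::read_dir(root)?
        .map(|e| e.map(|e| e.path()))
        .collect::<io::Result<Vec<_>>>()?;
    entries.sort();
    for entry in entries {
        sweep(&entry, deny, allow)?;
    }
    Ok(())
}

// True if some allow rule covers `path` (the rule's path is a prefix of it).
fn covered(allow: &[PathBuf], path: &Path) -> bool {
    allow.iter().any(|a| path.starts_with(a))
}

// Constructed tree: docs/, project/src/main.rs, project/.env (denied).
fn demo() -> io::Result<(Vec<PathBuf>, bool, bool)> {
    let root = env::temp_dir().join(format!("sweep-demo-{}", process::id()));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir_all(root.join("docs"))?;
    fs::create_dir_all(root.join("project/src"))?;
    fs::write(root.join("project/src/main.rs"), "fn main() {}")?;
    fs::write(root.join("project/.env"), "TOKEN=constructed")?;
    let mut allow = Vec::new();
    sweep(&root, &[root.join("project/.env")], &mut allow)?;
    // Created after the scan: one inside an allowed subtree, one in a split dir.
    fs::write(root.join("project/src/new.rs"), "")?;
    fs::write(root.join("project/late.txt"), "")?;
    let in_src = covered(&allow, &root.join("project/src/new.rs"));
    let late = covered(&allow, &root.join("project/late.txt"));
    let rel: Vec<PathBuf> = allow.iter().map(|p| p.strip_prefix(&root).unwrap().to_path_buf()).collect();
    fs::remove_dir_all(&root)?;
    Ok((rel, in_src, late))
}

fn main() -> io::Result<()> { println!("{:?}", demo()?); Ok(()) }
```
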
@zygoon It fits my use case at least, as far as I can tell. And I understand what it is doing in my code too (which is becoming more rare) :-) Nothing is great in the void ... i.e., must be relative to a use case.
@zygoon I don't really know where to balance that question.

Jarkko Sakkinen

pi-landstrip sandboxes per tool command making it possible to re-evaluate Landlock policy also in that granularity. This allows permission dialogs, which are quite useful :-)

I find this tool command concept and related sandboxing a good one, and would use it outside of this context e.g., to limit external commands in email application or file manager.

And despite inheriting from such an unorthodox reality, Landstrip itself is just a polished sandboxing tool with real and relevant use cases.

Jarkko Sakkinen

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?h=for-next-keys&id=9feb0bb3468e863b2b82a2eabfaeec4c7c44b90c

I had issues with checkpatch until I realized that it does not like headings to have "---". Makes sense but had not experienced before :-) i guess I've used "===" in the past.