<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: eperot</title><link>https://news.ycombinator.com/user?id=eperot</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 03 Jul 2026 06:42:53 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=eperot" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by eperot in "Reduce GVisor Cold Starts with GPU Snapshotting"]]></title><description><![CDATA[
<p>gVisor is open-source, and `cuda-checkpoint` is freely available.<p>gVisor's `runsc checkpoint` subcommand supports a `--save-restore-exec-argv` which lets you specify a program to execute before gVisor starts taking the process snapshot.<p>You can fill in the blanks from there.</p>
]]></description><pubDate>Wed, 01 Jul 2026 18:30:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=48751239</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=48751239</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48751239</guid></item><item><title><![CDATA[New comment by eperot in "Reduce GVisor Cold Starts with GPU Snapshotting"]]></title><description><![CDATA[
<p>Wrong headline order, right? Should read "Reduce GPU Cold Starts with gVisor Snapshotting".</p>
]]></description><pubDate>Wed, 01 Jul 2026 18:26:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48751186</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=48751186</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48751186</guid></item><item><title><![CDATA[New comment by eperot in "MicroVMs: Run isolated sandboxes with full lifecycle control"]]></title><description><![CDATA[
<p>Ah, I see the distinction. In my case, I was using the PulseAudio client+server with a network sink running in-sandbox, producing a set of audio samples that are then replayed by a PulseAudio client in the out-of-sandbox Rust application receiving these samples. Exposing the socket directly to the sandbox is dangerous, e.g. it would let the sandbox record the host's microphone directly.<p>My goal was for the sandbox to only have access to a single dumb playback sink and no other access by default, and to gate any further access (e.g. microphone access) in something the out-of-sandbox software can catch and ask the user about before it is granted to the sandbox.</p>
]]></description><pubDate>Mon, 29 Jun 2026 23:07:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=48726513</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=48726513</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48726513</guid></item><item><title><![CDATA[New comment by eperot in "MicroVMs: Run isolated sandboxes with full lifecycle control"]]></title><description><![CDATA[
<p>That's the approach I initially took, but experienced some combination of noticeable stuttering and latency regardless of which buffering strategy I tried... Had to switch to a shared memory ring buffer, along with some adaptive playback speed shenanigans (sometimes imperceptibly speeding up playback when falling behind production of audio samples, sometimes imperceptibly slowing down when there's less than a few milliseconds' worth of samples left in the ringbuffer), in order to achieve actually-gapless playback.</p>
]]></description><pubDate>Sat, 27 Jun 2026 00:11:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48693672</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=48693672</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48693672</guid></item><item><title><![CDATA[New comment by eperot in "MicroVMs: Run isolated sandboxes with full lifecycle control"]]></title><description><![CDATA[
<p>Thanks. We're working on rootless network setup to make `runsc do --rootless` work with networking enabled when `passt` is installed right now. See issue #13337 (yes that's a cool issue number) which should unblock this.<p>The tty issue is known, should be fixed soon too, though contributions welcome as it sounds like it should be a simple fix and we love more contributions :)<p>FWIW, X11 apps work well, I have a personal hacky project in which I've been running Librewolf in gVisor, with the window being reflected as a native Wayland window. It uses `Xvfb -fbdir` aimed at a bound tmpfs mount to get a shared memory region containing the window's pixel data which can be read directly from out of the sandbox, has PulseAudio audio passthrough, and a socket server passing through mouse/keyboard events to make the window interactive. Works smoothly even for YouTube playback, and I successfully played a game of Unreal Tournament 2004 at 24fps in it, with no noticeable mouse/keyboard latency :)
We're basically making baby steps to get there less hackily.<p>Thanks for the feedback!</p>
]]></description><pubDate>Fri, 26 Jun 2026 22:41:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48692923</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=48692923</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48692923</guid></item><item><title><![CDATA[New comment by eperot in "MicroVMs: Run isolated sandboxes with full lifecycle control"]]></title><description><![CDATA[
<p>Any reason why you wouldn't use gVisor's bwrap interface yet? We're working on it precisely to make DIY sandboxing on Linux as easy as possible in order to get Linux-sandboxing-at-home to mature beyond the current syscall-filter-and-namespaces duct tape stage, so I'm curious to know what you'd like to see.</p>
]]></description><pubDate>Fri, 26 Jun 2026 21:23:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=48692152</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=48692152</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48692152</guid></item><item><title><![CDATA[New comment by eperot in "Magi: Multi-Agent GVisor Isolation"]]></title><description><![CDATA[
<p>An overkill fully-local multi-agent setup with gVisor sandboxing.
Hope some folks here can appreciate the Evangelion vibes :)</p>
]]></description><pubDate>Wed, 15 Apr 2026 21:29:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=47785508</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=47785508</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47785508</guid></item><item><title><![CDATA[Magi: Multi-Agent GVisor Isolation]]></title><description><![CDATA[
<p>Article URL: <a href="https://gvisor.dev/blog/2026/04/15/magi-multi-agent-gvisor-isolation/">https://gvisor.dev/blog/2026/04/15/magi-multi-agent-gvisor-isolation/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47785501">https://news.ycombinator.com/item?id=47785501</a></p>
<p>Points: 7</p>
<p># Comments: 1</p>
]]></description><pubDate>Wed, 15 Apr 2026 21:29:08 +0000</pubDate><link>https://gvisor.dev/blog/2026/04/15/magi-multi-agent-gvisor-isolation/</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=47785501</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47785501</guid></item><item><title><![CDATA[New comment by eperot in "Computer use, a new Claude 3.5 Sonnet, and Claude 3.5 Haiku"]]></title><description><![CDATA[
<p>I have been [working on one](<a href="https://github.com/EtiennePerot/safe-code-execution">https://github.com/EtiennePerot/safe-code-execution</a>)! The library is in [src/safecode/sandbox.py](<a href="https://github.com/EtiennePerot/safe-code-execution/blob/master/src/safecode/sandbox.py">https://github.com/EtiennePerot/safe-code-execution/blob/mas...</a>).</p>
]]></description><pubDate>Thu, 24 Oct 2024 02:42:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=41931411</link><dc:creator>eperot</dc:creator><comments>https://news.ycombinator.com/item?id=41931411</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41931411</guid></item></channel></rss>