And if a machine is already exploited, it's too late to do just that. You need to rebuild the whole disk image because anything on it could be compromised.

Their website also added this page since I posted that comment: https://web.archive.org/web/20260411112604/https://tboteproj... where they claim their website is under "surveillance" because it got a few thousand requests from Google Cloud et al, most of them to a single page. This shows how low their standards are.

What do you mean by that? They can't possibly stop using Linux/Kubernetes/Chrome (including Edge)/almost all programming languages/nginx/...

I ran the exploit in rootless Podman, and predictably it doesn't escape the container.

They also claim their script "roots every Linux distribution shipped since 2017.", but only tested four; and it doesn't work on Alpine

WASM isn't a magic bullet for sandboxing. CI environments assume a full Linux. So you need to either ran a VM (with the attack surface that implies) or a write an x86 emulator in WASM (which would be very slow).

You also need anti-abuse to stop bitcoin miners from using your system. GitHub probably have full-time employees working on it.

> Like bitcoin mining, there could be some competition between 3 parallel builds to pick the winner if the output is the same.

It's a lot more complicated because many builds are not deterministic, you need to store artefacts, build secrets, etc.

Companies like golem.network or iex.ec have been working on this problem for a decade and they are still not easy to use.

It doesn't look like this app can generate "justificatifs de domicile", only substitutes for an identity card or passport.

> Why do the put three stats about trains on your linked page?!

I was wondering about that too