Comment by digiown

7 days ago

Imo I don't trust ANY of these tools to run in non-isolated environments.

All of these tools are either

- created by companies powered by VC money that never face consequences for mishandling your data

- community vibecoded with questionable security practices

These tools also need to have a substantial amount of access to be useful so it is really hard to secure even if you try. Constantly prompting for approval leads to alert fatigue and eventually a mistake leading to exfiltration.

I suggest just stick to LXC or VM. Desktop (including linux) userland security is just bad in general. I try to keep most random code I download for one off tasks to containers.

4 comments

digiown

indigodaddy 6 days ago

I'm trying to put together an exe.dev-like self hosted solution using Incus/LXC. Early days but works as a proof of concept:

https://github.com/jgbrwn/shelley-lxc

JeremyNT 6 days ago
Incus is great for this use case, I did something similar. I volume mount specific stuff into the guests and let OpenCode loose with all tools enabled.
I used OpenCode to vibe code the shell script I use to manage it.
I actually use VMs rather than LXC, which makes it easier to run e.g. docker.
- indigodaddy 6 days ago
  
  Very cool. I think docker also runs fine inside of LXC, but haven't experimented too much with that specifically yet.
  
  1 reply →