Hacker Newsnew | past | comments | ask | show | jobs | submit | simonw's commentslogin

I'm mainly addressing sandboxing by running stuff in Claude Code for web, at which point it's Anthropic's problem if they have a sandbox leak, not mine.

It helps that most of my projects are open source so I don't need to worry about prompt injection code stealing vulnerabilities. That way the worst that can happen would be an attack adding a vulnerability to my code that I don't spot when I review the PR.

And turning off outbound networking should protect against code stealing too... but I allow access to everything because I don't need to worry about code stealing and that way Claude can install things and run benchmarks and generally do all sorts of other useful bits and pieces.


hey fren, try this: https://github.com/smol-machines/smolvm

I already have a couple folks using it for claude: https://github.com/smol-machines/smolvm/discussions/3


If you could make your tool work with PVM that would be amazing

Tool is already configured with paravirtualization on the linux path

Unfortunately, the ecosystem and tooling is not there for macOS full paravirtualization yet


This is my favorite yet of the genre of "OK, coding agents got good in November" posts. It starts with relatively simple examples (YouTube metadata scraping) and by the end Max is rewriting Python's skikit-learn framework in Rust and making it way faster.

I disagree with this section about WebAssembly:

> But the practical limitation is language support. You cannot run arbitrary Python scripts in WASM today without compiling the Python interpreter itself to WASM along with all its C extensions. For sandboxing arbitrary code in arbitrary languages, WASM is not yet viable.

There are several versions of the Python interpreter that are compiled to WASM already - Pyodide has one, and WASM is a "Tier 2" supported target for CPython: https://peps.python.org/pep-0011/#tier-2 - unofficial builds here: https://github.com/brettcannon/cpython-wasi-build/releases

Likewise I've experimented with running various JavaScript interpreters compiled to WASM, the most popular of those is probably QuickJS. Here's one of my many demos: https://tools.simonwillison.net/quickjs (I have one for MicroQuickJS too https://tools.simonwillison.net/microquickjs )

So don't rule out WASM as a target for running non-compiled languages, it can work pretty well!


Can you clarify what your disagreement is? The statement you're responding to seems to be that you can't necessarily run arbitrary code in arbitrary languages because it's only possible if the runtime is supported, and you're giving examples of two specific languages that had explicit extra work done to support them, which sounds pretty much exactly like what they're stating.

From what I can tell, the point they're making is that if you want a sandbox that you can put whatever you want into and have it work without it having explicit support provided for that language in the form of recompiling the runtime, it's not going to work. If someone is expecting to be able to throw stuff they already have into a sandbox as-is and have it work, WASM is not what they're looking for (at least not today).


I also disagree with that.

Wasmer can run now Python server-side without any restrictions (including gevent, SQLAlchemy and native modules!) [1] [2]

Also, cool things are coming on the JS land running on Wasmer :)

[1] https://wasmer.io/posts/greenlet-support-python-wasm

[2] https://wasmer.io/posts/python-on-the-edge-powered-by-webass...


Is the support for Python code provided as a Rust library by any chance, where you could do something like pass in a simple python function, run it in wasmer, and then get back the result? I know a lot of complications would come into play around supporting C-based dependencies and support for the WASM APIs for stuff like I/O, but I recently was looking into this for a use case where the goal is to be able to prevent stuff like direct use of I/O in favor of only supporting a few specific APIs provided directly to a WASM engine for the code it's executing, and the conclusion I reached was that the only viable options for that currently available would require either shelling out to something external or manually loading in a WASM-compiled interpreter and implementing the glue code to use that to execute Python myself.

Not right now but we would love to provide it.

We have been super busy lately, but when we have a chance we will work on it!


Without any restrictions except, well, performance, and still a fair amount of library choices. It’s just easier to use Go (TinyGo, actually) instead.

Wasmer looks v cool. I must check it out

That is a good call out and I missed to consider the options you pointed. When I am back on keyboard I will add an updated note with a link to your comment. Thank you!

That's from this comment here: https://github.com/tldraw/tldraw/issues/8082#issuecomment-39...

Well that's embarrassing! I reported it as if it wasn't a joke. I thought the joke issue was this one about translating everything to Chinese: https://github.com/tldraw/tldraw/issues/8092


If it was a joke (the test suite issue), then it was a really shit joke. It reads more like backtracking, I don't think _you_ should feel any embarrassment.

The gag started on Twitter after Cloudflare vibe coded a nextjs replacement clone.

If you know that context and the tweet I feel this is more obvious that it is a joke.

Just because you didn't get the joke, does not make it a really shit joke. The funniest jokes rely on context.


Sorry Simon, I honestly didn't expect this to be posted anywhere https://x.com/just_be_dev/status/2026419663505072195

happens to the best of us. these days, we need to double and triple check everything before we react.

AI does have positive contributions to society after all.

Did any of the blockchain initiatives ever go anywhere? I understood that's why they renamed the company to Block, but did that end up a similar rebrand to Facebook -> Meta?

They are heavily invested in Bitcoin and still offer and improve their Bitcoin services. It’s not really “blockchain.” They’re not a crypto company. They are ideologically dedicated to Bitcoin.

I don't think so. I know a couple people that worked in TBD (the bitcoin org) and everyone said it was directionless. Eventually the CTO ~abandoned that org and took on that Goose AI project.

The bought $170m of bitcoin at $50k a pop when their stock was $250, now it’s $67k and their stock is $67 (in after hours trading), so I guess it went pretty far in that respect.

The only thing it served was to distract Jack from building real products.

A fun hobby I picked up during Covid was trying to cook food from countries I had never been to - since traveling anywhere wasn't an option.

Pick a country, research what food it has that you've never tried, find a few online recipes and YouTube guides and give it a go.

This was a ton of fun. I have no idea if anything I cooked was even remotely like the authentic original, but it was still a very rewarding exercise.

If you live somewhere with a lot of international supermarkets (the SF Bay Area is great for those) it also gives you an excuse for a shopping adventure for ingredients.

(My favorite recipe we tried with this was Doubles from Trinidad https://www.africanbites.com/doubles-chickpeas-sandwich/)


Yeah, doing a small thing daily can add up so fast.

When I started my niche-musueums.com website I bootstrapped it by posting a new museum I had been to every day for a month. It took 15-30 minutes a day and within a few weeks I had a site I was really proud of.

I think the key is to give yourself permission to stop without feeling guilty about it. Any time I start a new streak like this I deliberately tell myself that it's not going to be forever and I can stop any time for any reason.


I love your website! Your url has a typo, here's it fixed in the meantime https://www.niche-museums.com

The title of the linked article is "Vibe Coding and the Maker Movement" but the title on Hacker News is "Will vibe coding end like the maker movement?" - I think the original title should be restored.

updated the title of the linked article instead :)

Incompatibilities don't matter much provided your error messages are actionable - an LLM can hit a problem, read the error message and try again. They'll also remember that solution for the rest of that session.

I don't think the current incompatibilities can be worked around.

Also, huge waste of tokens. And the waste is not even worth it, the sandbox seems insufficient.

Again, good luck to the developers. I just don't think it's ready.


Performance of the tools doesn't really matter when you have a full LLM inference loop in between each tool call.

I still find it revolting they're writing this stuff in typescript.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: