Claude has a sandbox mode that uses bubblewrap to build a lightweight filesystem sandbox that only exposes the project directory: https://code.claude.com/docs/en/sandboxing
It's disabled by default though, and in general (especially with other agents) you very much still have to get out of your way to get any sort of reasonable access control indeed.
In principle though, just running the agent CLI in something like firejail would get you very far if you know what you're doing.
> NixOS is very impressive but the marketing around it feels misleading. The reproducible claim needs a giant asterisk due to link rot.
It's a valid concern, though perhaps worth mentioning you will be able to restore your 10-year old config as long as the files downloaded from now-broken links are still in the Nix cache. Of course in practice, this is only useful to large organizations that have resources to invest in bespoke infrastructure to ensure supply chain integrity, since any `nix store gc` run will immediately wipe all downloads :(
For me, it has been ready as a daily driver for more than a year. Battery life is shorter than macos but still long enough that I don't have to think about it (which I can't say about any x86 laptops, even when they use iGPUs).
The notable missing features are external displays (an experimental kernel branch is publicly available though) and the fingerprint sensor. That's about it, though. Given the amount of polish combined with the hardware, it's arguably the most polished Linux laptop experience you'll get.
> - the pandemic tracking app without which you can’t enter an airport
Not sure if airports specifically used another mechanism, but the Android contact tracing APIs were actually reimplemented in microG, allowing these apps to work even on custom roms.
Your other examples don't hold universally either (banking apps are compatible with un-rooted custom ROMs more often than not, and not sure how many sports event apps use integrity checks), but your general point stands that it may come with trade-offs.
Signal has profiles nowadays that can be used to connect with people without sharing phone numbers. The latter are only used for signup and discarded immediately after.
Yes. The phone number is just for activation, once activated, you can swap the SIM and carry on. Or have the SIM that receives the activation text in another phone, or be virtual, or whatever.
Most of the features in the article are already opt-in. It's not like Firefox just automatically translates articles against your will, for example.
Mozilla is mainly responding to inflammatory comments like yours by adding additional toggles to disable any sort of trace in the UI about those features even existing.
It's not integrated in Nannou specifically, but they're showing off Bevy and ratatui in that demo, both very popular frameworks in the Rust world. (In fact, Nannou is in the process of being rebuilt on top of Bevy.)
I don’t know if something is wrong with my mental model, but it seems weird to me that it would take hundreds of milliseconds to patch a function pointer.
It's disabled by default though, and in general (especially with other agents) you very much still have to get out of your way to get any sort of reasonable access control indeed.
In principle though, just running the agent CLI in something like firejail would get you very far if you know what you're doing.
reply