HabrApr 29

Telegram Mini App для PWA-приложения: как я перешёл с TWA для RuStore и что выяснил по дороге

Я разрабатываю PWA для голосовой практики английского. Несколько раз пытался опубликовать его в RuStore через Trusted Web Activity (TWA) — Google-обёртку, которая упаковывает PWA в подписанный Android AAB. После четырёх отказов модерации я понял, что для моего класса приложений TWA в RuStore не работает, и за день переключился на Telegram Mini App. Эта статья — не история стартапа, а разбор технических решений:

https://habr.com/ru/articles/1029400/

#telegram_mini_app #twa #trusted_web_activity #rustore #bubblewrap #pwa #android #hmac #авторизация

Telegram Mini App для PWA-приложения: как я перешёл с TWA для RuStore и что выяснил по дороге

Я разрабатываю PWA для голосовой практики английского. Несколько раз пытался опубликовать его в RuStore через Trusted Web Activity (TWA) — Google-обёртку, которая упаковывает PWA в подписанный Android...

Хабр
mid_kidApr 24

Wrote a silly script to showcase how to use unshare + chroot/pivot_root in order to manually enter a #linux #chroot / #container without needing #root privileges:

https://gist.github.com/mid-kid/9293f4f0617052b9c3aa45422fb89f90

I rarely see anyone mention how this can be done without needing to reach for #bubblewrap or systemd-nspawn, and I think it's important to see how you can leverage the primitives that drive container technology.

The script can be simplified, but not without sacrificing correctness. I hope the comments help.

Create and enter a chroot without root permissions, using unshare + pivot_root

Create and enter a chroot without root permissions, using unshare + pivot_root - chrootless

Gist
alipApr 24
It's 2026 and people still use suid sandboxes: https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp #linux #security #bubblewrap
CVE-2026-41163: Privilege escalation in setuid mode via ptrace

### Impact If bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows it the attacker ...

GitHub
motmanniskaApr 20

Maybe not-so-hot take: the AI agents we have cannot be trusted, and must be put in a cage.

https://metallapan.se/blog/2026-04-27-agent-in-prison/

#claude_code #bubblewrap #llm

AI agents belong in prison

Last Friday, Opus, which I had allowed `terraform plan` permissions to help troubleshoot some integration, suddenly asked to do `terraform apply` even though the plan showed that a production database would get deleted and recreated (😱), even if I had explicitly instructed it to help me investigate only, and change nothing. Because it at least asked, catastrophe was averted, but it did get my pulse up. The problem of course is not really the model, any model can go off the reservation. The problem was that I had given the agent (part of) my own access for a bit of convenience - and if you run your LLM with access to ~/.ssh, ~/.config/gcloud, ~/.aws, and your kubeconfig, it may hallucinate your production env away.

Metallapan AB
Gea-Suan LinMar 6

https://blog.gslin.org/archives/2026/03/07/12921/macos-%e4%b8%8a%e7%94%a8-sandbox-exec-%e9%9a%94%e9%9b%a2/

macOS 上用 sandbox-exec 隔離

#agent #app #apple #bubblewrap #bwrap #coding #design #exec #guide #linux #macos #sandbox #SandboxExec #security

macOS 上用 sandbox-exec 隔離

上上禮拜看到「sandbox-exec: macOS's Little-Known Command-Line Sandboxing Tool (via)」這個感到興趣,主要是因為有跑 coding agent 的需求,在 Linux 上可以透過 bubblewrap 隔離 (參考「Linux 下用 bubblewrap (bwrap) 跑 Claude Code」),但 macOS 上沒有 bubblewrap,所以需要另外找工具,看起來就是這個了。 Hacker News 上有人提到 deprecated 的問題,從 2017 年就已經是 deprecated 了...

Gea-Suan Lin's BLOG
UrlRouletteFeb 20

Our Weekly Update #62 is live! 🎥✨

Watch now: https://youtu.be/1NfNykcpIks
Don’t forget to subscribe & hit the bell 🔔!

Subscribe to our weekly newsletter!
👉 https://urlroulette.net/newsletter/subscribeform 🚀

#bubblewrap #homepage #comics #virtualracing #flighttracker

🔗 UrlRoulette TV Episode #62! 🌟

YouTube
Show threadYann Büchau Feb 18

Now I'm thinking about a new strategy:

- stop service
- make #btrfs snapshot (seconds at max)
- restart service
- run #borgBackup from snapshot, but via #bubbleWrap so it sees it as the original path and inodes for consistency&performance!
- run as many borg backups as desired to any remote, even in parallel, as the service is running again

Thoughs?

#nixos

Gea-Suan LinFeb 16

https://blog.gslin.org/archives/2026/02/16/12894/linux-%e4%b8%8b%e7%94%a8-bubblewrap-bwrap-%e8%b7%91-claude-code/

Linux 下用 bubblewrap (bwrap) 跑 Claude Code

#bubblewrap #bwrap #claude #code #linux #security

Linux 下用 bubblewrap (bwrap) 跑 Claude Code

避免 Claude Code 在全自動模式下 (--dangerously-skip-permissions) 爆炸的時候把一堆東西給弄炸,一般會用 container 環境包起來,不過在 Linux 下可以用 bubblewrap 這樣更清量的工具限制,調整了一陣子,算是穩下來了,我會包一個 ~/bin/claude...

Gea-Suan Lin's BLOG
AI SparkupFeb 7

AI 에이전트 코드 실행의 딜레마, 샌드박싱으로 안전하게 해결하는 법

AI 에이전트가 생성한 코드를 안전하게 실행하는 샌드박싱 기법. bubblewrap 로컬 격리와 Deno Sandbox의 네트워크 제어·시크릿 보호를 소개합니다.

https://aisparkup.com/posts/8954

UrlRouletteFeb 5

🔗 UrlRoulette URL of the Day #430! 🌟

Virtual bubble wrap - burst them all!
Online bubble wrap popping, a stress-relief satisfying web app. Pop bubbles non-stop.

This is our URL of the day 👉 https://urlroulette.net/ui/3m46tG3xrpCW 🚀

#bubblewrap

UrlRoulette - Link of the Day

Submit URL for the next visitor and be redirected to the previous visitor's URL! Subscribe to our newsletter and get top URLs delivered to your email address!

UrlRoulette