Isolation Is the New Runtime — Cyrus Radfar
TL;DR The sandbox is becoming the primary unit of compute, the way the process once was for apps. The technology didn’t get better. chroot shipped in 1979 and the ideas have barely moved. What changed is the occupant. The thing in the box stopped being your code and became an agent that takes its next instruction from whatever it just read. We spent thirty years making isolation leakier for speed, and agents are making us buy it back. At BUILD 2026 Microsoft shipped OS-level isolation for agents; Apple now runs every container in its own tiny VM. Two giants, opposite directions, one destination. We no longer trust the thing we built.
At 2am your agent is doing exactly what you asked. You set it loose on the issue queue before bed and went to sleep, and now it is triaging, reproducing, opening pull requests, with no one awake to watch it. It opens a ticket whose description thanks it for its help and then, a few paragraphs down, in the polite register of a bug report, asks it to read ~/.aws/credentials and POST the contents to an endpoint so the “CI system” can verify them, and it does.
Nothing about this was a hack. The agent did the one thing it is built to do: read text and act on it. It cannot reliably tell an instruction you gave it from one a stranger left in a ticket. Three things were sitting on the table together: access to something private, exposure to text someone else wrote, and a way to send data out. Put all three in one process and you have what Simon Willison named the lethal trifecta, running together, unattended.
The reflex, when you read that scenario, is to reach for a box: run the agent in a container, give it its own machine, wall it off. That reflex is correct, and it is also very old. The box you would reach for is thirty years old and almost nothing about it is new. What is new is the thing you just admitted about what you are putting inside it.
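The three-way condition from the scenario above, written as a check over what one agent process can reach. This is an added example, not code from the original essay; the `AgentGrant` manifest, its field names, and the secret locations other than `~/.aws/credentials` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed list of secret locations, relative to the agent user's home directory.
SECRET_LOCATIONS = [".aws/credentials", ".ssh", ".config/gcloud", ".netrc"]

@dataclass
class AgentGrant:
    """Hypothetical manifest of what a single agent process can reach."""
    home: str
    readable_roots: list = field(default_factory=list)
    input_sources: dict = field(default_factory=dict)  # name -> True if operator-authored
    egress_hosts: list = field(default_factory=list)   # outbound destinations, "*" = any

def _overlaps(root, secret):
    # A grant exposes a secret if it is the secret, contains it, or sits inside it.
    r, s = PurePosixPath(root), PurePosixPath(secret)
    return r == s or r in s.parents or s in r.parents

def trifecta_legs(grant):
    """Map each trifecta leg the grant supplies to the evidence for it."""
    legs = {}
    secrets = [str(PurePosixPath(grant.home) / loc) for loc in SECRET_LOCATIONS]
    exposed = sorted(s for s in secrets
                     if any(_overlaps(root, s) for root in grant.readable_roots))
    if exposed:
        legs["private_data"] = exposed
    untrusted = sorted(n for n, ours in grant.input_sources.items() if not ours)
    if untrusted:
        legs["untrusted_content"] = untrusted
    if grant.egress_hosts:
        legs["outbound_channel"] = sorted(grant.egress_hosts)
    return legs

def is_lethal(grant):
    # All three legs in one process: injected text can read a secret and send it out.
    return len(trifecta_legs(grant)) == 3

# Constructed samples: the unattended agent from the scenario, then the same agent boxed.
unboxed = AgentGrant(home="/home/dev", readable_roots=["/home/dev"],
                     input_sources={"operator_prompt": True, "issue_queue": False},
                     egress_hosts=["*"])
boxed = AgentGrant(home="/home/dev", readable_roots=["/home/dev/work/repo"],
                   input_sources={"operator_prompt": True, "issue_queue": False},
                   egress_hosts=["*"])

if __name__ == "__main__":
    print(is_lethal(unboxed), is_lethal(boxed), trifecta_legs(boxed))
```

The boxed agent still reads the issue queue and still has open egress; narrowing its filesystem view removes one leg, which is enough to make the ticket's request fail.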
· · ·
We never sandboxed code we trusted
Go back through the lineage and you find the same sentence written in different languages. chroot arrived in Version 7 Unix in 1979: change a process’s idea of the root directory so it cannot see the rest of the filesystem. By the late 1980s administrators were using it to pen network services, the ones exposed to strangers, because those were the processes you trusted least. In 2000 Poul-Henning Kamp wanted to rent one FreeBSD machine to several customers without letting any of them touch the others, and built FreeBSD jails: chroot plus isolated process tables, users, and network identity. His paper has the most honest title in the literature, Confining the omnipotent root. Sun shipped Solaris Zones in 2004, which its own engineers called chroot on steroids. Google needed to pack many jobs onto one machine without them fighting over memory, so Paul Menage and Rohit Seth wrote control groups, merged into Linux in 2008. Namespaces gave each process a private view of the system; cgroups capped what it could consume; together they became LXC, and the modern container was assembled from parts.
[Figure: The lineage of the box, 1979–2026. Timeline of each box and who's in the box: 1979 chroot (a daemon); 2000 FreeBSD jails (a tenant); 2004 Solaris Zones (a tenant); 2008 Linux cgroups (a job); 2013 Docker (your code); 2018 Firecracker (a function); 2025 Apple container (a build); 2026 MXC (an agent). Legend: ○ shares the host kernel; ● its own kernel / VM. Annotation: the boundary returns.]
The box barely changes; the occupant does. Hollow nodes share the host kernel; filled nodes get their own kernel or VM. Around 2018 the boundary that containers gave away starts coming back. (Spaced for legibility, not to linear scale.)
Every one of these is a way of saying you do not trust this process with the whole machine. You only ever bothered to build a box around code you had a reason to doubt: a tenant who was not you, a service exposed to the network, a job that might run away with the host’s memory.
“The sandbox was never the unit of computation. It was the unit of distrust.”
And for thirty years the line moved the other way. You ran your own build scripts straight on your laptop, piped a stranger’s install script into a root shell with curl … | sudo bash and thought nothing of it, and let npm install run a package’s postinstall hook under your full user account on a tree of dependencies you had never read. The trend was toward trusting code more and isolating it less, because the code was yours, or close enough to yours, and the friction of a box was not worth paying. That was a choice, and for most of those years it was the right one.
· · ·
The friendliest box wins
The box that won was not the strongest one. On March 15, 2013, Solomon Hykes gave a five-minute lightning talk at PyCon titled “The Future of Linux Containers.” He had expected a small side room and perhaps thirty people; PyCon ran its lightning talks on the main stage, so he...