Privileged containers in docker have a different meaning [1]. A lot of work has gone into trying to harden the default docker container options against container escape, even when the process is running as root. This includes dropping some capabilities, blocking syscalls with seccomp, shadowing sensitive procfs and sysfs paths, hiding most devices, and some LSM hardening [2]. Even with all that it is far more effective to just run as non-root, but hopefully that gives some context for why vulnerabilities like this are treated as high severity.
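The hardening listed in the comment above (dropped capabilities, seccomp, running as non-root) can be read back from a process's `/proc/<pid>/status`. The following is an added example, not part of the original comment or of Docker's code. The three status samples are constructed, modelled on a default root container, a privileged one and a non-root one, and the `BROAD` set is this example's own choice of capabilities to flag.

```python
import re

# Capability names in bit order, from linux/capability.h (bit 0 = CHOWN).
CAPS = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
        "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
        "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
        "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
        "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
        "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ "
        "PERFMON BPF CHECKPOINT_RESTORE").split()

# Assumption: capabilities this example flags as too broad for a workload.
BROAD = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}

def parse_status(text):
    """Extract effective UID, effective capabilities and seccomp mode."""
    f = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.M))
    mask = int(f["CapEff"], 16)
    return {
        "euid": int(f["Uid"].split()[1]),  # order: real, effective, saved, fs
        "caps": {n for i, n in enumerate(CAPS) if mask >> i & 1},
        "seccomp": int(f["Seccomp"]),  # 0 = off, 1 = strict, 2 = filter
    }

def audit(text):
    """Return findings for one process; an empty list means none."""
    s, out = parse_status(text), []
    if s["euid"] == 0:
        out.append("runs as root")
    if s["seccomp"] == 0:
        out.append("no seccomp filter")
    if s["caps"] & BROAD:
        out.append("broad capabilities: " + ", ".join(sorted(s["caps"] & BROAD)))
    return out

# Constructed samples in /proc/<pid>/status format (not captured from a host).
DEFAULT_ROOT = "Name:\tapp\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
PRIVILEGED = "Name:\tapp\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n"
NON_ROOT = ("Name:\tapp\nUid:\t1000\t1000\t1000\t1000\n"
            "CapEff:\t0000000000000000\nSeccomp:\t2\n")

if __name__ == "__main__":
    for name, sample in [("default root", DEFAULT_ROOT),
                         ("privileged", PRIVILEGED), ("non-root", NON_ROOT)]:
        print(name, "->", audit(sample) or "no findings")
```

Inside a running container the same check can be fed the contents of `/proc/self/status`.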
Let me give a concrete example of how I've been personally impacted by the lack of generics. My project makes liberal use of pointers to represent "optional" fields, since they need to be distinguished from the zero-type. Alternatives would be to have a boolean associated with every field, but that clutters the API and still faces a lot of the problems with using pointers, such as:
- Easy to forget to check that pointer != nil
- Overloaded semantics: it's unclear whether a pointer represents an optional type, or is being used to pass-by-reference (i.e. unclear whether a value should be treated read-only)
- Need to deep copy every struct, which is easy to forget and inefficient (at least the reflect version)
There are solutions to each of these points, but they all add complexity (e.g. generating code), and most take a lot of extra effort. With generics I could have Optional<T>, with a Get() function returning 2 values: the value type, and present (i.e. the way maps work). The caller is forced to handle both returns, making it much harder to forget to check it.
A lot of arguments for generics focus on higher-level functional programming abstractions, but this is a simple and extremely common use-case, and the lack of a solution is responsible for many real-world bugs.
high (email, banking): Just memorize a unique password for each
medium (sites that might have my credit card info): Lastpass + salt, which I memorize and manually insert (LastPass doesn't have it)
low (everything else, e.g. hacker news): I trust lastpass (w/ 2f) for these sites.
I feel that this strikes a good balance between security and convenience for me, without putting too much trust in the central store. I don't think LastPass is the weak point in this system (I am).
Super interesting to hear I'm not alone. I'm finding it works extraordinarily well, and even in situations where my Lastpass details are compromised (like today), it's not necessarily a disaster, just an inconvenience. But in return, almost complete peace of mind and liberation from passwords.
[1] https://docs.docker.com/engine/reference/commandline/run/#fu...
[2] https://docs.docker.com/engine/security/non-events/