FRESH

Hacker News

Show HN: Nucleus – A security-hardened, Nix-native container runtime

32 points by 0kenx

by waterfisher

2 subcomments

Please, guys, I beg of you: even if you're going to let LLMs generate whole wheel-reinventing GitHub repositories for you (I've let them generate many!), at least write your Hacker News posts yourself. The ability to write a Hacker News post without LLM assistance non-trivially relates to the ability to develop good software, because it boils down to skills conceptualising the project in a way that makes sense to humans, such that the project is product-shaped, rather than loose-blob-of-proper-nouns shaped. It's just very difficult to invest trust in a piece of software doing the right thing when it's not clear someone on the other end has enough ability to express their own ends in writing to make clear what that right thing is.

by wallzero

2 subcomments

This is neat! Is it rootless? Could it pair with devenv?
I've just gone down a rabbit hole with Fedora atomic desktop (Kinoite), Flatpak Zed, devcontainers with podman compose using the Debian container and nix feature, and devenv.
It allows me to keep an immutable OS while still having an infrastructure as code development experience. Also team members on MacOS or Windows can choose to use devcontainers to wrap devenv or just skip devcontainers and the extra isolation. It's pretty portable.

by lavaman131

0 subcomment

Very cool to see more security focused tools being built here for the Nix ecosystem. What were some of the biggest roadblocks or challenges you hit when building this?

by alberand

1 subcomments

Isn't it the same as using systemd-nspawn? containers.<name> let you declare containers with nspawn. What's the difference?

by yjftsjthsd-h

1 subcomments

> rootfs attestation verifies a per-file SHA-256 manifest at startup;
What threat model does this protect against? Certainly nice, especially for free, but wondering about utility.

0 subcomment

by mediaman

0 subcomment