0 points
kstenerud
2mo ago
It actually runs git (with hooks disabled) to generate the diff. It happens on the host when using copy mode, and inside the sandbox when using overlay mode.
The above example doesn't specify workdir mounting mode, so it would be copy, not overlay.
3 comments · 1 top-level
creata
2mo ago
· 2 in thread
If it runs inside the sandbox and the guest is compromised, can't the guest just lie?
kstenerud
OP
2mo ago
Absolutely. That's why overlay is not the default.
creata
2mo ago
That's... uh, an interesting approach to security.