I'm also surprised that they considered it reasonable to turn so many features off. Seems like some of it could be configurable, like allowed external connections. I also think some secrets should be handled by a proxy, which would give more capability than just locking down.

I think that was a natural outcome of cheaper merges/conflict resolution in distributed version control. It became easier so there were more situations where it made sense.

Now LLM spam has made it harder, so now there are fewer situations where it makes sense, and projects are switching to a cathedral model.

I noticed this while programming with LLM assistance. It's easy to put effort in for the LLM because there is immediate positive feedback: improving the context gets better results. Folks have mentioned other reasons LLMs get better support like docs for humans don't get read and don't improve KPIs.

I think this might lead to more literate programming. The main challenge with LLMs is humans understanding the code, which lp helps with. Also, it includes the relevant context with the code itself. Both of these things help humans and LLMs.

I've been trying it myself and I think it's working pretty well. The only challenge right now is that it is difficult to get models to output code literate style. The output from LLMs tends to open a code block and put everything in it with a ton of long comments, rather than create several blocks with prose in between. [A caveat is that I don't have access to SOTA models.] My plan is to add an agent that just focuses on the style.

I am also surprised that capabilities weren't more widely implemented after mobile OSes demonstrated they are practical. I know Windows made a move in that direction with UAC but had to soften it due to user alert fatigue. So I guess having no legacy apps and a centralized repository helps.

I've recently been looking into Guix SD as a solution. Its package management is designed to keep programs independent of each other, so containers are cheap and lightweight. Trying out untrusted software is as easy as `guix shell --container --pure --no-cwd [program]`, which blocks access to the network, file system, and environment variables. Right now I'm adding more advanced capability management: limits on CPU, memory, storage space, network use, etc.

I use nix + bwrap, which gives a similar result. it works well enough, though I really ought to restrict reads to only the closure.

> I use nix + bwrap

In an automated way, or have implemented as hand-written wrappers? And regardless, have you published the code (and/or talked about how it works) anywhere? It'd be really nice to have a gentler onramp to sandboxing things, and nix should be well-placed for it.

an automated way, as part of a tree-based harness. I haven't published the code yet but should hopefully be able to soon!

Could you point me at a blog or github or something I can follow to see it if you do publish?