alt.hn

6/9/2026 at 11:03:40 PM

Show HN: Nucleus – A security-hardened, Nix-native container runtime

https://github.com/sig-id/nucleus

by 0kenx

6/10/2026 at 3:08:17 AM

Please, guys, I beg of you: even if you're going to let LLMs generate whole wheel-reinventing GitHub repositories for you (I've let them generate many!), at least write your Hacker News posts yourself. The ability to write a Hacker News post without LLM assistance non-trivially relates to the ability to develop good software, because it boils down to skills conceptualising the project in a way that makes sense to humans, such that the project is product-shaped, rather than loose-blob-of-proper-nouns shaped. It's just very difficult to invest trust in a piece of software doing the right thing when it's not clear someone on the other end has enough ability to express their own ends in writing to make clear what that right thing is.

by waterfisher

6/10/2026 at 3:12:36 AM

> If your mental model is "run my image instead of docker run," this won't fit. If it's "run untrusted or ephemeral workloads with stronger, auditable isolation on a single host," that's the target.

This in particular is barely coherent.

by mpalmer

6/10/2026 at 6:08:27 AM

This is neat! Is it rootless? Could it pair with devenv?

I've just gone down a rabbit hole with Fedora atomic desktop (Kinoite), Flatpak Zed, devcontainers with podman compose using the Debian container and nix feature, and devenv.

It allows me to keep an immutable OS while still having an infrastructure-as-code development experience. Also team members on macOS or Windows can choose to use devcontainers to wrap devenv or just skip devcontainers and the extra isolation. It's pretty portable.

by wallzero

6/10/2026 at 8:24:32 AM

> devcontainers with podman compose using the Debian container and nix feature, and devenv.

Can you expand on that please?

by lifeisstillgood

6/10/2026 at 7:55:55 AM

Very cool to see more security focused tools being built here for the Nix ecosystem. What were some of the biggest roadblocks or challenges you hit when building this?

by lavaman131

6/10/2026 at 7:47:51 AM

Isn't it the same as using systemd-nspawn? containers.<name> lets you declare containers with nspawn. What's the difference?

by alberand

6/10/2026 at 5:51:54 AM

> rootfs attestation verifies a per-file SHA-256 manifest at startup;

What threat model does this protect against? Certainly nice, especially for free, but wondering about utility.

by yjftsjthsd-h
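As an added illustration of the per-file SHA-256 manifest check discussed above (this is not code from the Nucleus project, whose manifest format is not shown in the thread), the following builds a manifest over a constructed rootfs, then tampers with the tree and reports modified, missing and unexpected files; the directory layout and manifest shape are assumptions:

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map of relative POSIX path -> sha256 for every regular file under root.
    Symlinks are skipped: a content hash says nothing about their target."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest

def verify_rootfs(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree on disk against a trusted manifest taken at build time.
    All three lists empty means the rootfs matches what was attested."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in current and current[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo() -> dict[str, list[str]]:
    """Constructed example: snapshot a tiny rootfs, then alter it and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        manifest = build_manifest(root)  # trusted snapshot at image build time
        # Simulated drift between build and start: one file changed,
        # one removed, one added that the manifest never listed.
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\necho changed\n")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "unexpected.conf").write_text("added later\n")
        return verify_rootfs(root, manifest)
```

A content-hash list like this catches files altered between image build and container start, but not changes to permissions, ownership or symlink targets, and it is only as trustworthy as the manifest itself, which therefore has to be signed or kept outside the writable rootfs.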

6/10/2026 at 12:57:36 AM

[flagged]

by mediaman