Hacker News | jrpear's comments

It looks to me like what is called a "container escape" in this context isn't necessarily as bad as it seems. For example, in the advisory for CVE-2025-31133 affecting runc[1]:

> Container Escape: ...Thus, the attacker can simply trigger a coredump and gain complete root privileges over the host.

Sounds bad. But...

> this flaw effectively allows any attacker that can spawn containers (with some degree of control over what kinds of containers are being spawned) to achieve the above goals.

The attacker needs already to have the capability to spawn containers! This isn't a case of "RCE within the container" -> "RCE outside the container", which is what I would think prima facie reading "container escape".

I have always thought that running an untrusted image within an unprivileged container was a safe thing to do and I still believe so.

[1] https://github.com/opencontainers/runc/security/advisories/G...


For those install scripts which allow changing the install prefix (e.g. autoconf projects---though involving a build step too), I've found GNU Stow to be a good solution to the uninstall situation. Install in `/usr/local/stow` or `~/.local/stow` then have Stow set up symlinks to the final locations. Then uninstall with `stow --delete`.


They just can't be. Concepts like the soul, the inherent dignity of man, and the orientation of humanity toward a single Good are incomprehensible in the framework of modern psychology or physiology. They are ruled out or at least set aside by the presuppositions used to simplify the world for scientific analysis. And these concepts do a lot of work in the note.


You can! [rhvoice](https://rhvoice.org/) is an open source example.


One use of that data is creating 3d renders, like this site: https://osmbuildings.org/


I get it, I just don't think there is a need for that.


> I don't know of any large retailer that eats the cost of unsold goods.

Trader Joe's does this. Though they also rebrand the products they sell.


Oh another Santa Barbara resident! I was initially a little confused reading this thread until I remembered our great regulations.


> This person mentioned Einstein, but Einstein was just the byproduct of a time when people had the balls to publish what could be perceived as extravagant theories.

As an outsider, while I can see many problems in academia today, I'm not sure that an exceptional fear to publish extravagant theories is one of them.

It seems to me that the opposite is true. The replication crisis is a symptom of a general unfriendliness towards uninteresting publications.


It's tough to gauge if someone's competent or not when they're speaking at a very high level in a domain you know nothing much about, and where very high level is at least an order of magnitude more difficult than high level. For this I've found myself leaking in corollaries such as Eric being able to have old time theoretical physicists on his podcast and having in-depth and flowing conversations with them.


Yes, he knows basic physics. But none of his sketches of novel theory has been substantiated by anyone.


And they won’t be for a while. That’s why he’s working on it still.

