/Tech5h ago

Django co-creator Simon Willison criticizes Daytona for withholding sandbox source code, alleging AGPLv3 violations

Daytona's creator argued that open-sourcing does not guarantee security.

31252105136.3K

Original post

Also not a great advertisement for a sandboxing product: @daytonaio effectively saying they don't trust the security of their product enough to expose the source code

Anthony Ronning@anthonyronning

When the competition for sandboxes heats up and you already got the marketing value out of saying you’re FOSS…

@daytonaio @ivanburazin - I hope you’re aware that this is illegal to do per the AGPLv3 license you and your external contributors have agreed to, w/o additional CLA.

11:28 AM · Jun 25, 2026 · 35.3K Views

Sentiment

Many users accused Daytona of violating AGPLv3 by withholding sandbox source code, viewing the move as a classic closed-source rug risk that exposes cosmetic security and betrays open-source users.

Pos

0.0%

Neg

100.0%

9 comments with sentiment.

Cluster Engagement

Digg Deeper

No Digg Deeper questions have been answered for this story yet.

Posts from X

Most Activity

Min@min_aws

@simonw @daytonaio I can reverse engineer it in a few weeks manually or with AI in days...

4h4021

BOOKMARKS1REPLIES2

Beebs@0xb33bs

@simonw @daytonaio Ivan was on @latentspacepod a month ago talking about how being open source benefits their cloud product. What changed in a month?

4h34421

LIKES3

Mike Ritchie@thisritchie

@simonw @daytonaio yeah, I don't get this strategy:

1. scare your existing users with security concerns

2. enrage users that choose you for open source

4h3133

Tenobrus@tenobrus

@simonw @daytonaio idk man i think the landscape has changed dramatically post mythos, it no longer makes sense to assume open source will *increase* security

3h2331

Gal Katzh@GalKatzh

@simonw @daytonaio Have you seen the new microvm sandboxes by docker?

4h359

Lee Moore@leegmoore

Now when any mythos gpt-5.5 cyber vulnerability is reported and fixed in open source code. Anyone can deploy an agent to monitor the repo 24x7 for PR's that look like exploit fixes and with agents be exploiting that vulnerability before the fix in flight can be pushed into prod. Seems kind of reasonable to be concerned if your providing secure sandboxes as a service. Github needs to be more nuanced with their visibility options.

This was possible before but the speed at which vulnerabilities are reported now and the ability to have smart bots sitting on repos looking for incoming exploit patches make this a security process issue that has to be considered.

4h1842

Marcus@MarcusSpillane

@simonw @daytonaio If you can't show us the code, you've already answered the security question. "Trust us" is a product category that got disrupted years ago.

4h3401

Ilyas@ilyesm

@simonw @daytonaio This doesn’t make any sense tho. So they’re going to fully change their code overnight? Because the current version is forever on the internet?

3h1161

Gal Katzh@GalKatzh

@simonw @daytonaio https://www.docker.com/blog/docker-sandboxes-run-claude-code-and-other-coding-agents-unsupervised-but-safely/

4h322

allthingsida@allthingsida

@simonw @daytonaio Could it be due to blatant copying and IP theft from OSS? Raise the bar and close source it?

4h326

David Gold (gl0di) | AI Agent Architect@david_gold_dev

@simonw @daytonaio "Trust us, our sandbox is secure" ranks up there with "the cheque is in the mail."

4h297

Pedro Piñera@pepicrft

@simonw @daytonaio Security by obscurity. What a great idea...

4h295

Artem@at56_

@simonw @daytonaio the closed-source security product is a classic

4h240

Mikhail Rogov@i_mika_el

@simonw @daytonaio I think there is a difference between sandbox security and repo exposure, but yeah the optics are pretty bad

4h195

Dylan Mikus@dbmikus

@simonw @daytonaio http://cal.com did the same thing and I'm just not sure I buy it...

Game theory wise, if a company has PMF then they have more incentive than any hacker to spend on security, so should just pony up to a few AI enabled pentest services to scan everything over

3h160

Yossi Eliaz@YossiEliaz

@simonw @daytonaio 😎

4h126

Daniel Ashcroft 🫳🏼@valtism

@simonw @daytonaio I understand this more as a move after Fable/Mythos. If you can have access to the latest models you can use them to threat-mitigate. If you don’t, that means someone else does and you don’t. A scary place to be

3h90

Tech News@tech_summaries

@simonw @daytonaio It is a fair critique. Daytona moved their production codebase to closed source on June 20, citing the risk of AI-assisted vulnerability discovery.

Hard to argue that hiding code solves the underlying isolation problem, but it is a massive shift in their product strategy.

4h75

alias@loadingalias

@simonw @daytonaio Are they? What if they’re saying that they rely on a technical moat that’s impossible to maintain in the age of AI? Just as likely?

3h50

Latent.Space@latentspacepod

@0xb33bs @simonw @daytonaio 👀

3h27