I was curious, so I dug a bit.<p>Under the hood it's effectively running:<p><pre><code>docker run --rm -v "$PWD":/workspace -w /workspace \
  python:3.11-slim \
  sh -c 'pip install -q patchpal && <command>'
</code></pre>
Which, cool, great, I sure love "pip install"ing every time instead of just baking a single container image with it already installed.<p>This isn't any sort of fancy or interesting sandboxing, this is shelling out to "docker run", and not even using docker as well as it could.<p>Quoting from the linked page:<p>> The tradeoff is ~5-10 seconds of container startup overhead<p>Sure, maybe it's 5-10 seconds if you use containers wrong. Unpacking a root filesystem and spinning up a clean mount namespace on Linux is a few ms, and taking more than a second means something is going wrong, like "pip install"ing at runtime instead of build time for some reason.<p>I can spin up a full Linux VM and run some code in under 5 seconds.
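An added example (not from the comment above or from the patchpal project) of the alternative the commenter describes: install the dependency once at image build time, then run the command in a container that only mounts the working directory. The image tag `python-patchpal:local`, the `/workspace` mount point, and the hardening flags (`--network none`, `--read-only`, `--cap-drop ALL`, a tmpfs for `/tmp`) are assumptions about how a practitioner would tighten the `docker run`; the comment does not list them.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes a POSIX shell and,
# for the real run, a docker CLI on PATH. Image tag, mount point and
# hardening flags are assumptions, not taken from the original comment.

# Dockerfile that bakes the dependency in at build time, so no
# "pip install" runs on every invocation.
patchpal_dockerfile() {
  cat <<'EOF'
FROM python:3.11-slim
RUN pip install --no-cache-dir -q patchpal
WORKDIR /workspace
EOF
}

# Build the `docker run` command line for a prebuilt image.
# $1: image tag; remaining args: the command to run inside the container.
# The working directory is the only writable host path; the root
# filesystem is read-only, the network is disabled and all capabilities
# are dropped (assumed hardening for an untrusted-code sandbox).
patchpal_run_cmd() {
  image=$1; shift
  printf 'docker run --rm --network none --read-only --cap-drop ALL --tmpfs /tmp -v "%s":/workspace -w /workspace %s %s' \
    "$PWD" "$image" "$*"
}

# Build the image once and run the given command in it.
# Usage: patchpal_run patchpal --help
patchpal_run() {
  image=python-patchpal:local
  command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
  # Dockerfile comes from stdin; the build context is the current directory.
  patchpal_dockerfile | docker build -q -t "$image" -f - . >/dev/null
  # eval is acceptable here because every piece of the string is ours.
  eval "$(patchpal_run_cmd "$image" "$@")"
}
```

The build step runs only when the Dockerfile changes, so repeat invocations pay the few-millisecond namespace setup the comment mentions rather than a package download; `patchpal_run_cmd` can also be called on its own to inspect exactly what would be executed before running anything.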