Exe.dev - Hacker News

Posted by achairapart 12/26/2025

https://blog.exe.dev/meet-exe.dev

457 points | 297 commentspage 3

notepad0x90 12/27/2025|

unlike others, i like the site and the initial prompt.

Lost me at "verify email" though. Why get so creative, yet limit yourself to archaic "email". Why do *YOU* the provider need me to have an email or a phone?

Look, mullvad can provide vpn services without email or all that nonsense. If you want people who will use ssh to order things, these are the same people that would get your service because you're not asking for dumb things like email. It's the first thing you ask of potential users, and it's an obstacle preventing them from giving you their money!

You can issue users a recovery/access key and/or let them user their ssh public key and trust they know how to manage that on their own. If you have messages for them, display that when they login. This sort of stuff differentiates your service, ssh does too, but it's cosmetic and gimmicky. I would prefer a rest-api over ssh anyways, but ssh is cool too.

jeremyjh 12/27/2025||

You can’t host compute for anonymous users. I mean you can, but you won’t for long due to the abuse that will inevitably come with it. That you are responsible for. And anyway, it’s not always going to be free.

notepad0x90 12/28/2025|||

What are the abuse risks of compute versus vpn? Mullvad is doing it already. Their payment information doesn't need to be "anonymous". I have hosted websites while paying for the domain, vps hosting and all that it entails entirely with BTC, not once using payment information associated with me. But you know what was required of me even then? A damn email address!!

jeremyjh 12/28/2025||

Compute opens vast surface area for abuse that VPN does not. You could use it control bot networks, host CSAM, host phishing sites and more.

notepad0x90 12/28/2025||

Yet, anonymous compute providers exist. Either way, if all you want is to identify who your users are, that's fine. Email hardly helps. It's not hard to setup a temporary mailbox. Anyone can sign up to protonmail without identifying themselves too much. All you're doing is making it inconvenient for the opportunistic an lazy potential criminals (and legit users alike). Simply not accepting crypto payment goes a long way. Furthermore, even if your users are 100% innocent & legitimate, they could and do get compromised (happens a LOT).

I think it's just something people do because "everyone else" is doing it. Lots of familiarity around email. "it's just not done" as they say.

trollbridge 12/27/2025|||

Getting a usable e-mail and phone is a few cents spent on one of the many shady SMS-reception services.

jeremyjh 12/27/2025||

Yes, that is why they always require a credit card as well. I'm sure exe.dev will be no different soon but they are trying this in alpha to get feedback and traction; just hoping they won't attract the notice of the barbarian hordes right away.

qudat 12/27/2025|||

I run https://pico.sh where we don’t ask for email. Even on our website we instruct users to generate a token so if they do lose their key they can use it to recover their account.

People regularly lose their ssh keypair and also don’t generate a token. I think using email as a form of recovery is totally fine and regardless when you have to pay for the service you’re going to give up your email (and other personal info) via payment processor

notepad0x90 12/28/2025||

I would eventually want even payment processors to stop asking for email. They have my address and government id, for any liability related reasons. ideally, we would use federated auth, where auth providers aren't using email at all. I'd imagine the complexity of your backend is simpler too as a result.

And kudos on your service, I'll keep it mind next time I'm picking a provider.

docmars 12/27/2025||

It isn't a free service -- only during the alpha you get access to an "Individual" account which would normally run $20/mo once the test period is over.

https://exe.dev/docs/pricing

notepad0x90 12/28/2025||

Yes, it should be paid of course. Matter of fact, please charge me more for the privilege of not being asked email,phone, credit cards. Just take my money, and feel free to take whatever steps you think are needed to make sure abuse isn't taking places. I champion requiring a "deposit" where if abuse took place the user would forfeit it.

But, my original comment is strictly about email. Even if you asked for a government-id and credit-card payment, I won't object. Just please, no email!

docmars 12/28/2025||

I think that leaves: how would you prefer to recover your account if you lost access?

notepad0x90 12/28/2025|||

same way I would with my email provider. But I'd expect a recovery code of some sort that i could save.

How would you normally recover an account? Email? So, if my email is compromised, everything gets compromised? That's not sane at all. You should normally have MFA, and if you can recover your MFA/2FA with email, it's just an over-engineered inconvenience. The way it's done right, the MFA recovery code servers as a general account recovery code as well. You save that somewhere safe and offline.

In this case, they use ssh public keys, so there is no need for all that, just add a spare public key to authorized_keys, and keep it's private key offline and safe, ideally in an HSM.

This is a service for technical people, so all that works, for general consumer service, you give them a choice. Either they choose to use a recovery key, a recovery email/phone...or recovery via payment. Let them pay $1 for recovery, proving they control the original method of payment (KYC not crypto). But if nothing else, users should be able to choose recovery code instead of email. It's more secure, because you're not relying on a 3rd party service to also be secure. I don't like them much, but recovery questions have also been used, but if you think about it, those are not that different from recovery codes, they're just more guessable.

Recovery codes aren't one string, they're usually multiple, so if users chose, they can split up their storage. For added reliability, you can require validation of recovery codes periodically, after a successful sign-in.

docmars 12/28/2025||

Thanks for explaining! I was mainly curious what viable alternatives there would be for the average user, and I think your suggestions are sound. Even technical folks wants things to feel as frictionless as possible.

The nice thing about recovery codes is being able to store them securely in a password manager alongside any other entries for the service.

The downside is they're easy to leak (or lose), so the added factors in requiring access to email (also with its own 2FA) are lost in a system like this, if whatever you're managing is mission critical. I wouldn't want to make that kind of bet, personally.

notepad0x90 12/28/2025||

> , personally.

I get it, that's why I advocate letting users choose. Especially with a technical audience, treating them like they can't be trusted to make mission critical choices is not good.

lane776 12/30/2025|||

[dead]

ilaksh 12/27/2025||

Are they actually VMs, or are they containers? Some kind of special container like gvisor? Firecracker microvms?

crawshaw 12/27/2025|

Hello, an exe.dev person here. They are VMs, on a crosvm-derived VMM. So I consider them "actually VMs", though we do not currently support custom kernels. You can do VM things in there, like create TUN devices, etc.

jauntywundrkind 12/27/2025|||

Not super important to me (and you state explicitly it may change) but your docs are a little out of date here, I think. crosvm versus Cloud Hypervisor / Kata Containers, is, I think, different?

  exe.dev ▶ doc how-exedev-works
  How exe.dev works (how-exedev-works) - press q to exit
                                                                                                                                                                                                                                                 
  You're an engineer. We're engineers. Let's talk about what's going on under the hood.                                                                                                                                                          
                                                                                                                                                                                                                                                 
  An "exe.dev" VM runs on a bare metal machine that exe.dev rents. We happen to use Kata Containers and Cloud Hypervisor, but that's a bit of an implementation detail (and may change!).                                                        
                                                                                                                                                                                                                                                 
  With most providers, your VM starts with a "base image" and is given a block device. Exe.dev instead starts with a container image (by default, "exeuntu"), and hooks up an overlay filesystem to the VM. This makes creating a new VM         
  take about two seconds. In exchange, we lose some flexibility: you don't get to choose which filesystem you're using, nor which kernel you're using.                                                                                           
                                                                                                                                                                                                                                                 
  On the networking side, we don't give your VM its own public IP. Instead, we terminate HTTPS/TLS requests, and proxy them securely to your VM's web servers. For SSH, we handle ssh vmname.exe.xyz.

crawshaw 12/27/2025||

Yes our docs are out of date we are not using Kata, thanks.

ilaksh 12/27/2025|||

Thanks. So KVM I assume. Congratulations on your launch. Any plans for public IPs?

crawshaw 12/27/2025||

Thank you! Yes, KVM. And public IPs are very useful and we want to do them. We will have to charge and/or limit them, unlike VMs, unfortunately, because IPv4 is scarce. (I am busy trying to buy some right now.) You can follow along here: https://github.com/boldsoftware/exe.dev/issues/6

Uptrenda 12/28/2025||

I think I get more what they're going for now. A technical person can setup a server for themselves and setup services to work for multiple projects. But its complex to get everything right. Trying to reuse a server, setting up routing, domains, and so on can be tedious. I guess they abstract that problem. The wild card domains -> VM is a neat mapping. Then making it easy to use your resources and dispose of VMs.

I guess its an innovation at the resource management layer where you create / manage VMs. It's interesting they choose to give away individual plans. That's very generous. Though I'd feel bad using any of their resources.

varenc 12/27/2025||

Just setup an account and started a VM, but it's hanging when trying to access it while waiting on the public key response. Web based terminal not loading either. Guessing the site is getting the hug-of-death from HN users?

varenc 12/27/2025|

Took a bit, but now I'm in! So far, loving this service.

Cyphase 12/28/2025||

> What is exe.dev?

> exe.dev is a subscription service that gives you virtual machines, with persistent disks, quickly and without fuss. These machines are immediately accessible over HTTPS, with sensible and secure defaults. You can share your web server as easily as you can share a Google Doc. With built-in optional authentication, so you can focus on your thing.

> Your VMs share CPU/RAM. Create as many VMs as you like with the resources you have.

Source: https://exe.dev/docs/what-is-exe

gurjeet 12/27/2025||

In https://blog.exe.dev/meet-exe.dev

s/cloud computing should like/cloud computing should be like/

waldrews 12/27/2025||

Might be a good place for yunohost/coolify style services, especially if you have multiple separate entities - though probably tricky to do inbound mail because of IP allocation?

0xferruccio 12/27/2025||

i tried this and it's pretty cool, that being said for my use case of spinning up many agents working on my app I'd need a way to specify the docker images that get started with each new VM

i cannot find a way in the docs to start new VMs with a bootstrap script that starts a bunch of services for me and runs a specific docker image

my use-case is that I want a full developer environment for every branch of my project, so i can vibe code on many VMs at a time

EDIT: Just realised there's an image one can pass to the new command. Still it's not clear to me whether private images would be supported and what registry this is using:

exe.dev ▶ help new

Command: new

Create a new VM

Options: --command container command: auto, none, or a custom command --env environment variable in KEY=VALUE format (can be specified multiple times) --image container image --json output in JSON format --name VM name (auto-generated if not specified) --no-email do not send email notification --prompt initial prompt to send to Shelley after VM creation (requires exeuntu image)

crawshaw 12/27/2025|

[exe.dev cofounder here] Thanks for the feedback! We do not support private registries yet but it is very much on our mind, it is one of the first things business customers ask for so we know we have to build it.

We are also exploring alternatives for pre-configuring your VM. (Because we make lots of VMs and feel this too, so it is very much on our mind.) One is a sub-second VM "clone" feature, so you can configure a base VM to use as an image.

0xferruccio 12/28/2025||

The clone idea sounds awesome! It’s kind of like what Devin does for setting up new machines for each task

cstricklan 12/27/2025||

I normally try to stick to serverless with SST for quick projects because I like that they scale to $0, but this is enticing. Shelley is a great feature and must have well-designed system prompts and tools for testing the website built-in. It just one-shotted a volunteer management app and with just one more click in the console I can expose it to the public.

Havoc 12/27/2025|

Looks good!

Though not a fan of 100GB and egress charges. Is there a way to hardcap that?

I guess I could implement something VM side but that’s a bit convoluted

More comments...