[linuxandrew]

> If for some reason you want to run an untrusted application, use a container. But building your whole house around the "untrusted" premise sounds ridiculous.

I guess we should do away with memory protection as well. Filesystem permissions? Bah, they can go too, after all, a computer is generally used by a single person right?

The reality is that many users use untrusted applications that don't have access to home, ergo Flatpak. There are plenty of reasons why the free for all security model for X11 isn't suitable. Besides, that ship has well and truly sailed - most of the X11 devs have been working on Wayland for the better part of a decade now.

[mcpackieh]

> The reality is that many users use untrusted applications that don't have access to home, ergo Flatpak.

I'd like to see this quantified. How many people using flatpack are afraid of their application reading their files, vs using flatpack simply because it's a convenient way to install programs? I don't mean "oh me me!" responses, are there any user surveys to support the premise that average users are afraid of their applications?

Quite frankly I don't believe this level of paranoia is the norm. On Windows and MacOS, applications installed in the normal way can read the files on your desktop. This is the way it as always been on Linux too, with few exceptions. Letting the most paranoid users set the norms is a recipe for irrelevance. How popular is Qubes? It's a pain in the ass.

[E1Q6Y57O]

This is incorrect, apps installed through the macOS App Store have required sandboxing since 2012. Since 2018, Microsoft is also attempting to get developers to sandbox more apps, see more about that here: https://news.ycombinator.com/item?id=36059982

[mcpackieh]

I'm pretty sure you're wrong. Looking over the part where you imply that the MacOS App Store is the standard way to install Applications on MacOS (opposed to dragging the application to the Applications folder), let's look at what the system you're referring to actually does:

https://developer.apple.com/documentation/xcode/configuring-...

Show me where it says a program installed from the MacOS appstore will be unable to read the user's files unless the user explicitly authorizes it. Here's how it actually works as far as I can determine: The application developer grants their app the entitlements to read user files. The user may see that entitlement before installing the application, but thinks nothing of it because of course the program operates on their files. This does not protect the user against a malicious program being shipped with those entitlements and a plausible pretext to justify it. Example: The user downloads a program to read some kind of unusual file for work, the program grants itself access to ~/Downloads because of course it needs that, then the program instead reads ~/Downloads/your-tax-documents

This system only protects the user if the application was legitimate, refrained from granting itself the relevant entitlements, then got compromised by an attacker.

[E1Q6Y57O]

>Looking over the part where you imply that the MacOS App Store is the standard way to install Applications on MacOS

That is the standard way. An app that has its own custom installer or patcher/updater is by definition, using a non-standard install procedure.

But even if it wasn't, it definitely is the standard on Linux, where package managers are the norm.

>The application developer grants their app the entitlements to read user files.

Flatpak works in exactly the same way.