[zbowling]

Guess you have never used https://snapcraft.io/, https://flatpak.org/, or https://appimage.org/ because all of these do exactly that. Snap apps are straight linux containers and the others root like chroot jails I believe still.

Or even go take a look at Nix/NixOS and how they pull it off in another way. They have hermetic isolation down to a science.

Or heck, just look at what Android does, running each app under its own uid/gid, sandboxing 3rd party code, and keeping each app from reading and writing outside their little jails. Can't pollute a user directory or even write to /tmp if your user can't even enumerate it.

Hell, even built a whole sandboxing capability-based security model inside of Fuchsia at Google, which I worked on for 5+ years.

I've been building OSs for 20+ years, between Fuchsia and Android at Google and mobile/embedded products at Texas Instruments, so I hope I know what I'm talking about.

[Brian_K_White]

Android is a thoroughly managed appliance, not a general purpose OS.

Snaps should not exist. Flatpak and appimage should exist, but should not be used except in extreme cases.

You can have bad judgement for 20+ years easily.

[zbowling]

Nah. Your objections are rooted in the very limited definition of what an OS is and what a user application model is that fits it. There is no reason why each process/app can't be sandboxed. In fact, it should be for security (we did it in fuchsia). It's actually the way things work with apps from the app store on MacOS in a lot of ways where you can't escape your jail except through what is explicitly entitled.

General purpose just means that it's generally useful for a wide range of applications. Android is that. Hell, you can find Android running small appliance server infrastructure and powering IoT devices. Even in 2024, iOS/iPadOS is general purpose at this point, and they have VERY different application models from legacy app models you find on Windows and Linux. You wouldn't not call NixOS a general-purpose OS, and it's like flatpak for literally every process down to things like bash, grep, and vim.

Snaps are fine. Aversion is only from how it was introduced to people in Ubuntu, but conceptionally, is great. cgroups wrapping user processes to box them is not only good for security but also for stability and solving dependency versioning issues. It's brilliant. It's similar to what we did in Fuchsia at Google (we took it to another level because we had no legacy to deal with).

And sure, maybe I have bad judgment on some things. I contributed a ton to GNOME in the early 2000s both code and ideas that were horrible in hindsight, but I'm not still stuck in an outmoded mental model for thinking about my user environment.

[account42]

> Guess you have never used https://snapcraft.io/, https://flatpak.org/, or https://appimage.org/ because all of these do exactly that. Snap apps are straight linux containers and the others root like chroot jails I believe still.

AppImages are not containers at all. They bundle up the program data into a single archive but do not do any sandboxing and leave programms to write their user/config/cache files to wherever they would be written without AppImages, i.e. in xdg-basedir locations. As it should be.

> Or even go take a look at Nix/NixOS and how they pull it off in another way. They have hermetic isolation down to a science.

NixOS's packaging is also completely orthagonal to the xdg-basedir spec.

> I've been building OSs for 20+ years, between Fuchsia and Android at Google and mobile/embedded products at Texas Instruments, so I hope I know what I'm talking about.

None of those are desktop operating systems. Please stay away from those with your anti-user opinions.

[fragmede]

Or Qubes, which goes further and features per-app VMs. Snaps was foisted on the community which was then unwelcoming of it, but per-app isolation isn't the worst idea.