[stouset]

Your perspective is coming from a very rigid all-or-nothing mentality and I don’t think it’s wise to see things that way.

Sure, a web browser that needs to open arbitrary network connections can be built to phone home. But nearly none of the components it’s built out of can. The image decoding and rendering libraries can’t touch the network, the rendering engine can’t touch the network, and nor can the dozens of other subcomponents it needs to work.

Your installed editor extensions can’t phone home even if the editor itself can. Or perhaps even the editor itself wouldn’t be able to, if extensions are installed out of band.

Your graphics driver vendor can’t phone home, your terminal can’t phone home, and on and on and on.

A solution doesn’t have to be perfect for it to be an improvement, so stop acting like it does.

[vlovich123]

But your editor extensions can’t phone home only if your editor sandboxes them into a separate process. Hint: VSCode doesn’t do such sandboxing and neither do most editors that I can think of.

Anyway, you’ve just proven my point with “install extensions out of band” - you’ve ceded that it’s a losing position technically and are arguing for alternative UX solutions. I’m not pretending it has to be perfect. Like I said, capabilities are great for creating a secure OS and writing more secure software more generally. But the threat model it’s protecting against is not software that phones home but against the size of the exploit opened up from a compromise.

Think about it this way, Android apps and iOS apps are largely sandboxed through a primitive capabilities system already, not super fine-grained capabilities but still the same concept. Would you care to claim that privacy and malware isn’t a problem on these systems or that the permissions model has meaningfully curtailed anything but the most egregious of problems?

[stouset]

Your editor doesn’t do it because handling, delegating, and slicing up capabilities isn’t a core part of the OS.

[vlovich123]

Firstly, VSCode runs on 3 major OSes that don’t have this capability and such software results the way it is partially because of targeting the lowest common denominator. Only a Fuscia first editor would do this.

Secondly, the editor also does it this way this because of reasons other than support within the OS because even with components it would need to design a capabilities model for extensions and a sandbox process to maintain the permissions - it’s much easier to just do the extensions in-process and not think about it.

[stouset]

> Only a Fuscia first editor would do this.

The difference is in that every single one of those other operating systems, applications just have network access. By default. No capability needed. This would not be the case in an OS centered around capabilities.

Multi-platform software develops integration with local OS APIs all the time.

Like I said, your thinking is way too black and white. Your inability to see a different world doesn’t make one impossible to exist. What is even the point of thinking this way? Your entire mindset boils down to “nothing can ever be better”.

[vlovich123]

We’re getting way of topic. What I said is that capabilities in an extremely limited to ineffective tool for the end user to try to enforce their own privacy and security because it doesn’t offer controlling for the semantics of what happens. For example, it would be very hard to take a fuschia system that simultaneously allowed for the Google assistant feature and not for telemetry / Google storing mic data that was sent to them.

I’d ask you refrain from personal attacks. That isn’t a fair characterization of what I said. All I said is that capabilities fundamentally doesn’t solve the phone home problem in many real world cases. I also highlighted that there are very real economic forces that must be accounted for in terms of understanding why software is architected the way it is. And no, there’s very few applications that have a completely different architecture per major platform which is what we’re talking about with capabilities. That’s very different from abstracting some platform-specific APIs here and there.