by EvilTerran 5061 days ago
Software: Don't install shit you don't trust. Don't trust shit you can't verify.

This one is pretty tricky. There's a lot of little tools out there that I find invaluable, and haven't screwed me over yet (as far as I know), but fall firmly in the "downloaded it off someone's little personal website" category.

I'd say we need better fine-grained permission systems for software, so people can install programs without needing to trust them, safe in the knowledge that they'll get the opportunity to deny any malicious behaviour before it actually happens.

2 comments

That's what the Mac App Store is starting to do, but unfortunately, it's "completely sandboxed in the store" or "not in the store". I'd like a model that started completely sandboxed but let me choose if I want to let it out of the sandbox in certain, well-monitored cases.
let me choose if I want to let it out of the sandbox in certain, well-monitored cases

That's exactly what I mean. I envisage something kinda like Windows 7's UAC dialogs, but more specific than "this program wants root! [allow] [deny]" -- more along the lines of "this program wants to install a driver / write to such-and-such protected files (its own program folder/anywhere in Program Files/the Windows folder/...) / low-level disk access / to run at startup / etc. [allow] [deny]".

Actually, I'd specifically forbid "all permissions" as an option; an enumeration of every permission a program wants would make the user more likely to notice unreasonable requests than a single item would, even if that single item's actually "everything". I get the impression, from seeing ordinary users dealing with UAC, that they don't usually appreciate quite how much power they're giving programs when they hit "allow".

I believe that's similar to what SELinux does, although I've never used it beyond observing its presence on university-owned computers.

That's what Apple's shooting for with the App Store's sandboxing requirements, but I'm sure the typical HNer will continue to have a few programs that need to operate outside the limited entitlements that the App Store allows. Still, it'll be better to have a single digit count of those on your computer instead of anything being able to erase your home folder without asking.