by armadyl 71 days ago
> As a general principle, application developers should not have free rein to modify my system's configuration, and OS's should do their part to make it very difficult for developers.

Funny enough macOS, iOS, iPadOS and Android do this and they are constantly attacked for it.

I do think there needs to be more strict adherence by developers to standards like XDG but I don’t know how it could be enforced.


They are constantly attacked because they prevent users from modifying the system configuration, not just app developers.
From the operating system’s perspective, everything is the user. Or everything is an app developer. Depends on perspective. Disambiguating reliably, in a way you’d consider reasonable, is not trivial (and arguably impossible).
Phone-style isolation is more like giving each app a separate user account. With that level of isolation and robust permissions, apps can do very little "on your behalf".
How do you do anything on a computer that’s not via an app of some description? Do you make arbitrary exceptions for the likes of zsh and chmod? How does the OS know that chmod was knowingly run by the user, and not by some “sudo wget” exploit?
> How do you do anything on a computer that’s not via an app of some description? Do you make arbitrary exceptions for the likes of zsh and chmod? How does the OS know that chmod was knowingly run by the user, and not by some “sudo wget” exploit?

I'm not sure what the purpose of the question is, because a unixy command line doesn't use phone-style permissions. I didn't say everything works this way.

If I installed photoshop with phone-style permissions, it wouldn't be able to invoke chmod and wouldn't even be able to access my downloads folder.

(Trying to tighten down a command line shell ends up being a tangent, but the short answer is that zsh itself would need to be trusted and hardened, and wget would not be allowed to run chmod. When it comes to downloading a script and then running that script on purpose, you probably just have to accept that doing so bypasses the permission system. Thankfully I very rarely need to do something like that.)

So you installed a text editor and wanted to edit /etc/hosts. Should the OS permit you to save your changes or not?

Now what should happen if the text editor decides to modify /etc/hosts without your knowledge?

I'm not sure I fully understand you. All those OSes try very, very hard to disambiguate between apps and the user itself?
A program touches a system file. Is it due to its own logic, or is it your editor saving a file?
Pretend you’re the operating system for a moment. What does “the user” look like, if not an app doing things?
If a user can do a thing, then an app can ask the user to delegate those permissions to it. And since 99% of users don’t read permission dialogs, the two ideas are completely equivalent. The only way to prevent an app from doing a thing is to make it impossible.
Even if users do read permission dialogues, how many Adobe users out there actually understand what modifying the hosts file means? There can be no informed consent if the person who's meant to consent doesn't have the tools to understand the information.
I think we agree.
You can put pressure on app developers to use standard installation methods that don't give unrestricted access.

Even if users don't read the permission dialogs, you can make one path a lot easier. And you can flag anything too tricky as malware behavior.

OSes are doing a bad job of this, but they could do much better. Linux is making the most progress on various package formats.

> I do think there needs to be more strict adherence by developers to standards like XDG but I don’t know how it could be enforced.

It can't be enforced. Developers can and will always do whatever they want with the tools available. For good ends (Adobe) or for ill (malware).

If you try to fix it with sandboxing and closed app stores (Apple forcing sandboxing and using SIP), you get attacked. If you don't try to fix it and let devs do as they please (Microsoft allowing host file editing), you get attacked. The conclusion of these incompatible goals? HN and nerds have zero relevance in policy discussions, because they don't have a consistent policy to offer [1].

[1] Unless, of course, you define "devs shouldn't be able to do anything bad even if they choose" and "users should be able to do anything bad if they choose" and "users should be able to write their own software capable of bad things while simultaneously not being held to the standard of devs" as a compatible principled position.

I think somewhat sandboxed is fine, but the user should at the end of the day be allowed to let things out or get out of it.

The problem with things like iOS is the user can't make that choice. Also what you call 'bad' is up to the user. At the end of the day a user should be able to adjust things even at root level or request other software to do that on their behalf. Heck, for iDevices, owners should be able to load their own signing keys at a minimum for the Boot-ROM.

As for Adobe, most people would not expect their software to touch the hosts file, so it's fine to call them out here. Someone using a utility or tool that you would expect to edit the hosts file, that's fine, and people should be able to use or make such a tool. (The OS should not prevent the user/owner if that's what they want.)

Yea, that's what I was getting at. The user should be king. Not the application developer, not the OS vendor. The user should be able to easily say yes/no to these things and have the final say.