On 11.09.2015 07:41, Michael Catanzaro wrote:
> If you can do whatever you want, you'll probably install the
> first non-sandboxed, non-xdg-app-ified third-party app that you want to use. If
> that becomes commonplace, it will totally defeat the purpose of having
> application sandboxes: we might as well not bother, because sandboxing
> all the non-malicious applications does us zero good if the malicious
> applications simply don't use the sandbox. Analogy: Windows and Java
> application signing is intended to make it harder to distribute
> malware. It's also totally worthless, because it's optional, and nobody
> cares whether an application is signed or not, or even understands what
> that means. (In fact, it's worse than worthless, it's actively harmful,
> since it trains users to ignore security questions.) This is *exactly*
> what is going to happen to xdg-app if we allow running things that
> aren't xdg-apps. It's also what's going to happen to sandboxed xdg-apps
> if we allow running unsandboxed xdg-apps. Even if most apps play nicely
> in the sandbox, you're just going to get owned by the ones that don't,
> and building the sandbox was a waste of effort.
That's a very good point, but imho it's overstated a bit, since the
hypothetical malware apps aren't going to be as widely installed as
non-malware apps.

The desktop should provide an easy and obvious way to install trusted
apps from a curated app repository (xdg-app-store?), which ought to make
it hard for users to install trojaned builds of the popular apps.

Sandboxing apps that aren't malware but do read untrusted input is still
very valuable, as it limits the damage from potential exploits and *will*
increase security in practice.