Our sandboxed apps won't really protect users

Michael Stahl mstahl at redhat.com
Fri Sep 11 11:25:00 UTC 2015


On 11.09.2015 07:41, Michael Catanzaro wrote:
> If you can do whatever you want, you'll probably install the first non
> -sandboxed, non-xdg-app-ified third-party app that you want to use. If
> that becomes commonplace, it will totally defeat the purpose of having
> application sandboxes: we might as well not bother, because sandboxing
> all the non-malicious applications does us zero good if the malicious
> applications simply don't use the sandbox. Analogy: Windows and Java
> application signing is intended to make it harder to distribute
> malware. It's also totally worthless, because it's optional, and nobody
> cares whether an application is signed or not, or even understands what
> that means. (In fact, it's worse than worthless, it's actively harmful,
> since it trains users to ignore security questions.) This is *exactly*
> what is going to happen to xdg-app if we allow running things that
> aren't xdg-apps. It's also what's going to happen to sandboxed xdg-apps
> if we allow running unsandboxed xdg-apps. Even if most apps play nicely
> in the sandbox, you're just going to get owned by the ones that don't,
> and building the sandbox was a waste of effort.

that's a very good point, but imho it's over-stated a bit since the
hypothetical malware apps aren't going to be as widely installed as
non-malware apps.

the desktop should provide an easy and obvious way to install trusted
apps from a curated app repository (xdg-app-store?), which ought to make
it hard for users to install trojaned builds of the popular apps.

sandboxing apps that aren't malware but do read untrusted input is still
very valuable as it limits the damage from potential exploits and *will*
increase security in practice.
