
I don't want this, I wouldn't use this. I guess I'm just not optimistic enough to see this work:

Flatpak, Snap, etc. don't work, as they just try to make the current desktop philosophy secure without the application and the rest of the OS really being aware of it. Android and iOS have been designed to offer native features for fine-grained access control and isolation. For a desktop OS, you need the same, from the ground up, and every app needs to be tailored to this. You'll start with a desert and tumbleweed.

This will never work, because it's simply too late: The web. A Chromebook pretty much does all the isolation you want on a different level, and is enough for the vast majority of people. I know you can now list a thousand things you cannot do in a browser and whatnot, but consider that the folks here on HN are a very rare breed.

And again, as you even said, for such a hypothetical sandboxing desktop OS, user space needs to be rebuilt in large parts from scratch. Not in a hundred years. There are so many things that are still lacking on the Linux desktop today that this would at best be yet another experimental toy OS with no real-world usability.

For me it's simply two separate, physical machines, one for online banking and sensitive stuff, the other for dev work, games, goofing off, and one or two android devices for other random crap. That's my sandboxing.




I think this is a good idea anyway. I love how if I install some dodgy app on my phone, it can't access the private, stored data of other apps. It can't steal my Google or Facebook credentials. And it can't cryptolocker my filesystem.

My desktop computers are designed with this old "user security" model that I don't use at all, since I'm the only user anyway. User security protects ... uh, the operating system I suppose, which I could reinstall in 20 minutes anyway. But we're missing a much more important security boundary, which is between one bad program and all my other stuff. Every program you run today on desktop is inexplicably executed with full permission over all of your private files, and, worse, it has full network access. It's an insanely terrible design.

We /could/ retrofit the user security model to help us isolate applications. But personally I think it would be easier to just design and implement something good from scratch.

(For the security people in the room, the threat model is a bad program, or single bad npm package gets pulled into a program you run. How do we limit the blast radius?)


This is nice, but what problem does it solve? Mobile and Desktop operating systems solve different issues on their own.

Ubuntu tried this - how'd that go?

Second issue is: how do I use it? How can I install it on MY devices?

I'm all for privacy and I want to use it; it just seems like a dream and it will never come to fruition.


If you can't do it on desktop, you can't do it at all. Mainly because some of us have real work to do.

If the only "usable" implementation is on a hard-to-physically-secure mobile device that uses a tonne of different uncontrolled network access points a day, that's not really an option now, is it?


I worry that it's worse. They have been working on this for years, but I think that they may have assumed that their desktop market dominance was so sound that they just didn't care to put the effort into privacy. What are you going to do, Linux Desktop?

This seems like the general attitude that delivers lackluster solutions across many products, like Teams, SharePoint, etc.


Good point. Let me switch to Ubuntu, which definitely doesn't have any privacy invasions in its desktop environment....

Yeah, at second glance it actually (as proposed - huge caveat) might even be better for privacy.

I can't begin to theorize how the future will play out if you need a PAT to access most web destinations. Do Cloudflare or Apple engineers use Linux machines ever? Surely they do, and either know this is bad or have some plan to make it work?


Yeah, I find the creep of web app security mentality into the desktop to be a disaster. I want to be able to easily snoop on and control my GUI and I absolutely don’t want some display system to decide it knows better than me about this sort of thing.

I'd rather see the web evolve even further and make "apps" irrelevant and have a desktop OS on my phone, that respect my privacy, rather than the other way around... And FOSS!

This is such a bad take.

I'd love the easy ability to run confidential computing loads with fine grained control over the data it gets access to. You can do this now on the desktop using SGX (etc) but on mobile it's really hard.

As a specific example of this, it'd be great to be able to run Whisper continually and have strong, system level guarantees about what can read the data.


People here are probably on the cautious side of centralising all of their online identities and activities into one app. Our privacy is under enough threat as it is.

Besides, I don't want to migrate everything I do online to a smartphone (it would have to be Android or iOS then, because that's all they support of course — vendor lock-in is not so great for innovation) or a sanctioned PC OS. In fact, most of the time I don't even want to run some service's software, except for those that run in the sandbox that is my web browser (i.e., websites and web applications).

Actually, all things considered, we already have that one app that does it all: the web browser.


I don't understand the responses in this thread. Does nobody want an OS with a permissions system where you can reliably control access to resources? Or strong app sandboxing by default to keep Chrome from sniffing your files (allegedly, this is virus scanning)? There isn't any loss of freedom with those as long as your superuser can modify it all; it's a gain of freedom in that you can have some control over what your random proprietary programs are doing.

Finely grained permissions mean bad UX, and as Android has shown, you gain nothing practical from that, since people will learn to ignore them pretty much like they learn to ignore the UAC warning, while on the other hand you lose the flexibility, functionality and openness of the entire system (all significant pillars for ensuring user control).

Note that I'm not saying to disconnect computers entirely; I'm saying to rely less on connected computers. Simple stuff like using LibreOffice or MS Office instead of Google Docs, using a desktop calendar and other tools instead of relying on "web apps", and instead of using a "cloud-based solution" for syncing data with your mobile phone, just connecting it directly to your computer (via wifi, bluetooth, whatever; this is a UX issue mainly, but it doesn't have to roundtrip with someone else's server). Stuff that makes you and your computer less reliant on the network.

Not everything can work like that of course, but then instead of trying to isolate applications from each other using fine-grained separation, we can simply treat the network itself as hostile and try to defend from it (e.g. applications that can access the network cannot access outside of a designated folder: the OpenBSD pledge approach, but forced on all applications that access the network). I think it is a much easier, more flexible, user-controllable and understandable approach than UAC on steroids or any other approach that relies on application segregation.

It does require a massive shift in developers' mindsets and profit incentives for companies though, which is why I do not see such a thing happening.


This gets silly, though. If you are going for full isolation where applications can't just let the user have data, then you have to coordinate every app talking to every other app.

This is why the share button on a phone is ridiculous. Instead of just copying to the clipboard, you get a ton of options.

Is it safer? Hard to say. I can do less and have less capabilities without more active work from the developers.

There is something to be said for this, of course. But it seems a losing game. I contend there is no technical panacea to security versus convenience.


As far as desktop OSes go, I think the much larger problem is how to let users control the degree of sandboxing an application has. On mobile we're broadly used to each application asking for permissions (and whether we've trained users to just hammer 'allow' until it proceeds) and each is largely independent.

Windows also has its legacy software that wouldn't know about new restrictions, so it would need dummy access until allowed, and UI for the user to gain understanding about why their newly downloaded utility can't access their webcam and all their files yet, and how to rectify that. Windows already has something like this through controlled folder access, but I've yet to hear of someone who turns it on. Part of the biggest strength of desktops is how all the software/hardware parts combine, so I think this is high stakes in terms of not pissing people off so the feature actually gets used.
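The comment above mentions Windows controlled folder access as an existing, rarely enabled instance of this kind of restriction. The following is an added example, not code posted in the thread, showing how an administrator would inspect the feature, trial it in audit mode, allow one known tool, and then enforce it with Microsoft Defender's `Get-MpPreference`, `Set-MpPreference` and `Add-MpPreference` cmdlets. It assumes Microsoft Defender Antivirus is the active engine and an elevated PowerShell session; the folder and executable paths are constructed placeholders.

```powershell
# Added example (not from the thread): inspect, audit, tune and enforce
# Microsoft Defender Controlled Folder Access.
# Assumes Defender Antivirus is active and this runs as Administrator.
# Paths below are constructed placeholders, not real deployments.

# 1. Current state. EnableControlledFolderAccess is Disabled, Enabled or AuditMode.
$pref = Get-MpPreference
"Controlled Folder Access: $($pref.EnableControlledFolderAccess)"
"Protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed apps: $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Start in audit mode: writes by unknown apps are logged, not blocked,
#    so legacy software keeps working while the allow-list is built.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect a folder beyond the built-in defaults (Documents, Pictures, ...).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Projects\Customer-Data'   # placeholder

# 4. Allow one specific, known-good tool that legitimately writes there.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\backup.exe'      # placeholder

# 5. Review what audit mode would have blocked before enforcing.
#    Defender logs these as event 1123 (blocked) and 1124 (audited)
#    in the Microsoft-Windows-Windows Defender/Operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize

# 6. Enforce once the audit log shows only expected writers.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

The audit-mode step is what addresses the "dummy access until allowed" problem the comment raises: legacy tools keep writing while the 1124 events reveal which of them need an explicit allow entry, and only after that list is settled does the switch to `Enabled` start blocking.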


This seems neat, but is taking a lot of control away from the user and is a privacy nightmare.

I would love to see open source and offline alternatives with the same purpose, as well as perhaps a Mac OS counterpart to this.


You are deluded. Modern internet developers don't do this sort of thing. Not what you've described. Not as you've described it.

It's never about deploying features that can't be explicitly controlled by the mothership. Furthermore, the graphics processing you're envisioning will consume battery power and might be kiboshed by the end-user's OS arbitrarily. That alone (lack of OS control) gives developers a plausible way to rationalize the Orwellian.

You want things to work in a way that will never ever happen.


I'm almost at the same stage that you are. I think that as powerful as traditional desktop operating systems have been, they are clearly less secure than mobile operating systems which sandbox applications. People have sensitive data on their devices, and it is simply far too easy to get harmful malware on your machine. Whether from an external developer becoming compromised, or actual malicious behaviour.

I still download popular third-party programs (i.e. not in the OS repos), especially if they are open-source (i.e. just GitHub) and there is evidence of active maintenance with a significant number of contributors to the project, or if it is from a reputable, popular real-life person.

I think it is a real shame. I should be able to download any program and know that it isn't just going to be trawling through the files on my PC without the OS at least asking me (and so on). It's a tricky balance between sandboxed "useless" apps and god mode, but something that I feel desktop OSes need to focus on if their platform is to survive.


Not to mention the sandboxing. I'm glad a lot of the "apps" I use are just "webapps", so that I can trust them less. A user process on a desktop OS is given an insane amount of permissions by default, though this is being fixed, slowly.

I'm not sure you can guarantee a great user experience on a free, open web with user privacy and choice on a device you don't have rights to because it's completely locked down beyond your control by the vendor.

There should be a way to run a device that's not controlled by Google, Apple or Microsoft; not just because you're "paranoid", but because you'd like to learn and contribute, and maybe come up with some cool ideas yourself.

Case in point: because it's open-source, you could work on those browser features you'd like to see on mobile systems.

