Comment by iggldiggl
17 days ago
> The way to do it on a desktop, is to allow the user to choose exactly which resources a program may use, at runtime, by dialog boxes similar to the ones they already use, but with the additional behavior that the operating system enforces their choices, instead of just praying a program operates as intended.
> We can have secure and user friendly compute, both in our desktops, and in all our devices.
I'm doubtful about that, e.g. basically all existing file system sandboxing implementations that I'm aware of tend to break workflows that are more complex than "open exactly the one single file the user selected". (Apple's implementation tries a bit harder, but you still run into limitations pretty quickly.)
E.g. when I open an image in my favourite image viewer, I don't just want to view the one picture I've opened; often enough I also want to browse through other pictures within the same directory without having to explicitly open all those other images through some OS-secured gateway. And even that isn't enough, because my favourite image viewer also has the nifty feature of being able to quickly switch into a different directory (plus it has its own built-in thumbnail directory browser), so ultimately the only way to use its full functionality is through full file system access.
Or videos – subtitles are often enough stored in separate files, so a video player will want to look for those files, too, when it starts playing a video. Split-up archive files work along the same lines, too.
And never mind things like HTML or DWG files, both of which can reference arbitrary other files up and down the directory hierarchy which need to be loaded at the same time, too…
Now the OS can't be expected to know about the peculiarities of each and every file type, plus you can't make permissions dialogues arbitrarily complex, either, which leads you back to the dilemma of ultimately either breaking more complex workflows, or else having to provide an escape hatch that then promptly runs the risk of getting abused by malicious actors, too.
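An added example, not part of iggldiggl's comment and not modelled on any real OS sandbox: a small Python policy model of the grant scopes the comment contrasts. A file-picker grant covers exactly one path, a directory grant also covers siblings (the subtitle file next to a video), and a tree grant covers descendants. Every path is normalised before comparison so that `..` segments cannot widen a grant, and refused opens are logged for later audit. The class names, the `Scope`/`Grant`/`Sandbox` API and all sample paths are constructed for this illustration.

```python
"""Toy model of file-system grants for a sandboxed desktop application.

Constructed example: the scopes, classes and sample paths below are
assumptions made for illustration, not any real sandbox's API.
"""
from dataclasses import dataclass, field
from enum import Enum
import posixpath


class Scope(Enum):
    FILE = "file"        # exactly the one path the user picked
    DIRECTORY = "dir"    # files directly inside one directory (no subdirs)
    TREE = "tree"        # a directory and everything beneath it


@dataclass(frozen=True)
class Grant:
    scope: Scope
    path: str  # absolute POSIX path, normalised on construction

    def __post_init__(self):
        # Normalise once so '/a/../b' and '/b' compare equal later.
        object.__setattr__(self, "path", posixpath.normpath(self.path))

    def allows(self, target: str) -> bool:
        target = posixpath.normpath(target)  # collapse '..' before checking
        if self.scope is Scope.FILE:
            return target == self.path
        if self.scope is Scope.DIRECTORY:
            return posixpath.dirname(target) == self.path
        # TREE: the directory itself or any path beneath it
        return target == self.path or target.startswith(self.path.rstrip("/") + "/")


@dataclass
class Sandbox:
    grants: list = field(default_factory=list)
    denied: list = field(default_factory=list)  # audit log of refused opens

    def grant_for_picked_file(self, path: str, scope: Scope = Scope.FILE) -> None:
        """Turn a file-picker choice into a grant of the requested scope."""
        base = path if scope is Scope.FILE else posixpath.dirname(path)
        self.grants.append(Grant(scope, base))

    def open(self, path: str) -> bool:
        """Return True if any grant covers the path; log the refusal otherwise."""
        ok = any(g.allows(path) for g in self.grants)
        if not ok:
            self.denied.append(posixpath.normpath(path))
        return ok


def video_with_subtitles(scope: Scope) -> dict:
    """Player opens /media/film.mkv, probes for a sibling .srt, and one
    request tries to climb out of the directory with '..'."""
    sb = Sandbox()
    sb.grant_for_picked_file("/media/film.mkv", scope)
    return {
        "video": sb.open("/media/film.mkv"),
        "subtitles": sb.open("/media/film.srt"),
        "escape": sb.open("/media/../home/user/private.txt"),
    }


def html_with_shared_assets() -> dict:
    """Viewer opens /docs/site/index.html, which links ../shared/style.css.
    No grant derived from the picked file's own directory is wide enough;
    only a tree grant rooted above both directories lets the asset load."""
    results = {}
    for scope in Scope:
        sb = Sandbox()
        sb.grant_for_picked_file("/docs/site/index.html", scope)
        results[scope.value] = sb.open("/docs/site/../shared/style.css")
    wide = Sandbox(grants=[Grant(Scope.TREE, "/docs")])
    results["tree-at-/docs"] = wide.open("/docs/site/../shared/style.css")
    return results


if __name__ == "__main__":
    for scope in (Scope.FILE, Scope.DIRECTORY):
        print(scope.value, video_with_subtitles(scope))
    print("html", html_with_shared_assets())
```

Running it shows the trade-off in miniature: the single-file grant blocks the subtitle file, the directory grant admits it while still refusing the `..` escape, and the HTML case only works once the grant is rooted high enough to cover both sibling directories, which is the escape hatch the comment warns about.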