
Comment by necovek

5 days ago

I think you are mistaken. Just as neither Windows nor macOS has really solved the desktop app sandboxing story, neither has Linux.

Because, as I said in a sibling comment and cosmic_cheese notes further below, this requires rethinking the usage model altogether: files and folders, and even file types, don't work anymore.

If an app needs to access any related files, it basically needs access to my entire $HOME, and once that is granted, well, any sandboxing is out the window.

I think the Linux community is well aware of that, and basically what we get from sandboxing of desktop apps is all the nuisance with no benefit.

The Android model is also broken from a usage perspective: having files "owned" by an app is just as wrong, and precludes there being multiple apps operating on the same file. The example of VLC with subtitles is a common one, but if you've ever used multiple apps on the same file, this is the challenge that is unsolved by any sandboxing approach today, because it is more of a UX problem than a sandboxing technical problem.

I don't fully agree with cosmic_cheese's comment. If we take music as an example, you could put your music in a Music folder and open that folder using your music player/manager and that folder gets added to your sandbox. This is how macOS sandboxing works and it works fine. Moreover, you can protect certain directories by default, even for unsandboxed apps, as e.g. macOS does, where a random app that is not sandboxed cannot read your Mail, address book, documents folder, etc. unless you allow this.

All these things make security substantially better than the Linux model of every app getting access to your full home directory.

Sure, a capabilities-based OS or whatnot would work better, but it would be even harder to implement in the current desktop Linux. Instead of gradually improving security, you are basically throwing away the baby with the bathwater.

  • You get exactly that with snaps/flatpaks which are not given access to your $HOME.

    But even with your example, you might need access to cover art from your graphics editing app, and very quickly you get to the same state. How about a lyrics file from your text editor or a dedicated one? And wait, I'd like to mix some music into Audacity too. File portals are actually a decent solution there, but they only work for files with supported software.

    Yes, you can adapt your workflow, but it's going to be adapting and you will lose some things you might love in your workflow.
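The thread keeps coming back to one concrete question: which of the installed sandboxed apps have actually been handed the whole of `$HOME` (at which point, as necovek says, the sandbox is moot) and which only got a scoped folder such as Music? The following is an added example, not code from the thread or from the Flatpak project. It parses the keyfile-style text that `flatpak info --show-permissions <app-id>` prints, reads the `filesystems=` line from its `[Context]` section, and flags grants that cover the home directory or the host. The two permission dumps and the app ids below are constructed samples, and the `BROAD` token set is my own classification of which Flatpak filesystem tokens amount to "everything".

```python
"""Audit Flatpak filesystem grants for home/host-wide access.

Added example, not from the thread. Input is the text printed by
`flatpak info --show-permissions <app-id>`: a keyfile whose [Context]
section carries `filesystems=token;token;...`. Each token is
`path[:ro|:rw|:create]`, optionally prefixed with `!` to revoke a grant
(what `flatpak override --nofilesystem` produces).
"""
import configparser
import subprocess
from typing import Dict, List, Tuple

# Tokens that give the app (nearly) everything. `~` is Flatpak's alias for home.
# This set is the author's own classification, not a Flatpak-defined list.
BROAD = {"home", "~", "host", "host-os", "host-etc", "/"}

# Constructed sample dumps (not real app output).
SAMPLE_PLAYER = """[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-music;xdg-download:ro;
"""

SAMPLE_EDITOR = """[Context]
shared=ipc;
sockets=x11;
filesystems=home;!xdg-config/keyrings;/media;

[Session Bus Policy]
org.freedesktop.Notifications=talk
"""


def parse_filesystems(permissions_text: str) -> List[str]:
    """Return the raw filesystem tokens from a --show-permissions dump."""
    # configparser only treats ';' as a comment at line start, so the
    # semicolon-separated values survive; interpolation is off so '%' is literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(permissions_text)
    raw = cp.get("Context", "filesystems", fallback="")
    return [t for t in raw.split(";") if t]


def classify(token: str) -> Tuple[str, str, str]:
    """Split one token into (path, mode, verdict).

    verdict is 'revoked' for a leading '!', 'broad' for a home/host-wide
    path, and 'scoped' for anything narrower (xdg-music, /media, ...).
    Mode defaults to 'rw', which is what Flatpak assumes when unspecified.
    """
    negated = token.startswith("!")
    body = token[1:] if negated else token
    path, _, mode = body.partition(":")
    mode = mode or "rw"
    if negated:
        verdict = "revoked"
    elif path in BROAD:
        verdict = "broad"
    else:
        verdict = "scoped"
    return path, mode, verdict


def audit(app_id: str, permissions_text: str) -> Dict[str, object]:
    """Summarize one app's grants; 'risky' means a broad grant that is writable."""
    grants = [classify(t) for t in parse_filesystems(permissions_text)]
    broad_rw = [p for p, m, v in grants if v == "broad" and m != "ro"]
    return {"app": app_id, "grants": grants, "risky": bool(broad_rw), "broad_rw": broad_rw}


def live_permissions(app_id: str) -> str:
    """Fetch the real dump from the local Flatpak install (needs flatpak on PATH)."""
    return subprocess.run(
        ["flatpak", "info", "--show-permissions", app_id],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Offline demo over the constructed samples; swap in live_permissions(app)
    # for each id from `flatpak list --app --columns=application` on a real box.
    for app, dump in (("com.example.Player", SAMPLE_PLAYER),
                      ("com.example.Editor", SAMPLE_EDITOR)):
        report = audit(app, dump)
        flag = "RISKY" if report["risky"] else "ok"
        print(f"{app}: {flag} broad_rw={report['broad_rw']}")
        for path, mode, verdict in report["grants"]:
            print(f"  {verdict:8} {mode:6} {path}")
```

A `home:ro` grant is deliberately not counted as risky here: it still exposes everything for reading, so you may want to treat it as a second tier rather than "ok". The same parse works on `flatpak override --show` output, which is where user-level changes made through a portal or a permissions UI end up.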