Comment by zaphar
4 hours ago
I recently tried to make something properly sandboxed and, my goodness, we have basically crafted an ecosystem where everything needs access to everything. No wonder docker, despite all it's faults, is how everyone does it. You need an entire linux distro completely accessible in your sandbox.
POSIX is a millstone around the neck of the software industry.
If you wanted to do something really new in operating systems, you might think "POSIX is insecure" or "POSIX is bloated", etc. If you have a fundamentally different API though you have to write a whole new userspace. You're going to put in a POSIX personality so you can run bash and vim and nethack but once you do that you have the insecurity, bloat, etc.