They're extremely guilty of replacing the standards / implementations over and over again because they don't invest the time in coming up with a reasonable design from the start. Flatpak in particular is another total joke and doesn't even learn from 2008 era app security...
Conversation
If you think PipeWire replacing PulseAudio is going to be the end of that saga... or Wayland replacing X11...
When the replacements are so extremely flawed and impractical it's no wonder it takes no long to migrate to them and by the time it's getting done there's a replacement.
1
I could just point in the general direction of systemd and all the defacto standards tied to it. I don't understand the design approach. I don't understand writing all this new code in C either, particularly when the people doing it clearly don't have much understanding of C.
1
1
1
It's mostly completely oblivious to secure design and implementation approaches. Security is treated as if the way it's accomplishing is checking off a list of entirely optional user-facing features, with a completely insecure implementation / foundation underneath that.
1
1
1
Flatpak application security is literally opt-in and it's essentially designed around just giving access to everything and opportunistically eliminating it. Applications choose if they want to do things in a way that respects privacy and user consent or just use the old approach.
1
1
So, from the start, most of these technologies are disposable ones designed in a way that they need to be replaced. There's a weak attempt at making something incrementally better with the expectation that everyone puts in massive effort to migrate just for it to be replaced.
1
1
1
Anything using D-Bus which is most of this technology stack is dead on arrival since that's such an awful dead end approach. It was totally rejected for inclusion in the kernel which they needed to make it somewhat less bad. It's a massive security issue as it exists right now.
1
2
2
I have to deal with these things on my workstation and on servers. It's not fun. I mostly live in a terminal but this stuff creeps onto my system and I find the entire thing laughable. I don't know what they're trying to accomplish. It's like watching toddlers make an app system.
1
1
1
It's worse than toddlers. Children experiment and learn from it. The freedesktop people don't learn anything, and most of them are actually getting a paycheck to produce all that crap.
1
1
My issue with Flatpak is largely that it's not actually a well-defined application sandbox but rather applications bring their own security policy which is just not workable. It also repeats many of the things that are clearly mistakes. Should learn lessons from iOS / Android.
1
1
Having apps define their own security policy is terrible, but separately from that, coarse permissions for bulk data access are a bad model to encourage. Android has had to spend year after year making substantial privacy/security improvements many of them backwards incompatible.
And they are not even trying to provide parity with the awful way that things started out. It's so much harder to make things right after the fact like Android trying to do away with coarse permissions for shared storage which is effectively now delayed by a year until Android R.
1
There are so many lessons to learn from the failures and years of corrections in these mobile platforms with actual app sandboxes but they are seemingly not even capable of providing a real app sandbox that's meaningful. I don't understand how it can possibly be so bad.
1
1
Show replies