> But fundamentally right now the desktop is still one security domain, > and I don't see that changing in the near future.
The desktop is quite a few security domains. Mail clients handle certificates and dangerous remote content, other tools render untrusted content like PDF, while the desktop panel probably deals in little more dangerous than weather reports. > > > Not to mention a bunch of other problems. It's > > probably better to just fix the VM's. > > Far harder - and I think it would likely require language semantics to > change, in particular for Python. > > Having one VM for Python applets would not be rocket science. Someone > just needs to spend the few days on it, and get patches to use it > upstreamed. For applets it would be a huge help and I agree not be a security issue. More generally it would make SELinux rules harder to get tight. Taking out the commonly used python apps and replacing them with compiled code would be an even bigger performance and size leap. Alan _______________________________________________ desktop-devel-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/desktop-devel-list
