What about zero-install? [LWN.net]

What about zero-install?

Posted Jan 25, 2008 15:02 UTC (Fri) by vonbrand (subscriber, #4458)
In reply to: What about zero-install? by Tom2
Parent article: Fedora developers on PackageKit

A messed up system because the sole user installed lots of junk is different how from a messed up $HOME because the user installed lots of junk?

If you look around, latest malware doesn't take over the machine (it has become harder as MSFT has slowly tightened security), they content themselves with using the user's resources. Users installing applications under their control is exactly what such stuff needs...

(Log in to post comments)

What about zero-install?

Posted Jan 25, 2008 17:14 UTC (Fri) by Tom2 (guest, #43780) [Link]

You wrote: "Sure, if it is a one-user machine, [Zero Install] works fine", so let's look at
multi-user machines, which is (presumably) what you have a problem with.

On a multi-user system, a messed up system is worse than a messed up user account because:

1) All users are affected.

2) Any security policies that might limit the damage (iptables, AppArmor, SE-Linux) are
compromised too.

On a single-user system (where the user is the admin) and where the user doesn't make use of
multiple accounts or other sandboxing or security technologies you're right: Zero Install
isn't a significant improvement on Debs. Except, of course, for the benefits mentioned by the
OP:

"No admin rights needed, minimal dependencies on the host, multiple (eventually conflicting)
dependencies handling, distributed depository setup (i.e. an ISV can publish software by
himself)."

(and let's all agree that on a single-user machine, a user who accepts Zero Install's "Do you
trust this GPG key" question is just as likely to enter the sudo password when dpkg prompts
for it).