Fedora opens up to bundling
Posted Oct 27, 2015 8:02 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
In reply to: Fedora opens up to bundling by javispedro
Parent article: Fedora opens up to bundling
Yes. But currently application vendors are not just at the mercy of the OS, but at the mercy of many packagers! It's even worse - what if your app depends on a feature of a package with an asshole maintainer?
> And these introduce even more headaches, because punching new holes may break old software (or even new software, if we look into selinux).
Quite unlikely. New APIs rarely affect the old APIs.
> And in practice this is a much more common scenario than a malicious presentation reading your browser story -- see long tradition of Office viruses. After all, you've already compromised the office suite, so there's 0% additional effort in doing that, while there's sure to be some platform and browser-dependent code in reading browser history.
Viruses these days exist to actually earn money for their developers. Botnetting and browser history (including CC information) are the easiest target, while documents are almost always useless.
> I still believe in that a smaller programs model is much better for security, and that the App Store model clearly goes against smaller programs; if only because it becomes much harder to share data between programs.
So basically you're saying: "I believe in magic and unicorns". No packaging system can make a complicated office suite a "small" program. It might remove a bunch of peripheral dependencies, but nothing else.
So let's actually think about the threat model. Suppose I want to steal users' credit card information.
1) If I have an exploit for a widely used library like zlib or libpng then I probably wouldn't want to bother exploiting LibreOffice, never mind trying to exploit a sandboxed LibreOffice.
2) I have an exploit for LibreOffice itself. With a naïve distro model I simply need to hack LibreOffice and I instantly get access to the browser's history with all the juicy CC info. With the sandboxed code I have to try and infect other documents, hoping that a user eventually opens a document with CC info.
So it appears that the distro model provides no advantage here. Now, there might be a question of update speed. A distro might be able to update a shared library faster than a vendor can go through a full formal QA process. And that actually might be a disadvantage.