I see the real utility these tools are providing to many folks, but ...

It just feels so ugly. Square peg meets round hole.

We built all these tools for defining security boundaries for user-installed applications, and it turned out that the Linux packaging/distribution landscape was such a wasteland that people spent a lot of time duct taping software distribution artifact reproducibility onto the security-boundary tools.

So now we're in this weird worst-of-all-worlds spot:

The simplicity, performance, and decades of work we spent to make it easy to develop powerful applications that run directly on userland is now bifurcated/trifurcated and a mess. The legibility of "I want to run an application that dynamically links a cryptography library; that library is provided by the distro and I know it is both patched and compatible with the rest of the distro" or "my application can access files/devices at /path/to/whatever and use those resources if it has permission to do so" is buried under tons of container indirection.

Meanwhile, as TFA explains in detail, the actual security/encapsuation boundaries that these tools were originally built for proved to be a fast-moving target for which tons of support is still missing years later.

We can see the possibilities of what could have been in other systems. Take BSD's pledge(2) for example: its approach is so aggressively oriented towards only solving the security problem that I can't really imagine a world where the pledge/capability system "grew" a packaging/distribution ecosystem the way Snap and Flatpak did. Or take plan9's approach: perhaps if we had modeled the entirety of the OS in such a way that the basic SysV permissions model (users, groups, files, permissions) covered as much as possible of applications' security sandboxing needs, then things like SElinux/snap/flatpak wouldn't have ended up being necessary.

The biggest thing that got us into this state wasn't the tools, though--it was the human stuff: the tensions between "distro/package repo maintainers are burnt out and want to support a relatively small number of dependency targets and ways to add things to the package graph on a given OS"; "app developers want to make complex software available to users as quickly as possible"; and "users are very willing to do insecure things to get new applications to run, but are generally unwilling to do complex things (configure/make, customize AUR sources, know what nix is) in order to install stuff".

Fast forward a few years, add a lot of false starts and other bullshit due to dueling desktop environments/compositors/audio systems, and where we ended up is not good.

The current situation is basically:

"Come on down to DLL hell but way worse, we have: tons of brittleness when apps want to talk to the rest of the OS (sucks for users--but only when apps need rare and advanced functionality like ... uuuh basic audio playback), all baked into highly complex container systems (sucks for application authors) aimed at delivering apps that each package their own look/feel/OS integrations (sucks for distro maintainers and consistency of UX) in massive "it's not actually static linking, I promise" images, each of which contains 75% of an OS, running on leaky isolates (sucks for the security patchers) with an update story of "just download the universe again" (sucks for bandwidth/CDN costs)."

Like, I understand how we got here. I get that it's better than the bad old days of "but which autoconf?"/"I just wanted to update my browser but then glibc-2.11-compat-compat-compat-but-for-real-this-time-FINAL updated and broke my bootloader". And I get that some of those areas might improve over time (e.g. OCI images help with redownload-the-world; eventually Wayland will percolate around and the container runtime X compositor geometric complexity explosion will die down; someday someone will finally fix universal D-Bus discoverability and security for the eighteenth time...).

But overall it is and will remain a mess at a fundamental, philosophical level. Seems like the Linux ecosystem did this in a maximally slow and fragmented way, which is nothing new. But it sucks to see such an "everyone loses" end state as the result.