amluto 8 hours ago

The whole “server facing the Internet” attack model is real, but it’s rather out of date. Especially if you’re a programmer, the software on your machine is likely to try to attack you.

In any case, the right solution for saving files from Thunderbird has been known for years: “portals” or whatever a particular sandbox system calls it. The sandboxed code in Thunderbird asks more privileged code to pop up a file chooser, and Thunderbird gets to save the chosen file. Zero friction and excellent security. Sadly, no one has gotten the whole ecosystem to play along. Android has supported this for years and app developers complain and refuse to use the correct API. iOS apps barely support files. I think Flatpak can do this, but almost no one does it.

ptsneves 7 hours ago

Thanks for answering.

The threat model for a programmer is likely much more complicated than for a regular user, but not related to sandboxing.

Regarding the "server facing the internet is real", I am not sure I get your point. Could you elaborate?

The point you make about portals and how the support exists but neither the Flatpak, iOS nor Android ecosystems get it right is very revealing: when nobody gets it right, it likely means the design is broken. Even Fuchsia failed, and it was an OS built from scratch to focus on userspace isolation and contracts for IPC and syscalls.

Anyway, it is very unfair to the users when designs supplant existing ones, breaking things that used to work. Again, we are talking about very basic computer usage patterns that have existed for several decades.

amluto 3 hours ago

> Regarding the "server facing the internet is real", I am not sure I get your point. Could you elaborate?

What I mean is: once upon a time, computers were often not really accessible to the Internet, and a server with an open port was the major attack vector. Sure, you could maybe get compromised by opening a malicious document that someone emailed you or gave you, but that was a slower-moving and more unusual attack vector. The code that you intentionally executed was largely things that you bought, possibly offline and possibly online, installed, and used for a long time.

Nowadays, everything has a web browser, but fortunately it has a decent internal sandbox. But people run "apps", and "apps" have broad permissions and, by design, execute code that comes from their supposed vendor. And people literally buy out vendors of popular apps to be able to deploy arguably malicious code to their user base. And some of these "apps" and plenty of developer applications, by design, run code or the equivalent of native code (thanks, Apple, for your lovely incoherent policies about code integrity) that comes from third parties, and possibly from the fourth parties selected by those third parties, etc., and auto-update this code. Increasingly, people do things like running MCP, which is basically a tool to give a remote system remote control of your system. And, in my book, on client machines (e.g. the kind that are likely to use Flatpak or similar systems), all these things are more important attack vectors than servers facing the Internet.

yencabulator 3 hours ago

> I think Flatpak can do this, but almost no one does it.

Flatpak can do it poorly. What I see is opening a file for read once gives the sandboxed app write access to that path name forever.
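As an added illustration (not code from the thread, Flatpak or xdg-desktop-portal) of the portal pattern amluto describes and of the path-versus-handle distinction yencabulator raises: a toy broker stands in for the privileged file chooser and hands the "sandboxed" side an already-open, write-only descriptor over a Unix socket, so the app writes exactly the file the user picked and never learns a path it could reopen later. It assumes Python 3.9+ on Linux/Unix for `socket.send_fds`/`recv_fds`; the chooser's user selection is simulated by a function argument.

```python
import fcntl
import os
import socket
import tempfile

# Constructed toy model of the portal pattern: the privileged broker owns the
# chooser and the filesystem; the app only ever receives one open descriptor.

def broker_choose_and_open(chosen_path: str) -> int:
    """Privileged side. A real portal shows a file chooser here; the user's
    choice is simulated by the argument. Opens write-only, nothing more."""
    return os.open(chosen_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)

def sandboxed_save(app_sock: socket.socket, payload: bytes) -> int:
    """Sandboxed side. Receives one fd, checks it is the write-only handle it
    asked for, writes the payload through it and drops it. No path involved."""
    _, fds, _, _ = socket.recv_fds(app_sock, 64, 1)
    fd = fds[0]
    try:
        if fcntl.fcntl(fd, fcntl.F_GETFL) & os.O_ACCMODE != os.O_WRONLY:
            raise PermissionError("broker handed back an unexpected access mode")
        view = memoryview(payload)
        while view:                          # os.write may write partially
            view = view[os.write(fd, view):]
        return len(payload)
    finally:
        os.close(fd)

def portal_save(chosen_path: str, payload: bytes) -> int:
    """Drive both halves over a socketpair standing in for the IPC bus."""
    broker_sock, app_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        fd = broker_choose_and_open(chosen_path)
        socket.send_fds(broker_sock, [b"save"], [fd])  # SCM_RIGHTS transfer
        os.close(fd)                          # broker keeps no copy of it
        return sandboxed_save(app_sock, payload)
    finally:
        broker_sock.close()
        app_sock.close()

def demo(payload: bytes) -> bytes:
    """Round-trip a constructed payload through the portal and read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")  # the 'chosen' file, temp-only
        portal_save(path, payload)
        with open(path, "rb") as f:
            return f.read()
```

The grant here dies with the descriptor: once `sandboxed_save` closes it, the app holds nothing that refers to the file, which is the behaviour a path-based grant that persists "forever" does not give you.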