There are two problems these are “solving”: API incompatibility and isolation. Both of this issues are a real problem when you want to run proprietary software.
When you have a source code of all applications and libraries you can compile them and otherwise patch them to get things working together most of the time. This way we don’t have to worry about changing libraries that much.
When you can trust your software you don’t need isolation.
For programs like Firefox things are a bit different since it is, by default, running untrusted software and it’s sandbox will never be perfect. You can get isolation without duplicating all dependencies using process isolation (what Android does) or even using namespaces where you share your root files system but not your home directories.
So for open source software these systems are creating more problems then solving. For running potentially malicious system on Linux I don’t think we have a good solution yet, or if we even should waste time solving it. There are better OS designs that would make this easy (Plan9, object-capability bases security, etc.)
As for Windows the business model that MS is trying to support is vendor locking combined with licensed closed source binaries. In such case the long term backward compatibility is a must. And consequences of such models we are all aware of.
You can statically link binaries. Plan9 does only that, Rust and Go only support static linking (by default). The problem is that you need a good meta-data system that will allow you to track what was linked into each binary, so that if there is a security issue you know exactly what needs to be rebuilt. I don’t think we have such a system yet. If I have a bug in OpenSSL I just update that, restart servers using TLS and it is patched.
There are two problems these are “solving”: API incompatibility and isolation. Both of this issues are a real problem when you want to run proprietary software.
When you have a source code of all applications and libraries you can compile them and otherwise patch them to get things working together most of the time. This way we don’t have to worry about changing libraries that much.
When you can trust your software you don’t need isolation. For programs like Firefox things are a bit different since it is, by default, running untrusted software and it’s sandbox will never be perfect. You can get isolation without duplicating all dependencies using process isolation (what Android does) or even using namespaces where you share your root files system but not your home directories.
So for open source software these systems are creating more problems then solving. For running potentially malicious system on Linux I don’t think we have a good solution yet, or if we even should waste time solving it. There are better OS designs that would make this easy (Plan9, object-capability bases security, etc.)
As for Windows the business model that MS is trying to support is vendor locking combined with licensed closed source binaries. In such case the long term backward compatibility is a must. And consequences of such models we are all aware of.
if needed, whats wrong with static linking?
You can statically link binaries. Plan9 does only that, Rust and Go only support static linking (by default). The problem is that you need a good meta-data system that will allow you to track what was linked into each binary, so that if there is a security issue you know exactly what needs to be rebuilt. I don’t think we have such a system yet. If I have a bug in OpenSSL I just update that, restart servers using TLS and it is patched.
Fantastic idea! This would be a really important project to see developed!
Just nitpicking here, but last week i learned golang binaries are not statically-linked (at least not completely).