> The fact that you must trust programs to do the right thing is the root cause of the problem.
Well, yeah, that's the issue. That's why relying on simple DAC is so inadequate. Really, some kind of MAC is needed. Things like pledge and unveil are nice but clearly inadequate (I actually had a pretty braindead discussion on that recently, with someone not understanding the differences and trying to equate them out of ignorance, sigh).
Ahem. It might not solve the issue but it's to late to bring Multics back. And I acknowledge Multics was far better in security.
Also, something I would like it's the polar opposite with the MIT/ITS philosophy + Emacs. There's GNU Guix, but I don't like Ice-9's crap on Guile as if it was the default, I prefer SRFI's. Something hackable from the start, with Scheme as the REPL and a Scheme based window manager. Gnome with Mutter bindings to Guile instead of GJS would be a dream.
Well, yeah, that's the issue. That's why relying on simple DAC is so inadequate. Really, some kind of MAC is needed. Things like pledge and unveil are nice but clearly inadequate (I actually had a pretty braindead discussion on that recently, with someone not understanding the differences and trying to equate them out of ignorance, sigh).