No its been people not updating their systems because if they do it breaks the apps.
The more important thing is the core system be up to date, if the app uses old libs and doesn’t update, that’s bad. But whats worse is holding the system in an much older state because its the only way to get X to work.
With a container model, the apps don’t break the system. Which ultimately, is more important. If a dev doesn’t want/care to update his software then that’s on him.
Mh well true… didn’t think of it the other way round.
How often have you heard this phrase:
Can’t update my system because it will break outlook.
So people just don’t update their system because that’s whats easier.
Never, because no-one sane I know uses Outlook 
Lol you’re lucky.
But at my current job we have a large AD infrastructure. So its a very delicate game.
That’s why SaaS took off so well. It was the X people needed to use and didn’t break because it wasn’t on their system. It was someone else’s problem to make sure it worked.
Basically like a container except it relied on a network stack for the I/O. With contains this ‘feels’ the same except it runs on the system.
Once applications fully switch to containers, people won’t give one cold shit if their OS ‘forces’ system updates on them.
Also it doesnt matter if the games libs are insecure as its sandboxed. any kind of exploit or whatever cant leak out into the host unless you let it.
This means that just flatpack, snap, etc have to keep support for the libs which is much easier todo then support a game from 20 years ago
Yup. its a One way data flow.
User input -> container.
Err if its a root exploit your hosed in a container.
It is an imperfect world.
what are you doing that has root privledges? a container should run entirely in userspace
If you have a compromised system, then ofc something like that would cause issues.
The whole point is that what’s inside the container stays in the container.
If you’re talking about the escalation bugs, then those are few and far between. But will get patched. Which is why its important to get system updates ASAP.
Every exploit tries to break out of userland to root. Even if the library running in a container gets root access. Your system is hosed.
Containers do not make you safer just apps safer to run.
If anything containers increase the attack surface if there internet facing.
Yeah, with system privileged escalation most of the time. Or through an exploit of a 0-day.
A container image is a lightweight, stand-alone, executable package of a piece of software that includes everything needed to run it: code, runtime, system tools, system libraries, settings. Available for both Linux and Windows based apps, containerized software will always run the same, regardless of the environment. Containers isolate software from its surroundings, for example differences between development and staging environments and help reduce conflicts between teams running different software on the same infrastructure.
https://www.docker.com/what-container
The internet is just an I/O channel.
In as it applies to the software running correctly.
If there is root exploit code in a container your hosed.
No you wouldn’t.
I’ll give you proof too.
Look at Azure or Heroku. They run stuff that anyone puts in them in containers. And if one of the containers goes bad it doesn’t hose their system. Its kept isolated, and dealt with.
Containers rock 
OK. agree to disagree. It’s only the internet.
Fair enough 
the thing is, there’s nothing that requires traditional packages to link to system libraries either, it’s just not turned on by default, which is a terrible practice. Also: there’s plenty of parallel build systems that cover all the major distros.
There’s no real ux improvement IMO – packages are bigger, security is compromised, you get nonstandard install locations, making fixing anything when it does (and in my experience with bot snaps and flatpaks, it always does) break a nightmare.
even if you want to argue that commercial software distribution stands to gain, the vast majority of vendors that do build linux versions just standardize on centos anyway for professional stuff, and even if they don’t they just take the (sane) .run universal installer route.
It helps people bolt on conversions AUR style, usually to the commercial vendors’ detriment because angry linux nerds start swarming their support forums when 420_penguin_Xx stops maintaining their repo. At least the AUR comes with the conceit that it isn’t always going to work, and still installs things in a standards-compliant way.
Agreed. Fpak and Snaps aren’t nearly as bad as kubernetes or dockers, but you still have really bad default settings that just don’t need to be that way.
I think this is much more of a problem on linux because general end users tend to be complacent about security because it isn’t windows.
I’d like to read something on someone hacking a container in order to bust out of it to the upper OS, especially since stopping that sorta thing is why containers were invented.
IE: You don’t put an ant in a canning jar, seal the lid, and the ant just walks through the jar. Thats not how it works.
If you’re a dumbass and break the jar or box of jars then you’re a dumbass and I can’t help you.
I’m not saying flatpak and snaps are perfect. I’m saying that containerization methodology is. But your concerns are valid, hopefully we could talk more about them in a specific thread or something.