Fedora Updates Its Packaging Policy To The Ire Of Some Developers


  • #11
    Kids who have grown up knowing only the Microsoft Windows way of bundling everything as a big binary blob, or maybe the few who have known the Apple way of bundling everything as a big binary blob, are now in a position to dictate that the only sensible thing for distributing their Linux software is as a big binary blob. It works on Windows, it works on Macintosh, make it work on teh Linux.

    This is the twenty-first century. Security is not a concern any more. Software is something that gets written quickly by anyone without specialized knowledge, dumped on a consumer, and forgotten so the developer can move on to the next big shiny. If it causes a problem, dispose of it and get a new one.

    You're going to see all the big distros pandering to this in the next while. Just grab a docker blob or equivalent, stick it on your (real or virtual cloud) device and go. No need to worry about licenses or compatibility or issues. After all, it works for apps on your iPhone or Android device and it's so simple even your boss could do it.



    • #12
      We should just let applications overwrite the system libraries with their own versions. Doesn't anyone else miss "DLL Hell" from the Windows 98/ME days?



      • #13
        Originally posted by bregma View Post
        Kids who have grown up knowing only the Microsoft Windows way of bundling everything as a big binary blob, or maybe the few who have known the Apple way of bundling everything as a big binary blob, are now in a position to dictate that the only sensible thing for distributing their Linux software is as a big binary blob. It works on Windows, it works on Macintosh, make it work on teh Linux.
        You, by accident or on purpose, actually make good points in your first and third paragraphs. Here's the thing.. This policy, as someone who is subbed to that mailing list & contributes & read every email on that thread as they came in, is not being made because the distro feels it's the right idea. This is being made because the developers of software have gotten into a bundling habit and are bundling whatever they want. Sometimes they are at least nice enough to bundle JUST the library... sometimes they bundle the library and then make changes to it that they don't ship back upstream, which means the 'upstream version' won't work for them.

        In a perfect world the developer would send their changes upstream. In a slightly less perfect world the developer would just work around the bugs. In an even less perfect world the packager would handle the diff, either patching the application or patching the upstream library. None of these things are happening. The developer doesn't care to send upstream, or upstream won't accept the change, or they don't think the changes would be useful. And the packager doesn't have time / the knowledge to work with upstream to fix the program.

        A decade ago the distributions meant everything. They were THE WAY to get the applications into users' hands. That meant if an application developer wanted a program to be used then they HAD to work with the distributions and the distributions basically had their hands around everyone's throats... Now they don't. The distributions matter less and less, they are undermanned and don't have the pull they once did.

        Honestly the best thing, from a user experience, developer experience, and market share perspective, that could happen to Linux is for everyone to rally around one distro and say "THIS is LINUX." But that won't happen, and it probably shouldn't. Having multiple distros does serve a purpose... but I honestly wonder how many distros we will still have in years to come.



        Originally posted by bregma View Post
        You're going to see all the big distros pandering to this in the next while. Just grab a docker blob or equivalent, stick it on your (real or virtual cloud) device and go. No need to worry about licenses or compatibility or issues. After all, it works for apps on your iPhone or Android device and it's so simple even your boss could do it.
        You do realize -why- docker and containers are gaining steam for applications, right? Because developers are tired of working around the fact that Ubuntu has library foo version bar, Debian has foo, version bar - 10, Fedora has foo, version bar + 5, RHEL might have foo version bar - 2, Arch has foo version bar + 7, etc... etc... etc.... This is even assuming that the particular distro's packaging guidelines ALLOW library foo (*looks at Fedora*). Application developers don't have the time to test against library foo, version bar +/- 5 (and every number in between), so they pick one and they tell the distributions to deal with it... but the distributions don't have the manpower to deal with it. So they don't package it. Then the users complain about the distro not having the package, so they change distros, which means there's even less possible contributors, so the distro now has less manpower, which means fewer packages, more users complain and leave... see where this is going?

        I ain't saying containers are the right solution to the problem. But they are the solution that people are going with because it allows the developers an easier time, and it allows the distributions to have an easier time.
        All opinions are my own not those of my employer if you know who they are.



        • #14
          Originally posted by DanL View Post
          We should just let applications overwrite the system libraries with their own versions. Doesn't anyone else miss "DLL Hell" from the Windows 98/ME days?
          Ideally they would just USE the system provided libraries, but that doesn't always work out for developers.
          All opinions are my own not those of my employer if you know who they are.



          • #15
            Originally posted by bregma View Post
            This is the twenty-first century. Security is not a concern any more.
            You could not be more wrong. Security is a huge concern, and the lack thereof is a financial liability for many entities.

            I have seen companies (and their developers) exit entire markets due to their lack of security and QA in their software, and customers' requirements for those.

            Now, INDIVIDUAL developers may not care about security for some small cell phone app. But I assure you, if you are a commercial entity of any type and your security is lacking, you will be punished by the market and/or the legal system.



            • #16
              Originally posted by Ericg View Post
              You do realize -why- docker and containers are gaining steam for applications, right? Because developers are tired of working around the fact that Ubuntu has library foo version bar, Debian has foo, version bar - 10, Fedora has foo, version bar + 5, RHEL might have foo version bar - 2, Arch has foo version bar + 7, etc... etc... etc.... This is even assuming that the particular distro's packaging guidelines ALLOW library foo (*looks at Fedora*). Application developers don't have the time to test against library foo, version bar +/- 5 (and every number in between), so they pick one and they tell the distributions to deal with it... but the distributions don't have the manpower to deal with it. So they don't package it. Then the users complain about the distro not having the package, so they change distros, which means there's even less possible contributors, so the distro now has less manpower, which means fewer packages, more users complain and leave... see where this is going?

              I ain't saying containers are the right solution to the problem. But they are the solution that people are going with because it allows the developers an easier time, and it allows the distributions to have an easier time.
              This.

              The next stage is scanning for security issues inside of containers, and providing certified application containers.



              • #17
                Originally posted by Ericg View Post
                I ain't saying containers are the right solution to the problem. But they are the solution that people are going with because it allows the developers an easier time, and it allows the distributions to have an easier time.
                containers are solution to dancing pigs



                • #18
                  Originally posted by pal666 View Post
                  containers are solution to dancing pigs
                  Containers are the new static linking... Next up: memory deduplication to enable 2 programs to work on memory constrained devices...



                  • #19
                    Originally posted by kgonzales View Post
                    You could not be more wrong. Security is a huge concern, and the lack thereof is a financial liability for many entities.
                    He is right unfortunately.
                    Security is only a problem if it affects their reputation. This is why public shaming (in the form of full or responsible disclosure) is so effective to have companies fix security bugs.

                    Originally posted by kgonzales View Post
                    I have seen companies (and their developers) exit entire markets due to their lack of security and QA in their software, and customers' requirements for those.
                    Lolwat.
                    I bet for every example you give of that happening, I could find several examples of companies which had gaping security holes in their products, some of which even caused huge scandals, and instead of promising their customers to fix the bugs tried to sit it out or tried to intimidate the researchers who found them.

                    Originally posted by kgonzales View Post
                    Now, INDIVIDUAL developers may not care about security for some small cell phone app. But I assure you, if you are a commercial entity of any type and your security is lacking, you will be punished by the market and/or the legal system.
                    Wrong. The legal system does not punish lack of security. Heck, a security vulnerability is often not even considered a defect in a product which would entitle consumers to RMA the thing.
                    The only time when the legal system comes into play is if there is a contract which demands timely reaction to security bugs. But there the customer pays extra, usually considerably so, for the security SLA.
