> Shared libraries can be linked by name and version constraints
"Grab random libraries and never update them again" leads to the same security disaster of containers.
It's crucial to have large communities AKA Linux distributions that ensure that a set of libraries at given versions work well together and receive security backports!
3, 4, 5, 6, 8: you just described seccomp, symlinks, and tools the already exists.
The problem here is not about technology. Doing better packaging and modularization was possible for decades but goes against some commercial interests.
The problem there is that we've never figured out how to make it scale. Right now everyone builds everything static or as a container because if you depend on anything upstream it will break and then you will be held responsible for fixing it. Communities don't scale, and the Apple/Google alternative of closed app stores are... closed... and also tend to suck.
Making shared libraries and other upstream dependencies actually scale is an open problem in practical computer science / systems engineering.
The fact that commercial interests often have a vested interest in things sucking is a problem all over the place.
"Grab random libraries and never update them again" leads to the same security disaster of containers.
It's crucial to have large communities AKA Linux distributions that ensure that a set of libraries at given versions work well together and receive security backports!
3, 4, 5, 6, 8: you just described seccomp, symlinks, and tools the already exists.
The problem here is not about technology. Doing better packaging and modularization was possible for decades but goes against some commercial interests.