Using `/usr/bin/` read-only is also a thing on a few distros (e.g.: Fedora Silverblue), so maybe you want to consider that for your use case.

For device-local binaries (e.g.: not part of firmware), /usr/local/bin sounds like the right choice (also, somewhat in line with what some BSDs do).




This is just another direction to desktop-hive mentality with a focus toward minimizing security.

Perhaps, it might be ideal and suitable to Windows-ize for your case; the security modeling of many designs, not so much.


How does this minimise security?

I don't see how Windows is relevant; it doesn't have /usr nor /usr/bin.


Precisely, Windows has centralized directories for system executables.


Perhaps it would be better if you stopped implying and started to make your point explicitly. Because if your point is that there is some security boundary in Windows that allows an application installer to write to %PROGRAMFILES% but not to \WINDOWS\SYSTEM32, then you are sorely mistaken.
