> Saying "my argument makes sense, you just can't understand it" is just you being petulant.
I did not say that. I said that my preferences are consistent. Security and diversity are orthogonal concepts. I can say: "I want as much security as possible AND as much diversity as possible". It is not an argument, it is a preference.
You come and say: "Aha, I got you! You cannot want both security and diversity! You have to want one or the other, not both, because I say so! You just lost the debate, you dumb ass".
First of all, I've been saying from the very beginning that your stance implies both less security AND less diversity. But I knew you would grasp onto the security part like a lifeline, because you've run out of ways to derail the conversation, which is why I clarified in my previous comment. You ignored my clarification, and once again decided to argue with a straw man. I've never seen so many bad faith straw man arguments in my life. Forget the security aspect of it since you clearly can't debate that, and just focus on the diversity, and you're STILL wrong.
As you like to say when you're clarifying, "let's take a step back here". I'll just repeat my last comment, and hopefully you won't evade it like you always do:
You've said previously: "My point is that webapps move everything into the browser, going towards a world where something like ChromeOS is the only valid way to use a computer. I want to choose my OS". [1]
So you think the best way to increase OS diversity is to get developers to submit their apps to proprietary app stores that only run on their own respective operating systems, instead of using open web standards that work on every operating system? How does that make sense?
Do you get it yet? You're claiming you want OS diversity, but you're advocating for the solution that results in LESS OS diversity, that's why you're contradicting yourself, and that's why your position is logically inconsistent. You absolutely know this, which is why you're dodging every attempt to actually debate it. And I know you know this, because you purposely omitted the first sentence of my paragraph when you quoted it, which was [2]: "And now you're arguing in favor of the app store duopoly which contradicts your point about software diversity." That part didn't fit your narrative, which is why you omitted it. You're better at evasion, and rhetorical trickery than you are at actually discussing technical topics. If you had said instead: "I admit my position implies less OS diversity, but in this case I'm willing to make that trade off in exchange for better security guarantees", then we could move on to the security question (and you'd lose that debate too).
You can admit that one of those pesky web developers you're so fond of condescending to actually has a good point, it won't hurt.
> So you think the best way to increase OS diversity is to get developers to submit their apps to proprietary app stores that only run on their own respective operating systems.
No, I don't. I think that having different tools, more or less specialized for particular platforms, is better than using webtech everywhere. My reason being that I tend to hate webtech and all it represents to me: I don't like unmanaged language package managers like npm and how they allow devs to have no clue about their dependencies. I don't like Javascript. I don't like having to run a browser to access Discord, or alternatively to have a fake Desktop app that is essentially a hardcoded one-tab browser. I don't like to run complicated webapps in a tab that can freeze my whole browser. I don't like that if my browser crashes, all my webapps stop. I find that pushing for WebAssembly to run everything in the browser is completely overkill given that we already have tons of ways to run stuff on different OSes. I don't like how web people tend to not know anything not web (including native/non-native-but-not-web mobile apps, native/non-native-but-still-not-web Desktop apps, mobile OSes like iOS/Android/Linux-based-but-not-ubuntu, Desktop OSes like Windows/macOS/Linux/-BSD, embedded OSes like OpenWRT/-BSD) but still claim that webtech is better.
I like C when it makes sense, I find merit to C++ in many situations, I think Rust is interesting (except for the language package management which seems to come straight out of the webtech hell). I like Java/JVM and its evolution in the last years (no, it's not just an interpreter and web applets since the beginning of the century, but too many web people missed the memo), I find that Android has done a lot of interesting stuff with JIT and AOT, I think that GraalVM is really promising. I love Scala and Kotlin, and the new Jetpack Compose way for UIs (coming to Desktop apparently). I wish I could spend more time on Swift and discover SwiftUI, and I had fun learning Flutter and Dart (though it's still has the fundamental issues of cross-platform frameworks IMO). I don't know anything about .NET, but it doesn't seem bad. I like making custom Linux with fun tools (buildroot, Yocto, pmbootstrap) or learning how relatively mainstream distributions work. I like running stuff on -BSD (not in a browser, actually on the system). I like how Linux distributions approach their package management.
I am a big fan of open protocols, which mean that I can run my TUI IRC client (written in C) on my OpenBSD, my favorite email client (written in Go) on my Alpine Linux, and a whole bunch of stuff like git/gpg/ssh/podman/pass in CLI. I can even enjoy tools written in niche languages like Hare!
Those things I like, TO ME, represent diversity, and allow me to choose the tools that are more ergonomic for me, and even to contribute to them. Webtech, TO ME, represents those shitty Slack/Discord/Teams/NameYourCloud proprietary apps (and those are the good ones), written by people who want a one-size-fits-all solution so that they can be more productive by knowing ONE tech and making ONE mediocre app that will run badly on all those systems they never cared to study, governed by rules like "no need to optimize for memory, memory is cheap ahahaha!!!1!". All that forcing me to run full-blown apps (and not websites anymore) in a damn browser, in a world where Safari is Apple's way of refusing webtech for as long as they can, Firefox is a joke (which I use, don't get me wrong) and everything else non-Chrome is about customizing Chromium and pretending that they own their codebase.
PWAs are a promise to move that shitty world out of the browser and into mobile devices (because ElectronJS already succeeded in moving that shitty world out of the browser and into the Desktop... by duplicating a browser I did not choose, and in my back). All of that is transforming my Desktop OS and my mobile OS into basically a big browser that I hate (Chromium) running bad apps written with webtech that I hate.
Native Android and iOS apps are not perfect of course. But they are not webtech. And at this point I'm holding to anything that is not damn webtech (or worse: "AI" bullshit).
Go on, tell me why I should not feel the way I feel or, even better, prove it to me, with cross-references to whatever you find (I still won't click on your links, though, I really don't give a shit).
> then we could move on to the security question (and you'd lose that debate too).
I am not here to win (is there a price for the winner?). I would genuinely be very happy if you taught me something (just a small thing) about why browsers are fundamentally better in terms of security than any other kind of sandbox I can imagine. But something constructive, like why it is that whatever is used to sandbox processes in a browser cannot be used to sandbox processes outside the browser. Or why granular access control works in the browser and fundamentally cannot be used outside of it.
But if it is to tell me that browsers are better because smart people spend a lot of time working on V8, or that web people invented access control last year, please don't lose your time.*
> I don't like how web people tend to not know anything not web
This is the reason why your responses have been so arrogant. This is why you assumed I lacked knowledge about sandboxing before we'd even had a chance to discuss the topic in any sort of depth. You have this preconceived notion that all web developers are myopic and can't see anything outside of the web, and you've projected this stereotype onto me as if you're omniscient. If you truly do enjoy engaging in good faith arguments, and learning from other commenters, then you wouldn't start with the pompous assumption that the person you're talking to is ignorant.
> I don't like unmanaged language package managers like npm and how they allow devs to have no clue about their dependencies. I don't like Javascript.
Finally, you just came out and said it. You have a deep seated visceral hatred of JavaScript and anything even tangentially related to it. This is why you've been trying to bait me into talking about Electron, to the point of literally fabricating statements (at one point you claimed I was talking about VSCode). This is your pet issue, and your clamoring for a chance to talk about it.
I get it, you don't like JS. It's a popular opinion amongst snobbish developers who like to promote this culture of contempt that pervades the software development world [1].
The problem is...we're not talking about the pros and cons of JavaScript as a language, or npm as a package manger. I have feelings about that as well (which I may or may not share), but my primary conjecture has always been that software is safer when run in the browser (especially on desktop operating systems). That's why I originally responded to your comment about Figma and Photoshop, and provided my own anecdote about my experiences using Adobe Photoshop on my desktop computer.
> Those things I like, TO ME, represent diversity, and allow me to choose the tools that are more ergonomic for me, and even to contribute to them.
The preceding paragraphs read like a CV with every technology you've ever interacted with, and many of them are very interesting, but all of that is completely besides the point. I'm going to quote you again here, you said: "My point is that webapps move everything into the browser, going towards a world where something like ChromeOS is the only valid way to use a computer. I want to choose my OS".
We're not talking about the diversity of tools used to build applications, we're talking about the diversity of operating systems used to run graphical user interface apps. You absolutely refuse to stay on topic. Submitting apps to proprietary app stores that only run on their respective operating systems is not the best way to promote operating system diversity. If I build an app for the browser it'll run on every operating system (since they all ship with a web browser), that's just an objective fact.
> is there a price for the winner
You should be a comedian. I'm here to talk about technology.
> I would genuinely be very happy if you taught me something (just a small thing) about why browsers are fundamentally better in terms of security than any other kind of sandbox I can imagine.
We're not talking about what you can fundamentally imagine, we're talking about how software is used in reality.
> why it is that whatever is used to sandbox processes in a browser cannot be used to sandbox processes outside the browser. Or why granular access control works in the browser and fundamentally cannot be used outside of it.
I hate to keep repeating myself but, we're not discussing theoretical means with which you could sandbox an application, we're talking about how apps are actually used in practice. You seem to want to discuss how desktop apps could theoretically be just as safe as web apps, but I'm more interested in reality than theory. I've given you several examples of security features which are present in the browser, and have no proper analog built in to desktop operating systems.
Here's a non-exhaustive list of things that make webapps more secure than desktop apps (many of these points haven already been mentioned, but you keep ignoring them):
- Webapps can't read from the clipboard without user confirmation.
- Webapps can't make themselves truly persistent the way a desktop app can.
- Webapps can't record your keystrokes when their tab isn't active, whereas keyloggers are one of the most pervasive forms of desktop malware. On a Mac for instance, I normally have to use Reikey to mitigate this threat.
- Webapps can't forge the origin and user-agent HTTP headers to impersonate legitimate clients.
- Webapps can't read the response of an HTTP request to a third party origin unless the site allows it via a CORS header.
- Webapps can't read a single file from your filesystem unless you explicitly allow it.
- Webapps can't see which SSIDs your computer is connected to in order to pinpoint your location by matching them against known wifi networks.
Could some of these protections be implemented on the desktop in the future? Sure, and if they do I'd be happy to revisit this discussion in a few years. But my arguments are firmly rooted in reality, not speculation about future enhancements. And please don't bring up onerous security measures like virtual machines. First because that only proves that desktop apps are insecure by default, second because most users are likely unaware that such measures even exist, and third because those measures can be applied to a browser as well, so they only augment the security of webapps if anything.
I did not say that. I said that my preferences are consistent. Security and diversity are orthogonal concepts. I can say: "I want as much security as possible AND as much diversity as possible". It is not an argument, it is a preference.
You come and say: "Aha, I got you! You cannot want both security and diversity! You have to want one or the other, not both, because I say so! You just lost the debate, you dumb ass".
Fine, I lost the debate, you're the best.