Yeah, but there I can still update vulnerable libraries independently; being a statically linked system just means that if there is a bug in libpng then I have to recompile everything?
Not recompile I guess, but you need to relink everything.
Oasis seems to have a good way of doing that, with the whole system being built in a single tree by an efficient build tool (my recollection from last time it was posted).
A dynamic executable needs to relink every time it's run, which also takes time.
> if there is a bug in libpng then I have to recompile everything?
You say that as if it's such a burden. But it's really not.
I'm somewhat sympathetic to the space argument, but a package manager/docker registry means that updating software is very easy. And it happens all the time for other reasons today anyhow.
I use Gentoo, so I am not against rebuilding everything, but afaik unless you have the static-libs USE flag for something, it's dynamically linked, so relinking on rebuilding the dependency is enough; with static-libs the dependent package is also rebuilt.
I mean, if you ran every single executable on your desktop in a separate container I think you'd see problems. There are a pretty large number of programs running on most desktops, plus all the programs that get called by shell scripts, etc.
Running a handful of containers representing major applications is more reasonable and the memory wastage may be worth it to avoid dependency conflicts.
Except that QubesOS uses VMs for their security benefits, which are greater than those of containers.
Containers make a lot of sense to me on servers ("deploy a controlled environment"), but often on Desktop I feel like they are used as a solution to "I don't know how to handle dependencies" or "My dependencies are so unstable that it is impossible to install them system-wide", both of which should be solved by making slightly better software.
This seems a weird thing to complain about =)