Given that a lot of Python software I see already by convention runs in a venv, which is at least somewhat isolated from the rest of the system… I wonder how much harder it would be to make it the norm for most Python software to run in an isolated sandbox, without broader filesystem access. Like, kinda follow an Android-like model, where there’s an application-private directory and permissions that mostly make the app keep to itself.
I do run some Python software in firejail. But it’d need to be a norm for how the software is distributed. Can’t require a bunch of technical work on the part of end users.
You can’t simultaneously have an executable that operates in a private sandbox and maintain all the features expected of the programming language.
You’re correct. Not all software will be able to usefully run under such a restriction.
But I think that a very substantial amount probably can.