Hacker News

Isolating things is easy; engineering them to still work is the hard part. If the engineering was easy then every OS would isolate every operation and memory space, and Apple would have isolated these things long ago. But that's not possible because of the performance hit and because of the practicality of using 'perfect security' (it becomes secure even from developers and users).

How does Apple choose what to isolate, and how do they make the isolated parts functional with the rest of the system and for developers? And what changed to make it possible now?



The other submission should answer your questions: https://news.ycombinator.com/item?id=43314657


Like with SELinux, where it is such a pain to get anything working everyone just turns it off.


People turn it off these days because their fear of the level of pain is disproportionate to the effort to get it working. The reference policy covers 99% of most people's needs.


That may be true, but if you've been burnt enough over several years that it seemed to cover 1% of people's needs, you just put it on the trash pile.


Those people were throwing out the stove instead of learning how to adjust the temperature.



