Consider Arcan for the display server

[davidchisnall]

Arcan is a flexible windowing system that provides both Wayland and X11 compatibility layers. Importantly for this project, it is designed to support sandboxing and disconnection. It looks like a much better building block for this project than Xorg or any of the Wayland compositors.

I believe that it should be relatively easy to add Capsicum support to Arcan.

[mszoek]

Hey David :) I just recently discovered arcan and have been thinking about this. It might be a less opinionated fit. It still needs drm/kms drivers like our current wayland implementation, so it doesn't help with making things work in VMs or with nvidia chips. Thanks for the suggestion!

[RandomDSdevel]

(Slightly belatedly:)

(Similarly to and paraphrasing from a post I made in the project Discord server:)

     If one could get Arcan or a variant/fork of it to work in a multi-user environment, then, sure, it could be worth taking a look into using it. Right now, though, it's single-user and appears like it may well stay that way. From https://arcan-fe.com/2021/09/20/arcan-as-operating-system-design/ (emphasis mine:)

Arcan is a single-user, user-facing, networked overlay operating system.

And from https://www.divergent-desktop.org/blog/2020/08/10/principles-overview/#p7:

Principle 7: The Single User - The U in UNICS

Of all the legacy pieces in the chain going from boot to an actually usable desktop, the one that takes the biggest toll in terms of wasted opportunity and inane complexity is that of ‘multi-user’ as the outer default. There is a slight hint of irony to this in that a key simplification to good ol’ UNIX when compared to even older Multics was found in stripping away much of the complex device sharing semantics.

The actual role of a ‘user’ (as in account) in a world where computing devices come cheap and greatly outnumber us, is as a safety and system management compartment, and not as flesh and bone actually using- and sharing- the same device.

While the ‘login screen’ at the ‘getty’ or worse, ‘display manager’, level, may seem harmless at first glance, when you unravel and untangle just how much this decision poisons the rest of system design it becomes clearer that the legacy had us not only build the pyramid upside down, but to think of that as the rational thing to do - and it is anything but.

Authenticate against the device, not a dynamic ‘user’. Then, allow safe, ephemeral, secure sharing of the smallest, innermost compartment or an interactively defined aggregation thereof. This compartment is ‘the window’, not ‘the desktop’.

A macOS-compatible system like ravynOS will, naturally, still be multi-user.
     That leaves single-user environments like Arcan out as a potential base layer to build from. (Unless some way could be found to build a multi-user environment on top of the single-user one, but I suspect this could — well? — be…difficult at best.) One could still mimic some of Arcan's architecture when building something new that's also still multi-user, of course. I think something off-the-shelf that doesn't need too much tinkering with in terms of changes or configuration probably fits ravynOS better, especially at this point in its development lifecycle, if I'm understanding things correctly. Any of these decisions can no doubt be left open for revisiting later, of course.

[davidchisnall]

I'm curious how much you expect that to actually matter. In 20 years of Mac use, the only time I have ever used the multi-user bits of the GUI was when I wanted a pristine environment for recording videos for a book, and now I'd use a VM for that instead.

[RandomDSdevel]

     I won't bloat this thread with anything more on the subject, but, if you're on the project Discord server (invite link at the bottom of the project web page,) then there was further discussion about this starting here.

[ashifolfi]

I'm curious how much you expect that to actually matter.

@davidchisnall Shared machines, borrowed machines, wanting to keep work and home separate but not having two machines to do so for space or cost reasons (actually still a thing!)

Shared machines can be very common with families that are low on money but need a computer for their kids. They would setup an account for each kid to use and keep their stuff separate.

And not everyone will be provided with a work machine. Freelancers come to mind immediately. It's not healthy to mix work and home and having 2 accounts to separate them is extremely helpful as it's more out of the way and unlike a folder doesn't force me to constantly be aware it exists.

I already use multiple accounts to keep my school work and personal stuff separate. It's extremely helpful not having to make more folders and just being able to swap accounts when I need to do school things. Less distractions from all my games and whatnot since that's all under a different account. (I have pretty bad self control/executive dysfunction due to ADHD and I need it to be completely out of sight and mind to not be a distraction)

Why would modern operating systems still have them if they didn't matter?

Those are just what I thought of off the top of my head but I'm sure there's more.

[RandomDSdevel]

     I keep my administrator and non-administrator content mostly separate by having a separate administrator and standard user account, though I do share some files between the two.

[yangm97]

I'm with @ashifolfi in multi-user cases being a thing but I still think arcan has a point in regards to current implementations.

Take for instance File Vault v1, which encrypted user home directories individually, and compare it with v2, where the whole disk is encrypted, and despite claiming APFS would allow for very advanced encryption scenarios, any user's password is capable of unlocking the whole disk (and you can't run fdisk on a container with at least one encrypted volume locked and possibly other papercuts I'm not aware). It takes one weak password/bad user to compromise the whole system.

Unix users were designed a long time ago, for sharing resources between thin clients, it's no wonder that doesn't fit nowadays expectations.

Given Apple's reluctancy to add multi-user support into iPads (and what the fuck they have done on tvOS?) proper multi-user support might be harder than it looks.

Dotfile hell is another sign of unix user fracture and this is where some Arcan principles might come handy. We ot used to running developer tools such as npm unsandboxed and the fact they can create ~/.foo directories also implies they could very well read ~/.ssh, compress and send its contents to some bad actor.

TL;DR: ravynOS main goal is binary compatibility with macOS so diverging from its architecture might not be desired and/or create more effort to get things running properly. Personally though I would love to use multiple encrypted zfs datasets per user/application and FreeBSD jails to contain macOS apps which aren't sandbox aware.