
Do these sandboxes require bundling all the necessary dependencies a la Windows applications? I sure hope not.


I am not sure why Linux people tend to think this is bad. It is how you ship robust software that doesn't break. Linux "solves" this issue by having all kinds of things break all the time and just accepting that breakage and saying "no really things usually work fine".


The main argument against this kind of bundling (apart from higher disk usage) is about security updates of libraries. E.g. if many applications ship their own copy of OpenSSL and another vulnerability is discovered, you have to update every application individually. And it is unlikely that all developers/vendors will provide such updates fast enough.

But if all applications use the same OpenSSL that is managed by dpkg+apt (or something similar), a single update will fix all applications.

Personally, I don't think that this problem can be solved without losing the advantages of bundling (robustness, reproducibility, binary portability to other distributions).


Right, but there's a difference between things that the OS is expected to provide (OpenSSL, GTK, etc) which the app should not bundle, and things like libpng which the app basically should bundle.

e.g. Windows supplies KERNEL/USER/GDI as builtins, but doesn't supply libpng.

Pretty much the whole point of an OS is to provide a guaranteed stable base. Anything that isn't guaranteed or stable should be bundled with the app.


If libpng has a new vulnerability discovered, how do you make sure it is fixed in all the apps that bundle it?

http://www.cvedetails.com/vulnerability-list/vendor_id-7294/...


GTK indirectly depends on libpng, so that probably wasn't the best example ;)

The thing is that Linux distributions traditionally don't make any difference between the OS and apps. Everything is split into relatively small packages. Like everything this model has some advantages (e.g. security updates) but also some disadvantages (it's harder to distribute/install software outside the distribution).


I would argue that you shouldn't bundle any libraries at all. As a package maintainer, I get real annoyed at projects that bundle things like libpng and don't provide an easy way to use an already built version.


>It is how you ship robust software that doesn't break.

It's how you ship 1000 different versions of the same library and have no idea what to do when they need to be upgraded. It's just a terrible way to manage a system. Easier doesn't mean better.


Seems like Linus agrees with you to an extent. He thinks it is sad to have to statically link libraries and create huge binaries but it is what you currently have to do to ensure things don't break.

Be aware of typical Linus swearing: https://www.youtube.com/watch?v=5PmHRSeA2c8#t=358


In my understanding you can just (read-only) bind-mount the necessary libraries into the sandbox, ship your own, or do a combination of the former two.


bind-mounting and/or symlinks are good ways to go. That way there isn't unnecessary duplication.
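
The thread's open question, how to find every bundled copy of a library once a fix is released, sketched as an added example (not written by any commenter). The function names are hypothetical, the file names and tree are constructed, and the "fixed" version is a placeholder rather than a real advisory value.

```python
import os
import re
import tempfile
from collections import defaultdict

# Versioned shared objects, e.g. libpng16.so.16.34.0 -> ("libpng16", "16.34.0")
SO_RE = re.compile(r"^(lib[\w+.-]+?)\.so\.([\d.]+)$")

def find_bundled(app_roots, library_prefix):
    """Map each app root to the set of versions of the library it ships."""
    found = defaultdict(set)
    for root in app_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                m = SO_RE.match(name)
                path = os.path.join(dirpath, name)
                # Skip soname symlinks so each real file is counted once.
                if m and m.group(1).startswith(library_prefix) and not os.path.islink(path):
                    found[root].add(m.group(2))
    return dict(found)

def version_tuple(version):
    """Turn '16.34.0' into (16, 34, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split(".") if part)

def stale_copies(bundled, fixed_version):
    """Return sorted (app, version) pairs older than the fixed version."""
    fixed = version_tuple(fixed_version)
    return sorted((app, v) for app, versions in bundled.items()
                  for v in versions if version_tuple(v) < fixed)

def demo():
    """Build a constructed tree of three apps and report stale libpng copies."""
    layout = {"app_a": "libpng16.so.16.34.0",  # constructed sample names
              "app_b": "libpng16.so.16.37.0",
              "app_c": "libz.so.1.2.11"}
    with tempfile.TemporaryDirectory() as top:
        roots = []
        for app, lib in layout.items():
            libdir = os.path.join(top, app, "lib")
            os.makedirs(libdir)
            open(os.path.join(libdir, lib), "wb").close()
            roots.append(os.path.join(top, app))
        stale = stale_copies(find_bundled(roots, "libpng"), "16.37.0")  # placeholder fix
        return [(os.path.basename(app), v) for app, v in stale]

if __name__ == "__main__":
    print(demo())
```

The scan is filename-based, so it only sees dynamically bundled copies; a statically linked library leaves no file to match.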



