Zero Install and Snake Oil

Based on a casual reference from Edd Dumbill, I thought I’d check out the Zero Install system he mentions.

It starts out as an intriguing concept. There are obvious security implications, though, and they seemed to have addressed them here. Unfortunately, that page makes the following mistake:

Only the Zero Install software itself is a potential risk to system security. With traditional (non-zero-install) systems, every application, library and documentation package is a potential root compromise.

Of course, this system is all about downloading software off the Internet and running it on your local machine, every piece of which is a potential risk to system security. Thus, this particular “fact” is snake oil, and these people now have a very high burden of proof to overcome before I consider their system trustworthy.

It’s tempting for people to think they’ve solved a particular security problem just because they handle it better than other people. There may be benefits to the Zero Install approach, and they may even be a theoretical improvement over other systems. But “almost right” doesn’t cut it in security, and if they’re amateur enough to make claims like the above, why should I believe that their execution will be any more competent?