May 5, 2021
I've been noodling on sandboxing models

Robert Frost:

"Before I built a wall I'd ask to know
What I was walling in or walling out"
(https://www.poetryfoundation.org/poems/44266/mending-wall)

With computers, this strategy doesn't work. Inside and outside have a way of switching places.

In Unix, the crown jewels were the root user; other user accounts were sandboxed. Code (in C) ran with all types erased.

Time passed. Root grew vestigial, people stopped sharing computers. The crown jewels moved to user accounts.

Some possible lessons to draw from these sample points.

Sandboxing isn't about a single boundary. When designing VMs for adoption, build for isolation within the VM in addition to the boundary. Allow people to collaborate and run untrusted code within a single sandbox.

Oh, and don't erase types.

This post is part of my Freewheeling Apps Devlog.

Comments gratefully appreciated. Please send them to me by any method of your choice and I'll include them here.
