Two Holes and complex builds?
1) Setuid()/setgid() binaries? Certainly root isn't running any installation scripts written by unknown parties, but a non-trivial class of applications exist (email) that tend to rely on setuid()/setgid(). I took a quick look at my system here and Mutt and KDE are the standout setuid()/setgid() offenders. A normal user can't install a setuid()/setgid() application, so this means that 0install needs to run as root (at least during the chown() call). Not an unfixable problem, though.
2) Hacked originating sites = compromised 0install clients. GPG keys are nice and all, but how many people actually walk around with their GPG private keys on a floppy disk or USB keychain drive? IIRC a few months ago there was a site/source compromise where the MD5 signatures matched the tar but the binaries had a trojan inserted. Mode 600 doesn't protect GPG keys on a rooted machine.
For that matter, the 0install system can be used as a kind of Denial of Service engine in a "dumb-user" environment: all one has to do is set up a teaser website where the list of dependencies includes huge lists of large files; if left unattended at home/small/medium size sites it can saturate the Internet access pipe until the disk is filled.
3) Complex builds can strike the system down. Ex: PHP4 with all its extensions. Say extension #1 in PHP4 depends on liba; extension #2 in PHP4 depends on libc, which in turn depends on libb and liba, and for whatever reason two different versions of liba are specified between the two extensions. Boom. It's difficult enough for a person to properly configure a PHP4 installation with the myriad library/sublibrary dependencies and the interaction with Apache.
Granted, it's unlikely that the end user is going to be installing PHP4, but it's not impossible that other reasonably complex applications have similar problems.
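A worked illustration of point 3, added here and not part of the original post: a toy resolver that walks a PHP4-style dependency graph and reports, rather than silently mixing, when two branches pin different versions of the same library. All package names, versions and the graph are constructed for the example.

```python
# Added example, not code from the original thread: a minimal resolver that
# walks a dependency graph shaped like the PHP4 scenario above and reports
# when two branches demand different versions of the same library.
from collections import deque

# Constructed graph: (name, version) -> the (name, version) pairs it requires.
# ext1 wants liba 1.0; ext2 wants libc, which in turn wants liba 2.0.
DEPS = {
    ("php4", "4.3"): [("ext1", "1.0"), ("ext2", "1.0")],
    ("ext1", "1.0"): [("liba", "1.0")],
    ("ext2", "1.0"): [("libc", "2.0")],
    ("libc", "2.0"): [("libb", "1.0"), ("liba", "2.0")],
    ("liba", "1.0"): [],
    ("liba", "2.0"): [],
    ("libb", "1.0"): [],
}

def resolve(root, deps):
    """Breadth-first walk from root; returns (selected, conflicts).

    selected maps each name to the single version chosen (first one reached).
    conflicts holds (name, chosen, chosen_path, other, other_path) for every
    branch asking for a different version of an already chosen name; that
    branch is not descended, so the installer can refuse instead of mixing.
    """
    selected, first_path, conflicts, seen = {}, {}, [], set()
    queue = deque([(root, ["%s-%s" % root])])
    while queue:
        (name, version), path = queue.popleft()
        if name in selected and selected[name] != version:
            conflicts.append((name, selected[name], first_path[name], version, path))
            continue
        if (name, version) in seen:
            continue
        seen.add((name, version))
        selected[name] = version
        first_path[name] = path
        for child in deps.get((name, version), []):
            queue.append((child, path + ["%s-%s" % child]))
    return selected, conflicts

def report(conflicts):
    """Render each conflict as one line showing both requiring chains."""
    return ["%s: %s (via %s) vs %s (via %s)" % (n, a, " > ".join(pa), b, " > ".join(pb))
            for n, a, pa, b, pb in conflicts]

if __name__ == "__main__":
    for line in report(resolve(("php4", "4.3"), DEPS)[1]) or ["no version conflicts"]:
        print(line)
```

Running it prints the liba clash with both requiring chains; changing libc's entry to require liba 1.0 makes the same walk come back clean.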
Re: Choose a proper language (Re: If you build it, they will come...)
> % What do you suggest instead of
> C++ is a draft rather than a good
> Consider using Caml instead, for the
> library level and higher (not the
> hardware drivers, I guess). It is a very
> clean language [...]
I don't know how you can call Caml a clean language. Never in my life have I seen a language with more syntactic sugar.
Some of the syntax and features in C++ aren't necessarily clean either. Then again, I don't have to type a '.' after every operator and a 'let' before every assignment. Caml fails the KISS principle in that regard. What do you suppose the odds are of me (and every other programmer) adopting a language like Caml when almost every other programming language in existence uses a much simpler operator syntax?