>If a user needs an app then they ring up the helldesk
That seems very inefficient and friction prone. We have stuff like the nix package manager that can install stuff locally without sudo. It also has other nice features from what I've read. What I'm saying is that we need general purpose distros where you don't need sudo to use them.
Interesting you bring this up.
Regardless of the provenance of packages and facility for installation you seem to be hinting that there should be a
method to install specific service/feature sets to a system
securely and without systems access.
I designed such a system which runs with appropriate permissions to a task, is modular, and accomplishes the provisioning via 'job' files submitted to a service
endpoint. A user could describe the software they want installed. The SA performs due diligence on vetting software
and designs a standard install module then generates a skeleton jobfile and provides it to the requesting user to fill in necessary details and submit. Wash , rinse, repeat.
That's the way its done in general: User makes request, request is approved, action. I was noting that a Linux system does not get in the way of that work flow by being a Linux system. If the box belongs to a company then the company gets to decide what is on it.
If the box belongs to the end user then obviously root rights are in order. However, my wife never gets to use anything requiring root rights on her Arch Linux laptop and does not care and would not know what it is anyway. I keep her laptop functioning effectively by watching disc space and other metrics and regularly patching/updating it for her.
That seems very inefficient and friction prone. We have stuff like the nix package manager that can install stuff locally without sudo. It also has other nice features from what I've read. What I'm saying is that we need general purpose distros where you don't need sudo to use them.