
LibreOffice latest to fall victim to the curse of Catalina - dessant
https://www.theregister.co.uk/2019/10/23/libreoffice_latest_victim_of_curse_of_catalina/
======
jeroenhd
Buggy system implementations, unfinished API flows, apps constantly needing to
ask for permission, a big break in compatibility and little to no time to
properly test before the official release: it took some time, but Apple has
finally reached their Vista point.

Not that this is necessarily bad (although the bugs are super annoying). Vista
had to happen, and I can see why many casual users in the Apple ecosystem
would prefer a simple, sandbox system for their operating system. Time will
tell if this is indeed a step ahead or a problem that will be made undone in
the future. It just sucks that Apple customers are dealing with their own
Vista now though.

~~~
blub
Vista had excellent security compared to its predecessor, but it never had
this kind of sophisticated access control. In any case, within one year they
fixed the annoying pop-ups and it was a solid OS, I was using it as my main OS
for several years.

Apple's permissions are smarter and the constantly asking for permission does
not happen in my experience on macOS. Apparently they've integrated the open
file dialog with their access control, so any such dialog will automatically
permit the app to access the target file/folder. The pop-ups only appear when
an app wants to access specific folders in the background. This is brilliant
and would stop e.g. malware which encrypts documents or nosy apps in their
tracks!

~~~
jeroenhd
Of course, I don't intend to say that vista had anything that comes close to
the modern day sandbox. However, it did enforce strict security policies that
its predecessors didn't have. UAC and up to some point smart screen is
comparable to the sandbox permissions and the notarising thing. It's an
inconvenient break in compatibility, dialog flow and program design that has a
lot of benefits and some downsides. Until programs adapt to the new paradigm,
old programs will likely be slightly annoying to use, just like what happened
in the Vista days.

I hope Apple doesn't solve the dialog problem the way Microsoft did though (by
sacrificing security for usability), now we have the situation that being
logged in as a local admin with UAC set to default means that any malware can
gain admin privileges through UAC bypasses. You can prevent this by setting
the UAC settings to max or logging in as a standard user, but then you get
Vista-style annoyances again...

~~~
PastaMonster
I run a security program called Comodo Internet Security on Windows 7 (admin).
It have a feature that blocks all new software from starting, downloading to
accessing the filesystems important folders and files. It also blocks software
from accessing internet. It can be a bit dialog heavy until you have set it
up. It is a good software when you have configured it properly. Have never had
anyone break in via internet nor any malicious software issues. Although Ive
got common sense when it comes to what is safe to download but still I like
Comodo (most of the time).

When the OS cant deliver you can find software that do. So why the whining
about the OS security? For example the first thing I install is a proper
Firewall >with advanced configuration control<.

Comodo even stopped the malicious Windows 10 update with malicious dialog
design hiding how to close it and a delay timer so it can start the update
without user consent. Comodo is not supposed to stop updates to but my
configuration must have been why it did. And we all know that malicious
updateS liked to remove personal files and software installed by the user. Im
thankful for comodo. I later disabled the malicious updateS (since there were
many attempts to make it run, they changed the update name several times).
Nasty and malicious indeed.

~~~
mathw
Because you are an exceptional user. The average computer user will never
install or be willing to work to configure any extra security software,
especially something which takes that much work. To protect everyone, and to
keep the flow of malware to a minimum, we need to have security for everyday
users like my sister, who just wants to write up her latest site report and
deal with the email that's flooding in about the next conference.

------
guessmyname
These _“security”_ alerts are so stupid!

Why do I need to give an app a explicit permission to access common folders in
my home directory? I already gave the app permission to do that when I asked
the operating system to open it. This annoys me so much! You know why? Because
I have a firewall installed _(LittleSnitch.app)_ which shows alerts a few
times during the day about network connections from apps that are currently
running in the system. I like these alerts, they are informative, they serve a
clear purpose.

However, the alerts introduced by Apple, they are mostly useless.

Why Apple?! Why do you want to waste my time with this useless crap?!

The first time I opened Terminal.app after upgrading to macOS Catalina I got
several alerts to give permission to the app to access folders that I wanted
to “cd” into. The alerts would be useful if they only showed up when something
is trying to access core folders, but why do I need a freaking alert when I
try to execute “cd ~/Desktop/” or “cd ~/Downloads/” ??? And don’t even try to
use the “find” command to search for a file in your user’s library folder, a
command like this will trigger dozens of alerts: “find ~/Library/ -name
"com.example.app.plist"”

These alerts trigger so often and people will start to mindlessly click
“Allow”, eventually they will grant system-wide access to malware that should
have been prevented by the operating system in a more graceful way. I can see
many of my friends and family members who are not tech savvy ignoring these
alerts and mindlessly clicking “Allow” every single time.

~~~
gridlockd
For the same reason that Ransomware.app shouldn't be allowed to encrypt all
your documents, or Spyware.app shouldn't be allowed to upload all your private
photos to a marriage scam agency in Slovenia.

Yet, this is the default behavior for applications on all Desktop operating
systems. Until now.

It'll take a while to iron out all the kinks, especially with legacy Apps, but
it's the right thing to do.

~~~
guessmyname
> _For the same reason that Ransomware.app shouldn 't be allowed to encrypt
> all your documents, or Spyware.app shouldn't be allowed to upload all your
> private photos to a marriage scam agency in Slovenia. Yet, this is the
> default behavior for applications on all Desktop operating systems. Until
> now. It'll take a while to iron out all the kinks, especially with legacy
> Apps, but it's the right thing to do._

This makes sense only for 3rd-party apps, but I’m talking about apps that have
been notarized by Apple themselves.

Terminal.app comes pre-installed in every Apple computer, it is developed by
software engineers who work for the same company that makes the entire
operating system. Why do I need an alert asking for permission to execute this
command: “cd ~/Downloads/” ? You could argue that you only need to allow this
access once and it will carry on for future interactions, but that is not the
point. The point is that Apple is focusing on increasing the security of the
system the wrong way, these alerts overwhelm regular users to the point they
will mindlessly click “Allow” every time an alert pops up, hackers will take
advantage of this and assume users will grant system-wide access to their
malicious programs.

I was happy with the previous versions of the “Security and Privacy” settings.
By default, you could only open apps downloaded from the App Store. However,
if you were tech savvy enough you could enable the option to allow apps from
3rd-party identified developers, and if you really wanted to take risks you
could enable the option to allow apps from unidentified developers. It was
your choice, and the options were “hidden” in the correct place. But today’s
operating system is just overly paranoid to the point of becoming an annoyance
even for security minded people like me.

~~~
mthoms
I haven't upgraded yet for various reasons. Are you saying that you'll get
prompted for _every_ folder you cd into? Or does the prompt for ~/Documents
(for example) cover all its subfolders?

~~~
crooked-v
It's one prompt for Documents, and a separate for external drives. One
approved or disapproved, the setting then lives in System Preferences ->
Security & Privacy indefinitely.

------
pwinnski
The Register is amusing, but this is hardly noteworthy. If, as LibreOffice
suggests, this is some sort of bug or mistake, it will be resolved soon
enough. The Register seems to be protesting the entire notarization
requirement out of one side of its mouth, while claiming to support increased
security out of the other.

Catalina apps should be notarized, which LibreOffice is committed to doing.
The Register hopes for more controversy.

~~~
vunie
Notarization only positions Apple to have control in the future. Allowing
Apple to be the sole arbiter of what a user is allowed to run on his machine
is a disaster for his rights. Just see iOS and Hong Kong.

Apps should be signed. App notarization should never be a requirement.

------
makecheck
Locking things down in fine-grained ways actually makes it more difficult for
developers to figure out all the permission scenarios that users are likely to
face. I hope that Apple adds tools to make that easier.

For instance, I only have one Mac; once I tell my OS to “allow” my app to do X
and Y and Z, how can I change my mind and “disallow” arbitrary things when
testing multiple features that all have to work under the same constraints?
Ideally, Apple should have a couple of simple switches like “simulate app
launch in fresh-install scenario” so that I can pretend my app doesn’t have
access anymore and see what happens. Similarly, I should be able to pretend
apps aren’t notarized, pretend apps have been disallowed by the user, etc. all
without fiddling with different commands and settings or screwing up other
permissions I already have set on my machine.

~~~
crooked-v
> how can I change my mind and “disallow”

System Preferences, Security & Privacy -> Privacy.

~~~
extra88
I haven't seen it in Catalina yet but in Mojave, everything is organized by
permission, not by app. If you want to review everything a particular app is
allowed to do, you have to look in every permission category. It's not a
terrible design but it is inconvenient in that scenario.

------
api
So everyone complains about cruft and ugliness and the fact that OSes
accumulate legacy crap without bound, but then everyone freaks out when an OS
vendor purges some legacy crap and it breaks some things.

~~~
trymas
IMHO, it is similar with security. Everyone wants better security, but
everyone freaks out if their workflows change or some extra input steps are
required for more sensitive actions.

~~~
blfr
Because many people implementing security measures sincerely believe that more
hassle is better. They have a moral view of security: the more you're willing
to put up with, the more secure you are.

This is, of course, not true. Password managers are both convenient and
improve security. U2F beats virtually every other second factor and YubiKeys
are also more convenient than copying codes from texts.

If you're changing the workflow anyway, make it both more secure, and more
convenient. Sure, it's not always possible. But it very often is.

------
aazaa
For a long time unsigned apps have refused to launch on macOS. The workaround
is to right-click on it then choose "Open".

Does this no longer work on Catalina?

~~~
SyneRyder
According to LibreOffice's own post, that workaround still works, for now:

[https://blog.documentfoundation.org/blog/2019/10/22/libreoff...](https://blog.documentfoundation.org/blog/2019/10/22/libreoffice-
and-macos-catalina/)

------
filmgirlcw
I wish Apple would take the lead in documenting (for the public -- not just in
support tickets) how to update your build pipleline to work with notarization.
Lots of projects/devs who don't build only for macOS aren't prepared to update
their systems and don't always do the testing required to overcome errors in
the process.

That said, FOSS or not, this is the stuff that should be tested before
shipping. It's disconcerting that apparently no one on the LO team has
bothered to test an install build on the latest version of macOS (and if you
buy a laptop or desktop from Apple today, it likely has Catalina installed).

~~~
saagarjha
> I wish Apple would take the lead in documenting (for the public -- not just
> in support tickets) how to update your build pipleline to work with
> notarization.

There's a page for that:
[https://developer.apple.com/documentation/xcode/notarizing_y...](https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution/customizing_the_notarization_workflow)

------
marcus_holmes
I moved from a MacBook to a Linux-only laptop this year. I enjoyed my time
with Apple, they used to manufacture the best POSIX-ish laptops around. But
I'm glad I left. They're no longer interested in making the best hardware for
creatives. Other people are, though.

~~~
tornquist
Do you mind sharing what you moved to? I’m curious about the hardware you
chose and the build quality.

~~~
marcus_holmes
I went with:
[https://puri.sm/products/librem-13/](https://puri.sm/products/librem-13/) it
looks lovely (pure matte black with no branding gets my vote every time). The
OS is a standard Debian derivative, so no surprises there, and I have the
option of replacing it if I want to (haven't yet).

Build quality hasn't been fantastic to be honest - I had to return the first
one because of a faulty monitor connection (but to be fair I had exactly the
same problem with my 2015 MacBook too), and the replacement has a problem with
its space bar. But the great thing is that I can unscrew the back with a
normal screwdriver and have full access to the internals so if I get really
bothered by it I can replace/upgrade/fix any of it. Purism support was great,
and they encouraged me to take the back off and see if I could spot the
problems, which really blew my mind after Apple support.

I've been using it for most of a year (writing this on it) and it's been a
great experience. The article's view that "I'm no longer reliant on hardware"
is true, though I haven't (yet) gone the next step of picking a different
window manager and storing the setup for it in a git repo. It's on my to-do
list though ;)

------
gargravarr
Well now, that's interesting. I include LibreOffice v5 with my standard
install of Mojave. I ran a fresh install earlier this week just to test the
upgrade, which worked. Only then did I try opening the applications. And
LibreOffice v5 opened without a fuss. I read this article and tried
downloading v6. Sure enough, I hit this exact issue. That's seriously
inconsistent Apple. Thanks for the unnecessary grief.

~~~
tinus_hn
Surely this cannot be a problem caused by the LibreOffice developers and must
be Apples fault. After all, it only happens in one version of the application
and not the other!

------
at-fates-hands
_The GIMP image-editing application also has problems, giving permission
errors when trying to access files in locations such as Desktop and Documents_

I know a LOT of people who will only use Mac laptops and a ton more graphic
and web designers who use Macs religiously. I have yet to find someone who
uses any Mac products that run Gimp so I find this to be an interesting point.

~~~
tikej
Well here I am, using GIMP on macbook, although not professionally.

I like the os and so on, yet I try to keep my workflow as FOSS as possible.

I invest a lot of time in learning and mastering my tools so I believe that
using preferably multiplatform and Free software will let me keep my skills
and hours I put into learning stuff under my, not some vendor’s control (e.g.
if apple keeps going the direction it is going at the moment).

This is why I use emacs, inkscape, gdb, gcc etc. on Mac OS

------
skyzyx
This is much ado about nothing. The people (and apps) who are impacted are the
ones who waited until beyond the last minute to adopt Gatekeeper &
Notarization. Apple has been banging this drum for quite a while.

Headline is FUD.

------
dottrap
LibreOffice says they notarized. Does anybody have a clue to what the specific
problem is? I'm wondering if it is a bug or edge case that others (such as me)
need to worry about for notarizing their distributions.

------
kbumsik
I'm just curious, but why many popular free and open-source softwares are
distributed unsigned?

------
yitchelle
Is the notarisation only valid for current and future versions? Hopefully it
is retrospective.

~~~
crooked-v
Notorization is for a specific .app bundle.

~~~
yitchelle
Oh man, that means that user is forced to up rev if they want to use Catalina.

------
Scarbutt
Never had a good experience with LO in macos(too buggy), I hear that in
windows/linux is much better though.

------
rolltiide
Curse of Catalina

I like this book title already

------
campfireveteran
I continue to enjoy staying on Mojave (10.14.6) and iOS 12.4.1, and won't be
buying an MBP or iPhone anytime soon. This is due to Apple's pattern of
extracting money from customers through immediately crappy, defective, and
less repairable products needing expensive services to operate as they were
promised (repair services are now more profitable to Apple than hardware) and
releasing buggy, critical feature-eliminating software that has negative
value, means I refuse to play along with their unreasonable cult of
conspicuous-consumption games lacking meritorious value any longer. _Fool me
once ..._

Catalina removes iTunes and 32-bit programs.

~~~
newscracker
I’m not suggesting that you upgrade to Catalina yet. The removal of support
for 32-bit programs was long coming, but I can see how it’s a big deal for
some people running legacy software that may never be updated by the
developer.

You can run the latest (or any recent) version of iTunes on Catalina and use
it to manage your iThings and content. There’s a forum post on Macrumors with
a nifty AppleScript that will install an older version of iTunes (that you’ve
separately downloaded) and make it available for you. It does require
disabling SIP temporarily. It doesn’t seem like the determined user is forced
to abandon iTunes, as of now.

------
bableka
Catalina is just pain

~~~
dang
Hi, could you please not post unsubstantive comments to HN? We ban accounts
that do that, because we're trying for a bit better quality level on HN than
the internet normally defaults to.

If you'd please review
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)
and follow those rules when posting here, we'd be grateful.

You might also find these links helpful for getting the spirit of this site:

[https://news.ycombinator.com/newswelcome.html](https://news.ycombinator.com/newswelcome.html)

[https://news.ycombinator.com/hackernews.html](https://news.ycombinator.com/hackernews.html)

[http://www.paulgraham.com/trolls.html](http://www.paulgraham.com/trolls.html)

[http://www.paulgraham.com/hackernews.html](http://www.paulgraham.com/hackernews.html)

------
rwmj
Any thought I might have that I might give macOS a try are now extinguished. I
can't run software unless it has been "notarized" and inspected by Apple? No
thanks.

~~~
ratww
> I can't run software unless it has been "notarized" and inspected by Apple?

You absolutely can. Where did you get that?

~~~
rwmj
From reading the article obviously.

