LibreOffice latest to fall victim to the curse of Catalina (theregister.co.uk)
223 points by dessant 51 days ago | 121 comments



Buggy system implementations, unfinished API flows, apps constantly needing to ask for permission, a big break in compatibility and little to no time to properly test before the official release: it took some time, but Apple has finally reached their Vista point.

Not that this is necessarily bad (although the bugs are super annoying). Vista had to happen, and I can see why many casual users in the Apple ecosystem would prefer a simple, sandbox system for their operating system. Time will tell if this is indeed a step ahead or a problem that will be made undone in the future. It just sucks that Apple customers are dealing with their own Vista now though.


Vista had excellent security compared to its predecessor, but it never had this kind of sophisticated access control. In any case, within one year they fixed the annoying pop-ups and it was a solid OS; I was using it as my main OS for several years.

Apple's permissions are smarter and the constant asking for permission does not happen in my experience on macOS. Apparently they've integrated the open file dialog with their access control, so any such dialog will automatically permit the app to access the target file/folder. The pop-ups only appear when an app wants to access specific folders in the background. This is brilliant and would stop e.g. malware which encrypts documents or nosy apps in their tracks!


Vista started enforcing the file system conventions people were supposed to follow all along. Things like, don't write config files to the root of C: or dump temp files in C:\Windows.

The prompts went away because the apps were fixed. Thanks to the pain Vista went through apps can run without Administrator rights and most apps were ready for Windows 7.


> Things like, don't write config files to the root of C: or dump temp files in C:\Windows

Now half the devs out there write config files to fucking Documents for some reason...


Because Windows hides appdata from users, but many users often want to edit configs. So the devs stick them in Documents.


That's a terrible reason, if true. Anyone savvy enough to want to edit config files can figure out how to enable Show Hidden Files or just browse to %APPDATA% in minutes.

I don't use my Documents folder anymore because it's too hard to find actual documents among the dozens and dozens of misplaced config folders.


Windows application developers in general have a long track record of disregard for the user’s filesystem and other visible shared resources. Let them modify the user’s start menu and they dump a folder with their company's brand name there and fill it with crap. Let them populate the Add/Remove Programs list and they’ll fill it with all kinds of incomprehensible stuff (even MS itself is horrible here, polluting it with MSVC Runtime This, and SQL Server That...)

It should be no surprise that developers choose to dump non-documents into the user’s Documents folder.


Adobe is the only one who does this crap in macOS on my system. They put 3 folders in Applications and on top of that put some more in Utilities. I see like 7 icons just for 1 app (2 if you count the subscription manager app).

Their attitude being the monopoly is just annoying.


Also all the games that now dump save files there.


Well, that I can understand. Save files are documents, as far as I am concerned (I used to back them up Just In Case while playing).

For RNG/permadeath games like Don't Starve, the save file better be safe.


We addressed this by adding a "Folders" tab to our About box which lists configuration, plugin, and other paths relevant to the application. Users can open a folder by double-clicking on it.


Is that the reason really? Dot-dirs are also hidden by default, yet it is assumed anyone looking for config files knows they lurk beyond the period.


~/Library is normally hidden too, but that doesn't stop NSUserDefaults from sticking things there.


> Apparently they've integrated the open file dialog with their access control, so any such dialog will automatically permit the app to access the target file/folder. The pop-ups only appear when an app wants to access specific folders in the background. This is brilliant and would stop e.g. malware which encrypts documents or nosy apps in their tracks!

This pattern is called "powerbox", an idea from object capability security. I'm sure there are plenty of other usability improvements in there if you study those ideas (more so the more important security is to your application). Applying it to the web is getting easier with Mark Miller's JS standardisation work and (also his) https://agoric.com/ and https://ocapjs.org/
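To make the "powerbox" pattern concrete, here is a small added model (not code from Apple, Agoric, or any commenter) of the behaviour described above: the app never holds ambient filesystem authority, a user-driven file dialog hands it a capability for exactly the chosen file with no extra prompt, and only an unprompted reach into a protected folder raises a prompt whose answer is remembered. The `Powerbox`, `FileCap` and `AccessDenied` names and the temporary `Documents` folder are constructed for this illustration.

```python
"""Toy powerbox in the object-capability style (constructed illustration)."""
from __future__ import annotations

import tempfile
from dataclasses import dataclass, field
from pathlib import Path


class AccessDenied(PermissionError):
    """Raised when the user refuses a background access prompt."""


@dataclass(frozen=True)
class FileCap:
    """Capability to one file. The app reads and writes only through this
    object. In a real ocap system the handle is unforgeable; here the
    discipline is by convention, which is enough to show the flow."""
    _path: Path

    def read_text(self) -> str:
        return self._path.read_text()

    def write_text(self, data: str) -> None:
        self._path.write_text(data)


@dataclass
class Powerbox:
    """Trusted component between the app and the filesystem.

    `protected` holds folders (think ~/Documents) the app may not touch on
    its own without a recorded grant; `prompts` records every pop-up shown."""
    protected: set[Path]
    grants: set[Path] = field(default_factory=set)
    prompts: list[str] = field(default_factory=list)

    def open_dialog(self, user_choice: Path) -> FileCap:
        # The user drove the dialog, so the choice itself is the consent:
        # no pop-up, and the app gets authority to exactly this one file.
        return FileCap(user_choice.resolve())

    def background_open(self, path: Path, allow: bool) -> FileCap:
        # The app reaching for a file by itself: the case that prompts.
        path = path.resolve()
        folder = next((p for p in self.protected if path.is_relative_to(p)), None)
        if folder is None:
            return FileCap(path)          # unprotected location, no prompt
        if folder in self.grants:
            return FileCap(path)          # granted earlier, remembered
        self.prompts.append(f"{path.name} in {folder.name}")
        if not allow:
            raise AccessDenied(str(path))
        self.grants.add(folder)
        return FileCap(path)


def demo() -> dict:
    """Walk through the three cases on a constructed home folder and return
    the observations so they can be checked rather than only printed."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "report.txt").write_text("quarterly report")
        (docs / "secret.txt").write_text("top secret")
        box = Powerbox(protected={docs.resolve()})

        # 1. User picks report.txt in the open dialog: access, no prompt.
        dialog_read = box.open_dialog(docs / "report.txt").read_text()

        # 2. App tries secret.txt on its own and the user clicks Deny.
        denied = False
        try:
            box.background_open(docs / "secret.txt", allow=False)
        except AccessDenied:
            denied = True
        prompts_after_denied = len(box.prompts)

        # 3. Same attempt, user allows; the folder grant is remembered, so a
        #    later background open in that folder does not prompt again.
        second_read = box.background_open(docs / "secret.txt", allow=True).read_text()
        prompts_after_allow = len(box.prompts)
        box.background_open(docs / "report.txt", allow=False)
        prompts_after_second = len(box.prompts)

        return {
            "dialog_read": dialog_read,
            "prompts_after_dialog": 0 if prompts_after_denied == 1 else -1,
            "denied": denied,
            "prompts_after_denied": prompts_after_denied,
            "second_read": second_read,
            "prompts_after_allow": prompts_after_allow,
            "prompts_after_second": prompts_after_second,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```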


I've never heard about this powerbox thing, but webpages have worked like this - being able to access only files from a file picker - for decades, so I'm sure that's where they took the idea from.


I don't know the answer to that historical question (shaky data point: though I know Brendan Eich is a bit of a capability convert, I believe that's a relatively recent thing: last decade or so?). Regardless of the answer, I'd agree if you said that the world seems filled with people reinventing capability ideas not as effectively as they could, because they don't know that that's what they're doing and so are cut off from the ideas that have developed in the small cap community over the decades.

This isn't really about files, though. Capability UI patterns are about composing all kinds of authority in a usable way. I'm sure we'd all agree that accessing files isn't the best or ultimate description of the interesting things that people do with computers now. This is an area that's waiting to be rediscovered by the rest of the world.


It's not surprising considering Powerbox has no API and I think this might be one of the few official mentions of it: https://developer.apple.com/library/archive/documentation/Se...


Ah! So given the language (explicitly using the word powerbox), it does seem a very good bet that whoever introduced this at Apple was at least aware of the work, and perhaps directly inspired by it.


Of course, I don't intend to say that Vista had anything that comes close to the modern day sandbox. However, it did enforce strict security policies that its predecessors didn't have. UAC and up to some point SmartScreen is comparable to the sandbox permissions and the notarising thing. It's an inconvenient break in compatibility, dialog flow and program design that has a lot of benefits and some downsides. Until programs adapt to the new paradigm, old programs will likely be slightly annoying to use, just like what happened in the Vista days.

I hope Apple doesn't solve the dialog problem the way Microsoft did though (by sacrificing security for usability), now we have the situation that being logged in as a local admin with UAC set to default means that any malware can gain admin privileges through UAC bypasses. You can prevent this by setting the UAC settings to max or logging in as a standard user, but then you get Vista-style annoyances again...


I run a security program called Comodo Internet Security on Windows 7 (admin). It has a feature that blocks all new software from starting, downloading to, or accessing the filesystem's important folders and files. It also blocks software from accessing the internet. It can be a bit dialog heavy until you have set it up. It is good software when you have configured it properly. Have never had anyone break in via the internet nor any malicious software issues. Although I've got common sense when it comes to what is safe to download, I still like Comodo (most of the time).

When the OS can't deliver, you can find software that does. So why the whining about the OS security? For example the first thing I install is a proper firewall >with advanced configuration control<.

Comodo even stopped the malicious Windows 10 update with malicious dialog design hiding how to close it and a delay timer so it can start the update without user consent. Comodo is not supposed to stop updates too, but my configuration must have been why it did. And we all know that malicious updates liked to remove personal files and software installed by the user. I'm thankful for Comodo. I later disabled the malicious updates (since there were many attempts to make it run, they changed the update name several times). Nasty and malicious indeed.


Because you are an exceptional user. The average computer user will never install or be willing to work to configure any extra security software, especially something which takes that much work. To protect everyone, and to keep the flow of malware to a minimum, we need to have security for everyday users like my sister, who just wants to write up her latest site report and deal with the email that's flooding in about the next conference.


> You can prevent this by setting the UAC settings to max or logging in as a standard user, but then you get Vista-style annoyances again...

And I'm not even sure UAC at max level is officially a security boundary. As for the second solution, yep, and you actually could also log in as a standard user in XP (and 2000, and NT).

Now there is a fun thing about security: it can sometimes be counter-intuitive. A yes-no popup on a secure desktop can be way more secure than asking for a password in some cases, because the popup screen could be spoofed, and while obtaining an admin pwd is obviously valuable, obtaining a yes-no answer from the user at the console is not... (Some mitigations exist like SAK but they are not perfect, because the users can make mistakes, especially if asked for their password all the time)


MS "fixed" Vista UAC by making it unsound and not a security boundary in 7. Now I'm not even sure it was a security boundary in Vista, but when you look at the technical way it is implemented and the additions it came with and works with at the ACL level, it was probably at least initially intended to be by their designers.

If anything UAC is a good case to show how security must come with usability, otherwise you just don't get much in the end...

The end result from a technical point of view; well obviously better than nothing, but never count on it. It is actually way more useful to avoid casual mistakes than for security purposes.


I disagree. I think UAC (or at least the prompt part) is actually worse than nothing. UAC has poisoned a generation of users to just click yes, because security is way too big of a hassle.


We are not mainly talking about the same thing, but on the specific subject you evoke I actually kind of agree with you, and that was in a way what I meant by stating that security must come with usability. However, I'm not sure about how you can come to your "worse than nothing" conclusion, from a security point of view. Sure, if the model lets the user authorize nearly anything, they have the power to do it. Sure, if this encompasses both benign and potentially dangerous modifications, the user can be desensitized. BUT if it still technically achieves its designed purpose, then it is better than nothing in the sense that by nothing, I meant that it would be equivalent as if "yes" was implied all the time. And I find it hard to make the case that mandatory yes all the time and complete lack of access control is better than giving the choice...


I'm a “power user” and I think sandboxing is a good thing. I often run code written by others that I haven't read. I would like it if it does not have the ability to erase all my files.


I agree re: sandboxing. The security gained by a sandbox is immense and dumb programs and games I use should be restricted to their own little space. This does require some well-thought-out system level abstractions for users and developers to accept the new sandbox, but that's not impossible to do. Especially for stuff that should Just Work (R), sandboxes are a great tool. This isn't just a casual user thing, system developers also use Spotify and don't want to mess with arcane program settings and directories. I do believe that casual users will be using more apps that "just work" than power users though, which is why I mentioned them.

On the other hand, I do like to have access to each and every file on my system if I so please and I do want to be able to use my toolset anywhere on the system. For my classes I need to run what we call "PhD-ware" every now and then (technically advanced software that is great at doing one specific job but is mostly unmaintained and requires a specific setup to work) and that's never going to be compatible with any security restriction. I want to be able to override the system when needed.


I upgraded to Catalina and barely noticed the restrictions since I mostly use Browser, Terminal and Editor - along with some off-the-shelf proprietary software. For me it's a good development since I rarely download .DMGs from the web browser, and if I do, I get a strong reminder that this might contain adware, spyware or just make my system a little more buggy.

Most software I actually install through homebrew and it's nice that the software has been checked more than once by other people. To me it's the whole point of using Mac(OS), things just work (TM) and if not there's a way to make them work. One positive thing actually: I think Apple tidied up the DTrace configuration, so it's much easier to start without doing any crazy configuration stunts.


> For my classes I need to run what we call "PhD-ware" every now and then (technically advanced software that is great at doing one specific job but is mostly unmaintained and requires a specific setup to work) and that's never going to be compatible with any security restriction.

Sounds like a job for Docker, or possibly a hypervisor: put the app in a container, put the specific files it needs to work on in the container, and the app lives entirely inside that container, whether it's a Docker image or a filesystem image with an OS or something in-between; there are no security implications because it can only touch what's already in the container with it.

As a plus, the whole system (OS, configuration, application, and all) is now reified into a single container artifact you can ship around and just run. It won't rot, or at least it'll keep a lot longer (as long as the container technology keeps).


Ha, I wish I could just use docker for this. I'm sure I could find the exact arcane combination of outdated Java, unsupported C libraries and hardcoded paths and combine them into a Docker container, but in the end it's probably not worth the effort when I can set up a snapshot, configure the software and just run it. It's not day-to-day software so after 3 or 4 months I'll likely never use the software again.

One tool I had to use would only work on old Linux kernels, proven to be working on Ubuntu 12.04. The guest tools in the VM provided were so old that I had to set up an older version of VirtualBox in order to get the system to run, which opened a whole can of worms in itself. This was on Ubuntu at the time, so luckily it was just a matter of installing dependencies and trying to find compatible versions that didn't clash with normal system tools. Maybe Docker is able to run VirtualBox but just thinking about gluing Docker and a hypervisor together is giving me a headache. Nested KVM works these days, but who knows how that might affect a piece of software like this.

Just for the weird legacy cruft that comes with some tools, I just want the option to mess up my system in order for something to work.


I like sandboxing too, but what you just said gives a window into the problem: You don't want a program to be able to erase all your files, but you might want it to be able to create and edit files. So how do you express that clearly enough to become an automatically-enforceable security policy? Can a program only create files? Can a program create files, and only edit files it created? Can a program create files, and then edit and delete only the files it created?

Ignoring the technical details of implementing this, you still have a semantic gap between "I don't want my document editor running wild on my files" and something you can express unambiguously. The only way anyone seems to have come up with to close that gap is Popup Whack-A-Mole, which everyone seems to agree is a massive usability failure except everyone who's reinvented it.


I expect this is a problem that's been thoroughly thought about.

Permissions are probably something like "you can do what you like over HERE but can't touch anything else".


Is it sandboxing shell/python scripts downloaded? Or programs installed by brew?

While I'd love to check all the code I've downloaded for sneaky problems, I'll agree that in this day and age that isn't entirely feasible. At some point, you have to hope your backup regimen is working.


The problem is that sandboxing has been consistently proven to impede legitimate use cases, but not so much the illegitimate.


Huh? Sandboxing absolutely impedes illegitimate use cases. I love that I can run apps knowing that they can't scan the contents of my documents directory, or my photos app. Without sandboxing, apps can rampage through my user contents unrestricted.


Sandboxing on iOS and Android is working great to prevent the spyware developers from achieving their goals.

And now macOS is adding more of the same protections...


> Sandboxing on iOS and Android is working great to prevent the spyware developers from achieving their goals.

For power users who use Tasker, Android's restrictions are a nightmare. I cannot, for example, kill an app using Tasker, and I really really need to do this. Plenty of other restrictions that made Tasker users' life difficult.

To be clear, this is on a rooted phone. Am I not allowed to algorithmically decide to kill an app on my own phone?


Do even 0.1% of Android users use Tasker? 100% of them are at risk from malware and spyware which would directly access your data and other apps if not sandboxed. This could be somewhat addressed with different sandbox policies for well-audited applications but we've seen a long history of those lines being pushed as far as possible (e.g. Uber trying to use geo-fencing to evade reviewers).

As an aside, I'm curious what makes killing an app so critical vs. only shutting down background processes. That seems like an edge case on an edge case?


> Do even 0.1% of Android users use Tasker?

This thread is about power users, not average users.

If I sold you a Linux PC, and gave you root access, but it was sandboxed and you couldn't kill apps from the command line, would you say the PC I gave you is fine for "power users"?


You have to think about how these capabilities are abused for something with as much personal data as a phone: if that capability is there it will be abused by malware, abusive partners, unscrupulous app vendors, snooping governments, etc. to impact orders of magnitude more people than believe they need these features. People will be trained to click approve the next time they install spyware or bogus optimization / cleanup utilities and many of the people most likely to be exploited will be the loudest about saying they're power users who need this access and won't make mistakes (see past decades of Windows usage).


Your comment seems to agree with me: That Android is not good for power users.

To a power user, this isn't a phone that is smart. It is a computer that is running Linux. It's totally fine to put in measures that enhance security on an unrooted phone, and it's also fine to make users go through hoops to root the phone and give them more power. But simply disallowing basic things with root privileges is hostile to power users.

Take something as trivial as backup, for example. I need a rooted app to do it (and thankfully, it works). But if you step back and realize an unrooted user cannot easily back up the contents of some of their simple apps without using a 3rd party cloud, and realizing that even that doesn't work well, then you can't reasonably view an Android device as something you truly own. I paid hundreds of dollars for a device where it's nontrivial to get access to my own data on the device.


> You have to think about how these capabilities are abused for something with as much personal data as a phone

The computer has more personal data than the phone does, often by huge margins.


For power users maybe, but I honestly doubt that most people keep more personal data on computers than they do their phones.


My mother is terrified of computers. But she stores all her documents and old email archives on the computer, not on the phone.


Do you think there are more people like that than there are people who use their phone as their only device, not to mention the difference between a computer which is often turned off or not physically present versus a device which is almost always on and near its owner?


Among people with documents, I think there are many more who store them on a computer than who store them exclusively on a phone.

And I'm pretty sure the total amount of personal information contained in the documents of people with documents vastly exceeds the total amount of personal information contained in the phones of people with phones.

Counting number of people, there probably are a lot more who use the phone as their only device, but those people aren't generating as much in the way of personal information.

Going back upthread, we have this claim:

> I honestly doubt that most people keep more personal data on computers than they do their phones.

which was in response to this claim of mine:

> The computer has more personal data than the phone does, often by huge margins.

Two different questions have been raised:

1. Are there people who have phones, but don't have computers?

2. How much personal information is on someone's computer -- assuming they have one -- compared to their phone?

#2 is the relevant question if we're talking about "something with as much personal data as a phone". The answer is "several orders of magnitude more", and that is unaffected by the existence of people who don't have a computer.


Sandboxing is a power user thing, non power users don't understand it, don't even look at permissions let alone understand them, they just learn to click yes to everything to make stuff happen.

It's a solution created by power users, only usable by power users that gets in the way of power users.


No, it just means you need to create a social network to install spyware.


The problems with permissions dialogs are overblown in my experience. You get hit with a flurry at least on initial boot-up after upgrading because desktop applications don’t know how to behave themselves in a sandboxed environment and just reach for whatever they please, but after that initial burst they’re quite rare.

With how Apple has been gradually weaning third party devs from having extensive/root access it’s nowhere near as annoying as UAC was.


I don't think UAC was that annoying to be honest. Where it asked for confirmation and admin privileges, it made sense. Most UAC buttons were labeled and from a security standpoint, it was quite a solid experience. Last time I used Apple, it felt like a flashback to Vista to me. Prompts for every program I downloaded, leaving me to keep the system security settings open for the first hour or so to download appropriate installers and password prompts every time I went to change a setting. Like in Vista, the places it asks for admin permissions usually make sense, but the contrast was quite stark compared to the Windows and Ubuntu dialog flow I was used to. I found the "the system prevented you from opening this program" dialogs reminiscent of the super-criticised SmartScreen dialogs that block(ed?) Windows 8+ programs from unknown sources.


> Apple has finally reached their Vista point

Well, on a different note, even Linux desktop/workstation distributions have reached their Vista point... in the somewhat trivial sense that they now need Vista-capable hardware in order to be reasonably usable! (We do know how it happened, it's all about the usual CADT syndrome. At least they are still usable, unlike Vista or Catalina. But one can still be disappointed by such developments.)


XFCE and LXDE still provide low resource alternatives to Gnome, KDE and whatever else is popular these days. If you want to go ultra slim, take a tiled window manager like i3. Technically, you don't need Vista capable hardware if you're willing to give up on some modern niceties.

Vista level hardware is 10-12 years old by now though. I don't think it's unreasonable to drop support for hardware over 10 years old for a fully-featured environment. People want new and shiny. Why should I want to give up on some eye candy on my five year old laptop just so that someone else's 10 year old laptop isn't missing out on anything?

Mind you, Firefox and LibreOffice are bigger slowdowns than the rest of my systems and I'm using vanilla Gnome3. The system can still boot a fully featured desktop with less than a gigabyte of RAM in use. Even Vista hardware should be able to cope with that.


> Vista level hardware is 10-12 years old by now though. I don't think it's unreasonable to drop support for hardware over 10 years old for a fully-featured environment.

When I bought my first EeePC I expected to get reasonably recent gen hardware, just without the bling and low power. It had a brand new 10 year old Intel graphics chip inside. At least it had a decent battery life and doubled as a toaster if you opened a pdf in Firefox's javascript pdf viewer.


Indeed. Especially considering that Vista had rather high system requirements; among other things, it required 4 GB of RAM, though Windows 7 only needed 2 GB.


Why should precious developer time and resources be devoted to supporting pre-2006 hardware?


A system that runs smoothly on 2006 hardware runs blazingly fast on modern hardware. It's also likely to consume less resources and power.

There's also the fact that many developers live in rich countries where good hardware is relatively cheap and easy to come by. Developing countries usually don't have access to reasonably priced hardware at all. There's billions of people whose hardware is barely capable of running a Vista equivalent. That alone should be reason to consider developing with older systems in mind.

Developing to keep an old system somewhat smooth can lead to improvements across the board. There are pros and cons to every decision and I certainly don't think every piece of software should be designed to run on a Core2Duo. In many cases some considerations for those who can't buy fancy hardware would be nice though.


> A system that runs smoothly on 2006 hardware runs blazingly fast on modern hardware.

This is especially true wrt. memory use, BTW. Memory bandwidth is, as a rule of thumb, the main bottleneck affecting performance in present-day systems, so most savings in RAM use yield very real increases in performance for real-world scenarios. Also, less RAM use makes it easier to run a useful number of virtual machines or containers, even on non-high class hardware.


Just want to say that CPU is often the bottleneck for end users on old hardware and low-end laptops.

For example, youtube doesn't play well, because the hardware is too slow to decode a full HD video stream in real time. No kidding, that's actually a big driver for people to buy newer hardware, people really care about youtube.

Another example. Loading a modern website with 10 MB of javascript bundles. It takes 5-10 seconds to process all that javascript in chrome (on developer workstations), which is slow but fine. Unfortunately that's 15-30 seconds on laptops and mobiles for end users, that is quite a lot, enough that people leave thinking the site is broken.


Most Linux DEs do not use a lot of memory (don't know about Gnome). They do require accelerated 3D or 2D, but run well within the RAM envelope of a 2006 machine.

The problem is, running on the CPU does not make your DE faster (it's the other way around), memory that is the largest problem isn't an issue, there is some heavy disk usage on load time, but then none, and there isn't much of a CPU load. They can't run on a 2006 machine, but it does not extend into your VM.


CPU performance didn't increase dramatically since the period around 2006 (Core 2 Duo generation).

An application that doesn't run smoothly on old hardware like that will probably not run well on current hardware either. It's twice as true if the application should be usable on modern low-end laptops, that can really have terrible hardware, worse than a desktop from back then.


So precious energy, resources and labour don't have to be devoted to replace perfectly good hardware.


yes, GNOME 2 -> 3, unfortunately...


I tend to agree - Vista's security improvements were its best feature, and they also broke a lot of stuff and resulted in a bunch of annoying UAC pop-ups that confused users and probably encouraged them to get in the bad habit of saying "yes" to everything.


This is a one-time access control check for security. The article is overblown, the headline is sensationalized, and so is your comment.


The "one-time access control check" doesn't fire properly if you merely upgrade from Mojave. Dropbox completely stopped working for me until I did a clean reinstall of Catalina and then the permissions window finally appeared and I was able to say "yeah, let Dropbox do its thing." Really bad user experience, if I knew I'd have to do a clean reinstall, I would've waited to upgrade.


These “security” alerts are so stupid!

Why do I need to give an app an explicit permission to access common folders in my home directory? I already gave the app permission to do that when I asked the operating system to open it. This annoys me so much! You know why? Because I have a firewall installed (LittleSnitch.app) which shows alerts a few times during the day about network connections from apps that are currently running in the system. I like these alerts, they are informative, they serve a clear purpose.

However, the alerts introduced by Apple, they are mostly useless.

Why Apple?! Why do you want to waste my time with this useless crap?!

The first time I opened Terminal.app after upgrading to macOS Catalina I got several alerts to give permission to the app to access folders that I wanted to “cd” into. The alerts would be useful if they only showed up when something is trying to access core folders, but why do I need a freaking alert when I try to execute “cd ~/Desktop/” or “cd ~/Downloads/” ??? And don’t even try to use the “find” command to search for a file in your user’s library folder, a command like this will trigger dozens of alerts: “find ~/Library/ -name "com.example.app.plist"”

These alerts trigger so often and people will start to mindlessly click “Allow”, eventually they will grant system-wide access to malware that should have been prevented by the operating system in a more graceful way. I can see many of my friends and family members who are not tech savvy ignoring these alerts and mindlessly clicking “Allow” every single time.


> Why do I need to give an app an explicit permission to access common folders in my home directory?

Because you might not be aware that the application wants to harvest all the {meta,}data in your Pictures/Documents/Downloads folders?

The era of trusting applications with wide-open privileges has long since ended.


Sadly, the days of trusting applications with unrestricted access to the filesystem and other compute resources that contain your data are gone. When you run an application on most consumer OSs, the application has access to everything the user running it has access to, which is a massive risk when the application developer is part of the threat model. Unfortunately, from the point of view of the user, developers need to be treated as adversaries, due to the track records of a few bad actors.

I don’t like it either but it’s the world we've built.


That's the world some have built. There are other approaches to this, such as the Apple store and Linux repositories; they contain trusted software with various degrees of vetting, and it's extremely rare to have to install something I don't trust. Sandboxing is a good idea for those apps though.

A huge problem in software is that the trade-off for security is almost always usability and/or convenience.


For the same reason that Ransomware.app shouldn't be allowed to encrypt all your documents, or Spyware.app shouldn't be allowed to upload all your private photos to a marriage scam agency in Slovenia.

Yet, this is the default behavior for applications on all Desktop operating systems. Until now.

It'll take a while to iron out all the kinks, especially with legacy Apps, but it's the right thing to do.


> For the same reason that Ransomware.app shouldn't be allowed to encrypt all your documents, or Spyware.app shouldn't be allowed to upload all your private photos to a marriage scam agency in Slovenia. Yet, this is the default behavior for applications on all Desktop operating systems. Until now. It'll take a while to iron out all the kinks, especially with legacy Apps, but it's the right thing to do.

This makes sense only for 3rd-party apps, but I’m talking about apps that have been notarized by Apple themselves.

Terminal.app comes pre-installed in every Apple computer, it is developed by software engineers who work for the same company that makes the entire operating system. Why do I need an alert asking for permission to execute this command: “cd ~/Downloads/” ? You could argue that you only need to allow this access once and it will carry on for future interactions, but that is not the point. The point is that Apple is focusing on increasing the security of the system the wrong way, these alerts overwhelm regular users to the point they will mindlessly click “Allow” every time an alert pops up, hackers will take advantage of this and assume users will grant system-wide access to their malicious programs.

I was happy with the previous versions of the “Security and Privacy” settings. By default, you could only open apps downloaded from the App Store. However, if you were tech savvy enough you could enable the option to allow apps from 3rd-party identified developers, and if you really wanted to take risks you could enable the option to allow apps from unidentified developers. It was your choice, and the options were “hidden” in the correct place. But today’s operating system is just overly paranoid to the point of becoming an annoyance even for security minded people like me.


If you don't restrict Terminal by default, users can be tricked into running malicious *.command files and the like.

The large majority of Mac owners will never intentionally use Terminal. I don't know what it's like in Catalina but I have no issue in Mojave going to Security & Privacy > Privacy and granting Terminal Full Disk Access because I'm one of the few who will be regularly using it. If Catalina is making it clear that permission needs to be granted, that's an improvement over Mojave because the first time I did something that required the Full Disk Access permission, that was not clear to me from the text shown in the shell.


> Terminal.app comes pre-installed in every Apple computer, it is developed by software engineers who work for the same company that makes the entire operating system. Why do I need an alert asking for permission to execute this command: “cd ~/Downloads/” ?

Because differentiating between that command and any command that may be harmful is NP-Hard. Like I said, these kinks will have to get ironed out. Terminal is UNIX legacy and that "security" model was broken from day one. The sooner we get rid of it, the better.

> The point is that Apple is focusing on increasing the security of the system the wrong way, these alerts overwhelm regular users to the point they will mindlessly click “Allow” every time an alert pops up, hackers will take advantage of this and assume users will grant system-wide access to their malicious programs.

You don't get system-wide access, that's the point of asking you for every folder. Let me ask you, what's the alternative to asking for permission? If I accidentally give a malicious program permission to do something, how is that worse than just giving it that permission without being asked?


> Because differentiating between that command and any command that may be harmful is NP-Hard.

Turing complete.


For an input string of finite size and with certain commands restricted, I don't believe that proving harmlessness is equivalent to the halting problem.

I'm not sure if NP-Hard is the right classification for the more restricted case though.


It's still Turing complete. In general, proving pretty much any non-trivial property about a general-purpose (and I mean this term very loosely: you have to strip away a lot of things from your favorite language before this is no longer true) programming language is.


I haven't upgraded yet for various reasons. Are you saying that you'll get prompted for every folder you cd into? Or does the prompt for ~/Documents (for example) cover all its subfolders?


It's one prompt for Documents, and a separate one for external drives. Once approved or disapproved, the setting then lives in System Preferences -> Security & Privacy indefinitely.


Just the parent folder.


Computers are meant to facilitate smooth management of data. Imagine if every last time you applied a table saw to a new piece of wood, a breaker would pop on initial contact with the piece of wood.

That's what this type of thing is devolving to. It's going to get to the point that most users are simply going to click through without thinking, and those that do pay attention are going to suffer continually.

To be quite honest, I'd pass. It'd just be easier not to keep my life on the bloody computer readily accessible all the time.


Here's my standpoint: I don't want a system where any binary can just read/write all my user files. Prompting me is the most straightforward way to implement this.

Most users already know this behavior from their phones, they aren't all so dumb and reckless. They reject permissions all the time, which we know from statistics. They don't just mindlessly say "YES" to everything, but even if they did, why put everyone at risk, just because most people aren't diligent?


> which we know from statistics

What statistics?


The Register is amusing, but this is hardly noteworthy. If, as LibreOffice suggests, this is some sort of bug or mistake, it will be resolved soon enough. The Register seems to be protesting the entire notarization requirement out of one side of its mouth, while claiming to support increased security out of the other.

Catalina apps should be notarized, which LibreOffice is committed to doing. The Register hopes for more controversy.


Notarization only positions Apple to have control in the future. Allowing Apple to be the sole arbiter of what a user is allowed to run on his machine is a disaster for his rights. Just see iOS and Hong Kong.

Apps should be signed. App notarization should never be a requirement.


Locking things down in fine-grained ways actually makes it more difficult for developers to figure out all the permission scenarios that users are likely to face. I hope that Apple adds tools to make that easier.

For instance, I only have one Mac; once I tell my OS to “allow” my app to do X and Y and Z, how can I change my mind and “disallow” arbitrary things when testing multiple features that all have to work under the same constraints? Ideally, Apple should have a couple of simple switches like “simulate app launch in fresh-install scenario” so that I can pretend my app doesn’t have access anymore and see what happens. Similarly, I should be able to pretend apps aren’t notarized, pretend apps have been disallowed by the user, etc. all without fiddling with different commands and settings or screwing up other permissions I already have set on my machine.


> how can I change my mind and “disallow”

System Preferences, Security & Privacy -> Privacy.


I haven't seen it in Catalina yet but in Mojave, everything is organized by permission, not by app. If you want to review everything a particular app is allowed to do, you have to look in every permission category. It's not a terrible design but it is inconvenient in that scenario.


So everyone complains about cruft and ugliness and the fact that OSes accumulate legacy crap without bound, but then everyone freaks out when an OS vendor purges some legacy crap and it breaks some things.


IMHO, it is similar with security. Everyone wants better security, but everyone freaks out if their workflows change or some extra input steps are required for more sensitive actions.


Because many people implementing security measures sincerely believe that more hassle is better. They have a moral view of security: the more you're willing to put up with, the more secure you are.

This is, of course, not true. Password managers are both convenient and improve security. U2F beats virtually every other second factor and YubiKeys are also more convenient than copying codes from texts.

If you're changing the workflow anyway, make it both more secure, and more convenient. Sure, it's not always possible. But it very often is.


For a long time unsigned apps have refused to launch on macOS. The workaround is to right-click on it then choose "Open".

Does this no longer work on Catalina?


According to LibreOffice's own post, that workaround still works, for now:

https://blog.documentfoundation.org/blog/2019/10/22/libreoff...


It still works.


I wish Apple would take the lead in documenting (for the public -- not just in support tickets) how to update your build pipeline to work with notarization. Lots of projects/devs who don't build only for macOS aren't prepared to update their systems and don't always do the testing required to overcome errors in the process.

That said, FOSS or not, this is the stuff that should be tested before shipping. It's disconcerting that apparently no one on the LO team has bothered to test an install build on the latest version of macOS (and if you buy a laptop or desktop from Apple today, it likely has Catalina installed).


> I wish Apple would take the lead in documenting (for the public -- not just in support tickets) how to update your build pipeline to work with notarization.

There's a page for that: https://developer.apple.com/documentation/xcode/notarizing_y...


I moved from a MacBook to a Linux-only laptop this year. I enjoyed my time with Apple, they used to manufacture the best POSIX-ish laptops around. But I'm glad I left. They're no longer interested in making the best hardware for creatives. Other people are, though.


Do you mind sharing what you moved to? I’m curious about the hardware you chose and the build quality.


I went with: https://puri.sm/products/librem-13/ . It looks lovely (pure matte black with no branding gets my vote every time). The OS is a standard Debian derivative, so no surprises there, and I have the option of replacing it if I want to (haven't yet).

Build quality hasn't been fantastic to be honest - I had to return the first one because of a faulty monitor connection (but to be fair I had exactly the same problem with my 2015 MacBook too), and the replacement has a problem with its space bar. But the great thing is that I can unscrew the back with a normal screwdriver and have full access to the internals so if I get really bothered by it I can replace/upgrade/fix any of it. Purism support was great, and they encouraged me to take the back off and see if I could spot the problems, which really blew my mind after Apple support.

I've been using it for most of a year (writing this on it) and it's been a great experience. The article's view that "I'm no longer reliant on hardware" is true, though I haven't (yet) gone the next step of picking a different window manager and storing the setup for it in a git repo. It's on my to-do list though ;)


Well now, that's interesting. I include LibreOffice v5 with my standard install of Mojave. I ran a fresh install earlier this week just to test the upgrade, which worked. Only then did I try opening the applications. And LibreOffice v5 opened without a fuss. I read this article and tried downloading v6. Sure enough, I hit this exact issue. That's seriously inconsistent Apple. Thanks for the unnecessary grief.


Surely this cannot be a problem caused by the LibreOffice developers and must be Apple's fault. After all, it only happens in one version of the application and not the other!


The GIMP image-editing application also has problems, giving permission errors when trying to access files in locations such as Desktop and Documents

I know a LOT of people who will only use Mac laptops and a ton more graphic and web designers who use Macs religiously. I have yet to find someone who uses any Mac products that run Gimp so I find this to be an interesting point.


Well here I am, using GIMP on macbook, although not professionally.

I like the os and so on, yet I try to keep my workflow as FOSS as possible.

I invest a lot of time in learning and mastering my tools so I believe that using preferably multiplatform and Free software will let me keep my skills and hours I put into learning stuff under my, not some vendor’s control (e.g. if apple keeps going the direction it is going at the moment).

This is why I use emacs, inkscape, gdb, gcc etc. on Mac OS


Do you really think there aren't any people who use a Mac and run GIMP? Why would Mac distributions of it exist if no one used it?

I use a Mac and run GIMP. I even bought a recommended app (I think it was Pixelmator?) a few years ago and tried switching to it, but I liked GIMP better so that's what I stuck with.


Every developer's machine at a web agency I worked for had Gimp installed, and the supplied machines were Macs... Only designers got the $110+ a seat Creative Cloud subscriptions.


I used GIMP just today ... for paid work! ... on a Mac.

Granted it isn't a full-fledged replacement for Photoshop, and I do have an Adobe CC subscription, but some things are simply faster and easier (for me) with GIMP.


This is much ado about nothing. The people (and apps) who are impacted are the ones who waited until beyond the last minute to adopt Gatekeeper & Notarization. Apple has been banging this drum for quite a while.

Headline is FUD.


LibreOffice says they notarized. Does anybody have a clue to what the specific problem is? I'm wondering if it is a bug or edge case that others (such as me) need to worry about for notarizing their distributions.
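One way to answer the question above for your own distribution is to ask Gatekeeper directly and to check whether the notarization ticket is stapled to the bundle. The script below is an added example, not code from the thread, LibreOffice or Apple; it assumes the standard macOS `spctl` and `xcrun stapler` tools, and the sample outputs it classifies are constructed to mirror the `source=` lines `spctl -vv` prints. On a non-macOS host it only runs the classifier, so the parsing can be checked anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): classify Gatekeeper's verdict on an
# app bundle and check whether its notarization ticket is stapled.
# Assumes the stock macOS tools `spctl` and `xcrun stapler`.

# Classify the text printed by `spctl --assess --type execute -vv <app>`.
# Prints one of: notarized, signed-unnotarized, unsigned, rejected, unknown.
classify_spctl() {
    out="$1"
    case "$out" in
        *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;
        *"source=Unnotarized Developer ID"*)            echo signed-unnotarized ;;
        *"source=no usable signature"*)                 echo unsigned ;;
        *": rejected"*)                                 echo rejected ;;
        *)                                              echo unknown ;;
    esac
}

# Run the real assessment on macOS; elsewhere report that it was skipped.
assess_app() {
    app="$1"
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "skipped (not macOS)"
        return 0
    fi
    # spctl exits non-zero on rejection; keep both streams so the verdict can be parsed.
    out=$(spctl --assess --type execute -vv "$app" 2>&1) || true
    classify_spctl "$out"
    # stapler validate succeeds only when a ticket is attached to the bundle;
    # without it Gatekeeper has to fetch the ticket from Apple at launch time.
    if xcrun stapler validate "$app" >/dev/null 2>&1; then
        echo "ticket: stapled"
    else
        echo "ticket: not stapled"
    fi
}

# Constructed sample outputs in the shape spctl -vv prints (placeholder app and team id).
SAMPLE_OK='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_UNNOTARIZED='/Applications/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SAMPLE_UNSIGNED='/Applications/Example.app: rejected
source=no usable signature'

# Usage: ./check_notarization.sh /Applications/LibreOffice.app
if [ -n "$1" ]; then
    assess_app "$1"
fi
```

The useful distinction for the LibreOffice case is between "signed-unnotarized" (the Developer ID signature is fine but no ticket is known to Apple) and "notarized" with a ticket that is not stapled: the latter still launches when the machine is online, while the former is what Catalina refuses by default.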


Curse of Catalina

I like this book title already


I'm just curious, but why is so much popular free and open-source software distributed unsigned?


Is the notarisation only valid for current and future versions? Hopefully it is retrospective.


Notarization is for a specific .app bundle.


Oh man, that means the user is forced to up-rev if they want to use Catalina.


Never had a good experience with LO on macOS (too buggy); I hear that on Windows/Linux it's much better though.


Catalina is just pain


Hi, could you please not post unsubstantive comments to HN? We ban accounts that do that, because we're trying for a bit better quality level on HN than the internet normally defaults to.

If you'd please review https://news.ycombinator.com/newsguidelines.html and follow those rules when posting here, we'd be grateful.

You might also find these links helpful for getting the spirit of this site:

https://news.ycombinator.com/newswelcome.html

https://news.ycombinator.com/hackernews.html

http://www.paulgraham.com/trolls.html

http://www.paulgraham.com/hackernews.html


I continue to enjoy staying on Mojave (10.14.6) and iOS 12.4.1, and won't be buying an MBP or iPhone anytime soon. Apple's pattern of extracting money from customers through immediately crappy, defective, and less repairable products needing expensive services to operate as they were promised (repair services are now more profitable to Apple than hardware), and of releasing buggy, critical feature-eliminating software that has negative value, means I refuse to play along with their unreasonable cult of conspicuous-consumption games lacking meritorious value any longer. Fool me once ...

Catalina removes iTunes and 32-bit programs.


I’m not suggesting that you upgrade to Catalina yet. The removal of support for 32-bit programs was long coming, but I can see how it’s a big deal for some people running legacy software that may never be updated by the developer.

You can run the latest (or any recent) version of iTunes on Catalina and use it to manage your iThings and content. There’s a forum post on Macrumors with a nifty AppleScript that will install an older version of iTunes (that you’ve separately downloaded) and make it available for you. It does require disabling SIP temporarily. It doesn’t seem like the determined user is forced to abandon iTunes, as of now.


Any thoughts I might have had about giving macOS a try are now extinguished. I can't run software unless it has been "notarized" and inspected by Apple? No thanks.


> I can't run software unless it has been "notarized" and inspected by Apple?

You absolutely can. Where did you get that?


From reading the article obviously.


He's an Apple hater. That's where he got it.

