If the message were completely transparent, something like "The developer didn't pay $99 for us to do a cursory check on them (or whatever it is that Apple does with that money), are you sure you want to run their software? [Move to trash] [No] [?]", then that would give the user the relevant information to make this decision, but as it is, virtually no mac user will understand what is really going on.
I also can't imagine $100 is easy to come up with in countries below level 4. The OpenStreetMap Foundation recently introduced a way to waive the yearly £15 fee for OSMF membership if you have a certain number of map edits or otherwise contributed to the project. The OSM community seems to be quite diverse, but I can't imagine that Apple computers are less widespread than OpenStreetMap.
GPL3 allows that. And looking backwards, Apple shipped software that was GPL2, but would not ship software that was GPL3. As one example, bash and make both quietly stopped getting updates from Apple when the GPL3 versions came out. (Although Apple sort of broke the GPL with bash as it never shipped all the source for it -- missing the header file rootless.h.)
One other point about these dialogs + the help message. You are required to contact Apple to even see this online help. Apple deals itself into the equation no matter what.
- in Apple tech, the users are volunteer products where servicing them gets a myriad of monetization, notarization etc.
- hope open source starts to ignore Apple platforms as a target at some point. Being "*nixy" and the presence of "brew" etc. gave the false impression Apple is in the open source camp.
The level of rationalization of these lock in practices is just sad to be honest, fully neglecting how software becomes more accessible.
Even signed apps have been victims of malware attacks and I do think the check is primarily to ensure the developer has paid their Apple tax. It isn't that high, but I don't think I want to spend it. If it becomes normalized, Apple will surely increase it and developers would have absolutely no handle to protest.
I think the true reason for the check is not money, but control. They want to control what software runs on "their" platform. For historical reasons, they don't have that control on desktops/laptops yet (but they already have it on phones).
I don't think that's a particularly good thing, but it does explain how <10% market share can make such a big splash. Especially for more casual projects, IMO.
People have been saying it since day 1 of the Apple App Store. It's called a walled garden and it should be attacked as the abuse of a dominant position it is.
Oh I'm against this latest erosion of the ability to run whatever code you want on a Mac. This is one of the reasons I just got one of the new Intel iMacs, because I can see this coming on the ARM side. It's their product though, they legitimately get a monopoly on what features it has, and I don't have any right to tell them how to design it. That's histrionics.
There is a legitimate case to be made though as customers as to how we would like to see the product develop. I'm behind that effort 100%.
The problem is that there's only one Apple Developer Program for both iOS and macOS.
If you get kicked out of the developer program for reasons related to the iOS App Store, you're also kicked out of independent Mac distribution outside the App Store. You no longer have true independence on the Mac either.
And to be crystal clear, that's the approach I am personally going to take. I carved off a TB partition and installed Windows 10 and WSL 2 on my new iMac and it runs like a dream. I still need macOS, and I'll be installing VirtualBox for some stuff. If the Mac gets to the point where I can't run all the applications and tools I need, I'll miss the hardware and the OS and some apps, but I'll jump ship. I hope they listen to us, but I intend to ask and argue, not tell or coerce through legal action.
This doesn't tell the whole story, because terms change. Even open source licenses change. Apple added Gatekeeper to Mac OS X in 2012. Before then, it was a pretty open platform. And other companies such as Microsoft and Google have been known to follow Apple in some respects, so just because one platform has better terms than another at the moment doesn't mean the platform owners can't change their terms on a whim. Apple/Google/Microsoft have close to all of the OS market share on both mobile and desktop, so it's not like there are a lot of choices, especially in the consumer space.
On the developer side, you can't really refuse to use the new versions, because they are required to support your software for the latest OS versions, which is where your customers will be. So if you don't, you lose your customers and go out of business, which is not much of a choice.
It's untrue that updates consist of nothing but new features.
Do that. I do so as well. But as a rule for society it seldom works. Too few people are willing or knowledgeable enough to withstand the lure of their individual short term benefit as opposed to the collective cost of their action. I mean, this very feature we are talking about is itself a protection of users against their short term desire: "Let me run this application, I want to see the dancing bunnies." And people fail to do so, even though the downsides are personal and sometimes very immediate. They could research who distributes the file, calculate the trade-off between the remaining uncertainty and the expected reward and come to a rational decision. Or they could just click! Just accept those terms and conditions. Just enter their credit card number on the Apple developer product page to get to what they want. And that's what most people do most of the time.
It's for this coordination and collective bargaining problem that we need to regulate the shit out of anything that reaches a certain size.
I wish the choice was simple, but it isn't.
It is a shame that people are forced to buy a computer and not reformat the disk to install their OS of choice. It is a shame that we can not take the money that we could be saving and investing in open alternatives...
But it is not a panacea and it is not for everybody. And it has two main issues:
- developers don't care about stability and/or polish (just see the discussions on the trackpad ITT) "Oh but if you change library X to Y and reroute libinput and etc it might maybe work and maybe it will not break anything else"
- because of the former reason, not all (important) applications are available to the platform. I'm really glad that a lot of things are online now, but that doesn't solve all problems
I've lost count of how many times wifi was supposed to work "out of the box" in Linux and it didn't. (And no, it wasn't an issue with drivers or wpa, it was the stupid Gnome NM widget - if I configured it manually it worked.) Or some other stuff. And sure, there is stuff that works better even than macOS.
- windows 10 - no privacy, hello telemetry, cortana, etc.
- mac os - no freedom to do anything not allowed by apple
- Linux - polish / ui issues?
At least with Linux once I configure it right it works without issue and does everything I want.
Currently that means Kubuntu 20.04, AMD GPU (or Intel integrated) and laptops that say they support it (Dell/Lenovo) or a self-built desktop. (I used Gnome until I hit your NM issue too and it did not allow me to move the top bar to the right... switched to KDE.)
I no longer have a fear of upgrading distributions/packages causing problems, nvidia drivers causing black screen after upgrade...
Still, I do not have UI issues and the polish is fine on Linux, was explaining how to get there.
Problem is people expect a $300 Linux laptop to work like a Mac usually... when you would need a similarly priced Dell XPS or Lenovo Carbon X1 plus a manufacturer that supports Linux, like the Dell Developer Edition.
I don't think the obstacles to adoption are based on the merits of Linux (or lack thereof). The obstacles are institutional. Businesses don't want to adopt Linux because that's a risk, and most people know Windows/Microsoft Office. Average people don't want to take a risk (installing Linux/buying a Linux box) with a device that is a decent-sized investment for most people.
Certainly I have issues with Apple, but it's a simple cost/benefit calculation. Right now the benefits of macOS vastly outweigh the downsides for me.
Unless Apple's problems increase to the point of being unbearable (very likely to happen at some point) or the quality of desktop Linux increases significantly (unlikely to ever happen), I just can't justify switching. And I expect many, many other people are in the same boat.
My computer is a tool. Idealistic notions about free software are nice, but they don't mean anything if that software is worse than a nonfree alternative. Free software needs to be _better_ to win, and I just don't see that ever happening in the consumer OS space.
Until an update breaks it because some asshole decided to break an ABI, or swap out a fundamental system component with a different one, etc.
So I guess what you're saying is true so long as you never update anything.
I have only 3 things I hit:
- NVIDIA driver updates (or kernel updates while using NVIDIA) - caused a black screen... I dumped NVIDIA... these are due to crappy NVIDIA.
- Ubuntu deciding to remove old libraries/apps that are not maintained. That's fixed via Docker or just keeping an old version.
- Major version upgrades (Ubuntu 18 to 20) - here I just re-install and it's expected, I wouldn't upgrade Windows 7 to 10 either...
Other than this I'm not sure what you are referring to, systemd vs sysvinit? (You only get annoyed by those if you are a power user anyway.)
Note: I set up automatic package updates every day and have not hit issues.
Why not? I've upgraded a few Windows machines from 7 to 10, and the upgrade has gone just fine, assuming there's enough disk space for the OS to store the upgrade files before it starts the upgrade. Similarly, I've upgraded Linux boxes (both Ubuntu and Fedora) across major versions. MacOS as well.
I don't know where you're getting this notion that an OS upgrade is a scary thing to do. In my experience, it's been a routine, if somewhat long process.
Also, I'm old, maybe things have improved, but I've had upgrades wipe my hard drive due to a CentOS Anaconda bug once (CentOS 5 to 6); other times it just did not boot (yay using an encrypted boot partition, but that's on me, and updating grub fixes it).
Added benefit is it also forces me to check/update backups
> NVIDIA driver updates (or kernel updates while using NVIDIA) - caused a black screen... I dumped NVIDIA... these are due to crappy NVIDIA.
This is a legitimate dispute and I'm not really counting it because, as much as I think Linux should have a stable driver ABI, NVIDIA are being needlessly obtuse.
> Ubuntu deciding to remove old libraries/apps that are not maintained. That's fixed via docker or just keeping an old version.
Which is not a simple task. Why can't keeping old software be simple? It is in sane operating systems. Hell, even Linux can do it right, as AppImage proves, but the Linux Desktop community is so hell bent on making everything as complicated as possible that they pretty much ignore AppImage.
> Major version upgrades (Ubuntu 18 to 20) - here I just re-install and it's expected, I wouldn't upgrade Windows 7 to 10 either...
Ubuntu LTS receives 5 years of support, but most new software will not be backported to the repository for anywhere close to that long in my experience and instead you're getting about 2 years. Windows 7 was supported for nearly 11 years and it was rare new software didn't support it for that entire time.
> you only get annoyed by those if you are a power user anyway
Precisely. Linux Desktop people seem to think that targeting people who only need a web kiosk is somehow going to make them popular, but if people who actually know about and need the features of an actual desktop computer don't like it why would they ever recommend it to anyone?
Care to share? I'm curious :)
> Which is not a simple task. Why can't keeping old software be simple? It is in sane operating systems. Hell, even Linux can do it right, as AppImage proves, but the Linux Desktop community is so hell bent on making everything as complicated as possible that they pretty much ignore AppImage.
Resources make it complicated (time/money/...). I wouldn't maintain another person's library that he doesn't bother with.
> Windows 7 was supported for nearly 11 years and it was rare new software didn't support it for that entire time.
You are comparing a paid product with something free. For better or worse new software works on older Ubuntu versions as well, but you need to compile it or work to get it there. Or just upgrade.
I assume you can also switch to Red Hat, which has paid support.
> Precisely. Linux Desktop people seem to think that targeting people who only need a web kiosk is somehow going to make them popular, but if people who actually know about and need the features of an actual desktop computer don't like it why would they ever recommend it to anyone?
My point there was if you are a power user you should be able to get it working, it's a skill that's very good to have. Other less skilled people don't hit it by virtue of not playing around.
The 'Linux Desktop' people that you say are targeting things for better or worse put in time to build free products, if you don't like some switch to others or contribute.
I did. I used to run Linux on 4/5 of my desktops and now that is down to 1/5, and only because I haven't turned that one on in 6 months. My complaints are made no less invalid by that.
Contributing to Linux Desktop is, in my considered opinion, a waste of time. The community is so dead set on doing things in the most convoluted and complicated ways possible that there is no hope for reasonable ideas.
I for one am the reverse, tried recently using windows and it just got in the way, plus felt like I was being spied on like old times under communism...
Last year I tried macOS/MacBook but I can't even move the titlebar to the right... Plus Apple restricting everything I can do... Plus I couldn't install Linux on the MacBook, crappy keyboard, overheating, easiest return I ever did.
Otherwise Linux since forever.
I'm pretty much Windows-only at this point. It definitely has its flaws, and it is definitely getting worse as the new "let's make everything suck as bad as the web" culture takes hold, but I still find that it works with me much more often than against me, which is more than I can say for the way Linux desktops work.
It is not a matter of recommending Linux or *BSD or anything else. It is just a matter of refusing to give in to closed software on the grounds of "convenience".
I don't go around telling people what type of software they should use, but I do expect technical people and the common developer to understand what a terrible trade-off they are making when they choose a proprietary desktop. I find it hard to sympathize with those that complain about the abuse and developer hostility from Apple. They sold their souls to the devil for cheap and are now trying to bargain their way out of it?
I don't mind people that tell me they need, e.g., Photoshop to do their work. I do mind the fact that they don't contribute to any alternative. Just paying the subscription to Adobe and shrugging it off, instead of hedging and contributing to the alternatives? Shame on them.
Imagine 10% of Adobe customers donating 10% annually of what they pay to Adobe to contribute to the development of an open alternative; we'd have hundreds of millions of dollars. How long would it take until Adobe would no longer be needed or at least be playing on a more level field?
Even more so in the case of the stereotypical web developer that uses a MacBook when every other tool they use is FOSS. Puts $2k on a laptop that will only cripple you and work against you and still thinks this is somehow good "User Experience"? To me this is like failing an IQ test.
I have seen what happens when people try to help. At best they are ignored. As I've said before, it is my considered opinion that the community is simply not interested in making things better. I would be totally ok with that if they weren't also evangelical.
And also, there's only so much time in the day, some of us have higher priorities than building replacement software for stuff that already exists.
> there's only so much time in the day
Then contribute some other way instead of just expecting the "community" to accommodate you and your opinions. I'm pretty sure that you won't be ignored if you find the developers responsible for the projects you care about and spare 10-20 bucks their way alongside a list of the issues and proposed improvements.
Same difference really if our opinions of what constitutes "better" are so drastically opposed.
> Then contribute some other way instead of just expecting the "community" to accommodate you and your opinions.
I have contributed both code and money to projects I think are doing good work. Sadly there are very few of them.
> I'm pretty sure that you won't be ignored if you find the developers responsible for the projects you care about and spare 10-20 bucks their way alongside a list of the issues and proposed improvements.
I can say with confidence that most of the projects I've donated to have given me absolutely no special treatment just because I contribute money. I wouldn't have it any other way really; issues are issues regardless and they should be fixed with regard to severity, not who has deep pockets.
Hell, that's probably one of the reasons things in Linux land are so ungodly complicated right now: FAANGs are calling the shots because they have the deep pockets.
I am not sure I follow. You mentioned somewhere else that Lubuntu was the one that gave you the least problems and that you are now using Windows. Coincidentally, Lubuntu is the flavor that looks the most like older versions of Windows.
To me it looks like your assumption is that anything that does not look like Windows 2000/XP is "worse". If you are starting from this point, don't be surprised if others disagree and ignore you.
(Myself, I've been using Xubuntu for the past 8+ years, but I am really not liking the direction Canonical is taking with snap. Perhaps I will switch to Debian + XFCE when I get a slow weekend, but this has nothing to do with desktop issues. It's not perfect, but the worst problem I can remember was related to getting a blank screen after resuming from sleep, which I solved by changing the screen lock program.)
> FAANGs are calling the shots
What the big companies are doing is related to the infrastructure side of things and has nothing to do with the desktop - perhaps except Google and their ChromeOS, but Google's ChromeOS approach is looking each day more and more like turn-of-the-century MS and their "embrace, extend, extinguish".
Anyway, perhaps the issue is that you are conflating "Linux" with "Open Source Desktop" and expecting a central place to solve all solutions?
> To me it looks like your assumption is that anything that does not look like Windows 2000/XP is "worse"
That's a very condescending conclusion to draw. I found LXDE less complicated and significantly snappier than alternatives that had their own Ubuntu derivative. I chose an Ubuntu derivative because Ubuntu has the widest range of supported software.
But hey, it all has to do with how it looks right? Thinking like that by the Linux Desktop community is why you guys still aren't taken seriously.
> What the big companies are doing are related to the infrastructure side of things and have nothing to do with the desktop
The desktop experience is not wholly separated from the infrastructure beneath it. The init system, the event subsystem, hardware management, network management, sound system, display server etc. are only abstracted in the leakiest of ways.
> Anyway, perhaps the issue is that you are conflating "Linux" with "Open Source Desktop" and expecting a central place to solve all solutions?
Unfortunately it pretty much is the only option that is even remotely viable. But mostly I focus on problems with Linux because it has by far the most evangelical community.
It's been since at least 2012 that I last installed Linux and couldn't connect a printer or scanner. Meanwhile my wife's laptop on Windows asked to reinstall drivers every time she wanted to print something. Webcams? No problem. Wi-fi? No problem as long as I didn't try to use a chipset that was either too obscure or too new and unsupported.
The one thing that I gave up on having on my laptop is low-latency audio to connect a guitar and use software audio effect processors. But the way I solved this was by using a separate old laptop with a custom kernel dedicated to being my "guitar effect box". I still didn't have to give up my freedoms and I did not have to give up any functionality/comfort.
> But hey, it all has to do with how it looks right?
I believe you when you say that LXDE was snappier than the other Ubuntu alternatives, but were the alternatives slower than whatever version of Windows you have now? That would be very hard to believe.
So forgive me for sounding condescending, but you went with probably the most obscure and least popular Ubuntu flavor - the one that has probably almost no funding from Canonical and maybe a handful of developers interested in it. What were you expecting, exactly?
If Ubuntu was bad for you, maybe try Fedora? If you wanted a more knowledgeable community, maybe try Arch? Why not, instead of sticking with your preconceptions of how things should work, ask what others are doing that lets them be productive on a FOSS desktop? Why is it that upon hitting difficulties your reaction is to go back to the comfort zone of a proprietary and familiar system?
> only option that is even remotely viable
We must have very different thresholds for defining "remotely viable". From http://www.daemonology.net/blog/2020-05-22-my-new-FreeBSD-la... :
"Is FreeBSD ready for the desktop? Yes and no. Yes, in that I have a very nice FreeBSD laptop where everything works the way I want. But no, in that it took me two months worth of fiddling with this in my spare time to fix some of the "glitches" which arose; while there wasn't anything particularly challenging, I expect that most people would give up long before they fixed all of the issues I ran into.
On the other hand, can FreeBSD be ready for the desktop? Absolutely. I've fixed the issues I ran into — and once we have FreeBSD 12.2-RELEASE with packages built for that release the process of bringing up a GUI will be much easier, as well. The biggest thing FreeBSD needs is to have developers acquiring laptops and carefully working their way through the issues which arise; the FreeBSD Foundation has already started doing this, and I hope in the months to come they — and other FreeBSD users — will publish reports telling us which laptops work and what configuration they need."
> Which is not a simple task. Why can't keeping old software be simple? It is in sane operating systems. Hell, even Linux can do it right,
I've wondered about these things, and I think the true reason is that Linux is a source-compatible operating system.
Other OS's solve this by the boring and painstaking task of assuring binary interfaces are stable and remain working. They usually do this by hiring and paying people to do it.
Linux does all compatibility at the source level, and binary compatibility is a little hit or miss. The common way to fix it is to recompile a lot of stuff.
As one example, I installed Ubuntu 18.04 and it should be Long Term Stability.... but I did an
apt-get update && apt-get upgrade
I use Linux Mint and love it.
MS Teams, Skype and a surprisingly good list of software runs on it natively.
A Hackintosh inside VirtualBox IS a pain to set up, but pretty cool when it works. Windoz inside VirtualBox works better than ever, thanks to MS's new attitude on embracing Linux... which is still hard to wrap my head around.
My point is that if you are willing to sacrifice your freedom for the convenience provided by the hypercapitalistic (sic, and lol at how pathetic this term is) companies, then don't complain about the lack of choices available.
> developers don't care about stability and/or polish
Try paying them just a fraction of whatever premium you paid for your iDevice. That might help.
There are alternatives out there. So it becomes really hard to claim anti-trust.
Apple already owns the customer because they’ve invested in the platform, but they’re not providing equitable access to software that other platforms are. This isn’t revealed to the customer though, so it’s not clear as a user that choice is being restricted in this way.
A lot of Apple’s practices have been legal up until now due to their minority market share in all markets they operate in - but what we see those markets as is changing. The App Store is a massive multi-billion dollar industry in itself that Apple holds and exploits 100% control over.
Whether or not a violation has or is occurring is for lawmakers to decide based on whether or not the App Store (or Google Play for that matter) constitute markets within the definitions provided by local laws.
I suppose if you're a socialist you probably don't understand how it all works without a government edict giving you instructions and making sure you and your neighbor have the same marginal product.
However, even without this edict, rest assured that you can make the change without the government allowing you to... Feel free to switch.
If you mean the hardware, it's OK I guess. It still lacks basic computer features like PXE booting (unless you count the proprietary "netboot"). You can't really install much on it or use it for anything but macOS, which really isn't that great, IMHO. For the same cost as a MacBook, I got a really nice PC laptop with double the specs that runs Linux flawlessly. I can also update the CPU, GPU, and RAM, which I can't do with a MacBook.
My go-to laptop these days is the Lenovo ThinkPad X1 (either Carbon or Yoga): very nicely built with a great keyboard, I hardly (if ever) hear the fan noise, and except on a couple of models where the fingerprint driver isn't present, it works flawlessly ootb with Linux.
They used Comet Lake instead of Ice Lake - that results in things like the HDMI port supporting only 1.4 (i.e. no 4k@60 there). It makes their current ones non-competitive with the 2020 XPS13 or 2020 MBP13, which do come with Ice Lake.
That was wishful thinking from the get go.
No commercial UNIX was ever in the open source camp; in fact they are the very reason why GCC, after being ignored for several years, got a bunch of helping hands as Sun started the trend of separate user and development UNIX versions.
Also given the NeXTSTEP heritage, UNIX on NeXTSTEP was always a means to get a foot in the door on the DoD UNIX requirements; there was nothing open source about Renderman, Lotus Improv and many other NeXTSTEP based tooling.
Six months later a teenager from a country you didn't know existed sends you an email - and the teenager would like source code please. They are legally entitled to that source code because of Bill's offer.
The written offer rule is deliberately the worst case. You should never choose GPL "written offer" with the expectation that this is reducing your work load or whatever, if you want least work just ship the source code with your program and fulfil the purpose of the GPL up front.
— GPL 3, Section 6, alternative (b).
Yes, in GPL 3, a link would be enough, but the link must be already provided with the distributed program; you don't get to give the link only to those people who ask for it.
In GPL 2, a link is not OK, you must be prepared to send people the source code as “machine-readable copy”, “on a medium customarily used for software interchange”.
GPL software can be used for any purpose, you just have to pass along the rights you were provided if you redistribute it.
But that’s for Apple’s X server, so maybe Bash’s is different? But I couldn’t find anything about that in a quick google search.
Don't know why Apple doesn't just devote 1 engineer to do something like homebrew or macports.
Their ROI just on hardware sales will be very high. Maybe all the unix guys retired or left and there are only rounded window corner Xcode guys left.
Certainly. From what I've read here on HN you basically can't publish a line of code (or even star things on GitHub) on your own, presumably for secrecy reasons.
What's that about? The "macOS User Guide" is available online only?
Apple's focus is on maximising profit, and ours is on maximising mapping and the width of our membership, especially after the entryism attempt last year ( https://news.ycombinator.com/item?id=19008792 ).
We've also recently received a non-profit signing certificate from Apple through our German local chapter, and two of us are working on getting JOSM automatically signed and notarized. Our workflow is at https://github.com/thomersch/josm/blob/master/.github/workfl... and a JOSM.app built yesterday can be downloaded at https://github.com/thomersch/josm/actions/runs/214334897 .
$99+ every year is a lot of money to an independent open source developer who's in most cases losing money for their work. The fact that a company worth $2 trillion is demanding it - it's really beyond outrageous.
Many of us used to pay for every single piece of software that we had to run on top of our already expensive computer, around 2000 euros in today's money.
It's also a straw man, since I was talking about an OS developer wanting to publish their software, and you're attempting to sink it by portraying it as referring to a consumer wanting free stuff.
The subject of your conclusion, 'current generations', is also so vague as to be redundant. Current generations who are alive? Generations of 21st century? Of modernity? Of the West?
I'm afraid this is not a very good HN post.
What you're referring to is the top-tier MSDN subscription, which is something that very few organizations will require.
This is in contrast with Apple, which requires you to pay $99 regardless of whether you're an individual or a corporate entity.
The exception is being able to realistically develop for a platform with little/no expense. People really are spoiled by FOSS tooling.
There are people that make visual novels, text based games and other indie stuff (without using Apple tools; most are Python, Java or web tech) for free or a few bucks. I think they would not pay the Apple tax and would either not support Mac at all or link to some instructions to work around these limits while it is possible.
How many people stick with iOS because of all the apps they like, which may not be available on Android?
At minimum one would need the Shareware or PD disks tax to get hold of some similar compiler.
Sure, but in the case of an open-source developer working on macOS, he has already paid for his operating system; if he is using GCC, he has already paid everything the GCC developers require; why then must he pay extra money to Apple in order for other people to run his software in a straightforward manner on their machines (or, in the future, at all)? How is Apple even a party when two people wish to transact, when one writes and compiles free software on his hardware (paid for) and software (paid for) and the other runs it on his hardware (paid for) and software (paid for)?
Ironic that you mentioned GCC; it only came to be because Sun made their development tools an additional payment on top of the base Solaris price.
DG/UX, AIX, HP-UX, Tru64, Solaris, and some Linux boxes ironically not considered serious enough for production deployments.
Apologies for the hijack...
Back to the main issue with right click.....
For that particular case, if you post the URL or location I can take a look if you want.
Thanks for putting me right.
So there's no point (is there?) letting any old people send in corrections, and waiting years...?
Perhaps you notice that (as a gross example too large to be likely) the big field a few kilometres away from you that's used to fly aeroplanes isn't labelled on OSM. You don't know much about maps or aeroplanes, but it's not on there.
If you go into an OSM editor and tell it that's an airport you're probably unintentionally adding false information. Because it probably isn't an airport, there's a good chance OSM cares exactly what it is, like maybe it distinguishes controlled and uncontrolled airfields, maybe it would prefer you label the area one way, and then also label any marked runway (perhaps there isn't one) separately. There's a Wiki full of instructions about the best way to label things. Sometimes there are also local conventions, maybe the Wiki says not to distinguish uncontrolled airfields, but in your area a convention has arisen to add a specific marker for them. All this is stuff that an editor ideally should know, but a random person who thinks "Hey why isn't this on the map" doesn't know.
For small corrections (such as changing a business from a pub to a store, adding a road, naming a street…) it's perfectly accessible to anyone interested.
For sure for complex edits (like touching important objects such as airports) it's better to make a note if you're not familiar with it.
Interestingly enough, it seems to be possible to notarize someone else's app, so perhaps it might be a worthwhile use of my developer ID to provide this service to people I trust but don't want to shell out money…
If you check the code signature of a Developer ID signed app, you'll see the developer's name and Team ID from the signing certificate. This guarantees the app was signed by that developer, as long as the developer has kept their private key secure.
First you sign the app, then you upload it to App Store Connect for notarization. It's an "open secret" that Apple has allowed any Apple Developer Program member to submit any app for notarization, even if the app wasn't signed by them. Apple really wanted all apps notarized. Whether Apple will crack down on this practice in the future, who knows.
The notarization "ticket" is signed by Apple, not by the developer. I've heard of developers who discovered that someone else notarized their app. But nobody else can put their "name" on the app except the owner of the Developer ID certificate. If you Developer ID sign someone else's unsigned binary, you're presenting it to the world as your own. But that's not the case with notarization. Nobody except Apple knows who submitted an app for notarization.
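The Team ID check described in this comment, as an added example that is not code from the thread or from Apple: it parses the text that `codesign -dvv` prints on macOS and accepts the app only if the leaf "Developer ID Application" certificate and the `TeamIdentifier` field both carry the Team ID you expect. The sample `codesign` output, the bundle path and the Team ID `ABCDE12345` are constructed; on macOS you would feed in real output with `codesign -dvv /Applications/Example.app 2>&1 | check_signer EXPECTED_TEAM_ID`.

```shell
# Added example, not from the thread or from Apple. Verifies who signed a
# macOS app by parsing `codesign -dvv` output (codesign writes it to stderr).

# Constructed sample of `codesign -dvv` output for a Developer ID signed app.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2020 at 00:00:00
Info.plist entries=20
TeamIdentifier=ABCDE12345
Runtime Version=11.0.0
Sealed Resources version=2 rules=13 files=10
Internal requirements count=1 size=200'

# check_signer EXPECTED_TEAM_ID   (reads codesign output on stdin)
# Returns 0 when the app carries a Developer ID signature whose leaf
# certificate and TeamIdentifier both match EXPECTED_TEAM_ID, 1 otherwise.
# Ad-hoc signed or unsigned apps show "TeamIdentifier=not set" and no
# "Developer ID Application" authority, so they are rejected as well.
check_signer() {
    expected="$1"
    output="$(cat)"
    team="$(printf '%s\n' "$output" | sed -n 's/^TeamIdentifier=//p' | head -n 1)"
    leaf="$(printf '%s\n' "$output" | sed -n 's/^Authority=Developer ID Application: //p' | head -n 1)"
    if [ -z "$team" ] || [ -z "$leaf" ]; then
        echo "REJECT: no Developer ID signature found (TeamIdentifier='$team')"
        return 1
    fi
    case "$leaf" in
        *"($team)") ;;   # the leaf subject must end with the same Team ID
        *) echo "REJECT: TeamIdentifier '$team' does not match leaf '$leaf'"; return 1 ;;
    esac
    if [ "$team" != "$expected" ]; then
        echo "REJECT: signed by team '$team', expected '$expected'"
        return 1
    fi
    echo "OK: signed by '$leaf'"
    return 0
}

# Usage on the constructed sample: the first call accepts, the second rejects.
printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | check_signer ABCDE12345
printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | check_signer ZZZZZ99999 || true
```

The check deliberately looks at the Team ID rather than the human-readable name, because the name is free text chosen at enrolment while the Team ID is what the certificate binds to the account; comparing both the leaf authority line and the `TeamIdentifier` field guards against output where one of them is missing.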
Note that I'm not necessarily arguing that training people to click "yes, yes, continue..." is a good idea. Digital security is my day job and I totally see why Apple wants digital signatures for software. However, the message is opaque about what is really going on and just tries to scare people into buying "trusted" software rather than using free software: that developer fee doesn't pay itself.
> perhaps it might be a worthwhile use of my developer ID to provide this service to people I trust
I was thinking the same, we could pool the money, but figured Apple almost certainly prohibits that "for security".
How does a certificate let "macOS verify the app is free from malware"?
(1) and probably a manual review if the App under analysis was found to call into any but a whitelist of “safe” system APIs.
Without the code signing, you can’t be sure that the app you’re seeing is the same one Apple‘s servers saw. It might be a copy of the app that has had a virus injected into it (which has happened quite a few times recently in pirated macOS software.)
How so? Even if they don’t catch malware during notarization, Apple also reacts pretty quickly to invalidate a developer’s code-signing certificate if they use it to sign apps that contain malware (as soon as Apple is made aware of that malware-app, for which they maintain relationships with both major antivirus vendors and independent security researchers.) Your computer then receives the new Apple code-signing CRL in a silent update, and won’t run the app (or any app by that developer) any more. Even if you’re offline at the moment, and so can’t contact the notarization servers to find out the app has been denotarized, as long as you’ve been online at any point since the CRL was updated, you’ll be protected. (And where does malware come from? These days, 99% of the time, the network. So if you stay offline, you’re extremely unlikely to run into novel malware anyway. And if you’re online to receive the malware, you’re almost certainly going to have received the CRL update first.)
And sure, there’s a small period of vulnerability before Apple is made aware of new malware; but most malware infections are not from zero-day malware, but rather from malware that’s been going around for a long time already. (And I believe they also push ‘disinfectant’ logic in those same silent updates that update the code-signing CRLs, same as Microsoft does with Windows Defender. So the usual “join a botnet, hijack your browser” kind of malware can simply be reverted.)
Plus, there’s the whole System Integrity Protection thing, meaning that macOS malware can’t really do anything to permanently subvert the Gatekeeper infrastructure, since it lives in the “untouchable” root partition. (It could do something clever with a system extension, but as of Catalina you have to explicitly activate those in the Security preference pane; and probably, as of Big Sur, you won’t be able to activate them at all.) So it’s only people with SIP off (i.e. system extension developers; Hackintosh owners) who would even feel any sort of “deep impact” from any of this malware. Meaning that macOS malware authors basically don’t bother to try to “deeply embed” their malware into the OS, given that the process will only actually work on a tiny fraction of systems.
Anyway, all that being said: it’s not like Apple said they can’t “guarantee” that the app is free from malware, implying that signed+notarized apps would be guaranteed free from malware. They just say they can’t “validate” that the app is free from malware, implying that the apps that don’t show this warning have been “validated” by Apple—i.e. audited, to the best of their own abilities and current knowledge. Signed off on, like a home inspector signs off on a house. And that’s exactly the case. Apple has “validated” those apps. That doesn’t translate to some technical guarantee of safety, like running the app in a VM would give. It only translates to “you can trust this app to the degree that you trust Apple’s validation process.”
It’s exactly the same claim that Chrome and Edge are implicitly making when you download software through them on Windows: the software gets “validated” by Google/Microsoft as not containing malware to the best of their knowledge. It’s an antivirus signature scan, combined with a trustworthiness heuristic based on whether the developer was willing to sign their software. The only difference is that, in Apple’s case, the “antivirus scan” part happens on a server somewhere, asynchronously, rather than on the client. But it’s the same level of effective security.
Granted, you could quibble with the details (does pointing out that you can't verify that it's free from malware imply that you could verify that it's free from malware if there were a certificate?). But calling the message "intentionally" (!) misleading?
I... don't think misleading means what you think it means. Misleading statements (pretty much by definition) don't imply falsehoods. They "merely" "suggest" falsehoods to those who don't already know better. If they intentionally "implied" falsehoods then they would be called "lies", not "misleading".
2) Apple documentation says (my highlight) "The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly."
Is the claim that Apple is not actually scanning notarised software for malicious content?
3) Random unsigned apps presumably have not been scanned, and might contain malware. I still fail to see the problem, or what's misleading (and "intentionally" so!).
No, the claim is that just because Apple _hasn't_ scanned some particular piece of software for malicious content, that doesn't necessarily mean it _does_ contain such.
> 3) Random unsigned apps presumably have not been scanned, and might contain malware.
Exactly: they _might._ But popping up big hysterical warnings about it strongly implies, particularly to less technically well-versed users, that they _do._
> what's misleading (and "intentionally" so!).
Strongly implying something that is obviously not true, that's what's misleading. In fact, AFAICT, that is the very definition thereof. And unless they're putting stuff they didn't intend to say into the dialogs they pop up, then yes, it is obviously intentional. Is the claim that their dialog text is un-intentional?
> I still fail to see the problem
Two hoary old quotes (or is the first a proverb? Maybe literally, from Proverbs) come to mind:
1: Nobody is as blind as he who does not want to see.
2: It's hard to make a man see something he doesn't want to see, particularly if his salary depends on him not seeing it.
(Personally, I do data warehousing / ETL programming for a living; currently at the Finnish Social Security Agency.)
I don't think so; the concern would be revocation. If someone does a bad thing and Apple pulls the cert, all your friends would lose access.
I wonder if it would make sense to do ring-based instead (r0 being most trusted)
macOS is becoming an increasingly difficult platform on which to release software. We're going down the notarization rabbit hole (which is a nightmare), but given that we don't fit on the App Store, it's very obvious that Apple doesn't want us on the platform.
My suspicion is that they will eventually charge $$$ for a "developer unlock" on Apple Silicon, a move that I think will make both Windows and Linux look increasingly attractive to developers.
Don't mind me, I'm just annoyed that Microsoft won't add support for ssh-copy-id.
I should also note directly launching the binary inside the App bundle from Terminal bypasses the UI dialog. The assumption is you know what you are doing in that case.
You can also remove quarantine flags from anything you download and after that you don't have the right click option either.
xattr -dr com.apple.quarantine ~/Downloads/Absolutely-Not-Malware.dmg
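Before stripping the quarantine attribute it is worth reading what it records, as an added example that is not code from the thread or from Apple. The value is a semicolon-separated record of flags, the download time as hex Unix seconds, the application that downloaded the file, and an event UUID; the sample value below is constructed. On macOS you would obtain the real value with `xattr -p com.apple.quarantine file` and pass it to `parse_quarantine`.

```shell
# Added example, not from the thread or from Apple. Reads the fields of a
# com.apple.quarantine value instead of deleting it blindly.

# Constructed sample value; real ones come from
#   xattr -p com.apple.quarantine ~/Downloads/file.dmg
SAMPLE_QUARANTINE='0083;5e6b3c1d;Safari;B8E3DA59-0000-4000-8000-000000000000'

# parse_quarantine VALUE
# Splits "flags;hex-time;agent;uuid", prints the fields readably and sets
# Q_FLAGS, Q_EPOCH, Q_AGENT and Q_UUID for the caller. Returns 1 when the
# time field is missing or not hexadecimal.
parse_quarantine() {
    IFS=';' read -r Q_FLAGS hex_time Q_AGENT Q_UUID <<EOF
$1
EOF
    case "$hex_time" in
        ''|*[!0-9a-fA-F]*) echo "malformed quarantine value: '$1'"; return 1 ;;
    esac
    Q_EPOCH=$(printf '%d' "0x$hex_time")   # hex seconds since the Unix epoch
    echo "flags:     0x$Q_FLAGS"
    echo "download:  $Q_EPOCH (Unix time)"
    echo "agent:     ${Q_AGENT:-<none>}"
    echo "event id:  ${Q_UUID:-<none>}"
    return 0
}

# Usage on the constructed sample.
parse_quarantine "$SAMPLE_QUARANTINE"
parse_quarantine "garbage" || true
```

The download time and the downloading agent are what an incident responder wants when a machine turns out to have run something it should not have; once the attribute is removed with `xattr -d`, that record is gone from the file, so capture it first.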
Yes I see now what you mean and with that background Xenadu02's reply does make a lot more sense.
Don't have access to a Apple Developer Transition Kit, so was not aware of the new requirements.
It isn't. Apple's view of the world is that computer users are non-technical consumers who need to be protected from others and themselves, and that Apple are the ones to offer that protection. Open source is antithetical to this view because it puts the responsibility on the user, which is the last thing Apple wants.
I can sympathize to some extent with this view. There's obviously a large (perhaps majority) share of computer users who it describes - just not small/independent developers/hackers. Those users are better served elsewhere.
E.g., a reader would have to understand the perspective of the developer to even start to guess what that might mean. (Why would a developer pay or not pay $99 to Apple for verification? How do the implications of that affect my decision to run this program?) It would be pretty much meaningless to the average non-developer user.
I agree the price of notarization should be a nominal incremental cost. I don't know if there are many level 3 people doing MacOS development, but if so, there needs to be a cheaper price for them. (The numbers of level 1 and 2 MacOS developers must be practically nothing.)
>>I also can't imagine $100 is easy to come up with in countries below level 4
Someone who is developing for the Apple platform specifically has already spent ~$1000 on devices. Say they couldn't afford to build explicitly for Apple; they instead develop for the web using a Raspberry Pi and try to leverage smartphone capabilities using PWAs. Alas, Apple throws in hurdles there as well so that your PWA doesn't function properly on Apple devices.
I get it, perhaps this is part of Apple's aspiration i.e. 'You should deserve to be part of the Apple ecosystem' which is enticing to its customers.
But what's overwhelming to me is, Apple's blatant hypocrisy.
Exhibit 1: Data
Apple calls Google by name, questioning its business model around data, and proudly claims 'they chose not to do business with data'.
Then why does Apple advertise its products using Google Ads?
So, it's like 'I will call out dirty work, but I will use the results of that dirty work for my own advantage'.
Exhibit 2: Values
Apple claims itself to be the beacon of human rights.
a. We know Apple was included among a list of other companies supplying user data for snooping in documents highly regarded to be genuine.
b. We know Apple actively cooperates with an autocratic regime and its highly publicised 'Privacy features' aren't applicable there. But Apple never includes 'USA only' when it advertises its 'Privacy'. Moreover, when confronted with proof of Apple's platform being actively used for exploitation of minorities, it outright downplayed/dismissed the impact of it.
Ignoring the fact someone might have been given a Mac by someone else, or bought one second-hand for less, or that they might be working on a computer they don't own themselves, why is it that someone who can afford $1000 for a Mac can automatically afford another $100? Surely there has to be an amount that you assume they can't afford, right? If they can afford 10% more then why not 15%? Or 20% or 100%?
You're applying a sort of reverse of Zeno's Arrow to affordability, and I think it shows a distinct lack of understanding of how money works when you don't have all that much of it.
My main machine is a linux one. Costs nothing to write software on that of course.
I get the feeling that developers who 'came of age' in the last 10-15 years will slowly discover RMS was right all along.
Someone who has invested in ~$1000 specifically to develop applications for Apple ecosystem has to invest $100 to release the application, that is the overall context of my statement in that sentence.
>You're applying a sort of reverse of Zeno's Arrow to affordability, and I think it shows a distinct lack of understanding of how money works when you don't have all that much of it.
Cherry picking part of my sentence to make a statement, then claiming to throw insight about my understanding of how money works based on how much of it I have seems like using your own logical fallacy intentionally to make an ad hominem argument.
> ...Then why does Apple advertise its products using Google Ads?
Congratulations, this cracks top 5 oddest Apple hater argument ever posted in this land of many of 'em.
Why again? In the world of silos and proprietary platforms it's an absolute godsend that PWAs even exist.
If you could give a justifiable answer to what you've quoted from me, I'm all ears.
Apple’s alternative to google ads is essentially no online advertising.
"Here are the sources, here are the binaries, here you subscribe to get access to signed binaries that run without the scare quotes"
Not to mention it undermines the purpose of notarization, so if it became popular enough they'd probably just squash it.
There'd even be a conceivable but unlikely scenario where some automated scan deep inside the Apple publishing pipeline would detect an otherwise undetected malware intrusion in some upstream dependency or badly vetted commit and thereby indirectly protecting the users of the unsigned copy, by acting as a canary.
sudo spctl --master-disable
This removes all of these dialog boxes entirely.
Does this change affect running unsigned binaries from the terminal?
Apple has as low as 0% penetration in those countries. The market has solved this problem. They still use technology; there are alternative platforms. Android, Windows, ChromeOS, KaiOS, and desktop Linux (which has as high as 5% market share in India) are cheap to use and develop for. It was always going to end up this way. There's the brand for the haves and the brand for the have-nots. Although even people on welfare in the United States have iPhones, consider that they're still the elite in global terms.
What they primarily "do" is have an identity to sue or pursue in case of issues. That keeps everyone in line.
They do the same on Windows of course and on Linux package managers.
When Windows 10 finds an unsigned installer it shows a dialog with a Don't Run button and, as the name suggests, clicking that button does not run the installer.
To run the installer the user needs to first click on the More Info link which will then present the user with an option to Run the installer.
Here's an example: https://www.zeusedit.com/images/zeus_install.png
The CCADB can tell you which CA roots are trusted by Microsoft for this purpose:
You're looking for a CA which has Microsoft Trust Bits including Code Signing, and Microsoft Status of "Included"
Price: A couple of hundred bucks per year. Vendors with very well known brands like DigiCert's "Symantec" brand (famous despite the fact Symantec actually ran their CA so terribly they ended up selling the brand to DigiCert... the CA they'd operated was distrusted) maybe $500 a year and higher. But your users don't care about the brand, so pick a cheaper product like Sectigo's; they work just the same.
It's a little more expensive if you want "Extended Validation" aka "EV Code Signing". If you write Windows kernel drivers you need this, otherwise it might only make the UI shown to inquisitive users nicer so don't bother unless you hate money.
NB. Yes ISRG (the people behind Let's Encrypt) are trusted by Microsoft but no they aren't trusted to provide Code Signing certificates, even if they wanted to, which they do not.
And this is why out of spite I developed "ClickTwice". It's certainly not as good as ClickOnce but at least I ensure they use the latest version of the apps I dev.
KSoftware has a really good reputation.
For years, Windows got laughed at by EVERYONE because there was so much malware on it - in part because of its laissez-faire approach to letting the user install anything from anywhere.
Mac went for the closed garden approach and there's hardly any malware, adware, scareware or whatever -ware you can think of on the platform, which is one of the reasons why Mac is safer and considered to have a better user experience.
Curation is not a bad thing. And if an open source application wants to become popular for the masses - not the HN power user crowd, which represents only a small percentage of potential customers - they have to conform to its rules.
Likewise, they will want to be available through the Windows store as well.
Using the tools and platforms offered by the OS developers is the lowest friction option for installing software.
As for poorer people and countries, isn't this where the open source charities come in? Isn't this where the big FAANGs - including Apple - and the investors and everyone that earned billions off of software should come in? I mean come on, it's only $99.
Gatekeeper is a commercial boiling-frog lock-in strategy sold as a security feature nobody asked for.
> open-source charities
Open-source, as a term, was invented in order to sell what was then called Free Software. It has nothing to do with charity.
> Curation is not a bad thing
Apple does little or no curation on the Mac AppStore, because the amount of developers using it is still relatively low.
This comment makes it seem like installing software outside of a curated store is responsible for security issues, but this is exactly what Linux and other like OSes do. You can install apps from anywhere and I'll wager you'll find less malware, adware etc. for them in the wild, than the Mac. Granted usage of these platforms as a Desktop is way lower making it a less attractive target for bad actors, but much of it owes to inherent OS design.
> And if an open source application wants to become popular for the masses - not the HN power user crowd, which represents only a small percentage of potential customers - they have to conform to its rules.
Open source applications have been popular with the masses way before the curated store app store model came into place. Publishing on an app store has a good chance for increasing outreach, but it should not make distribution and installation of applications in the classical way more cumbersome, should the user so desire.
The difference is that there is no rent seeking and you can choose your curator.
It would be hilarious if Facebook, Apple, Google, Microsoft, Amazon, Netflix, etc. decide to start a charitable foundation which just deposits $99 checks into Apple's bank account. They should do it. I wouldn't be able to stop laughing.
Curation, in the sense that Apple uses the term, is a bad thing because it creates a false sense of security. It blurs the line between protecting users from security threats and protecting Apple's business interests.
If Apple was truly interested in protecting users, they would keep these things separate as much as possible.
But they're doing the exact opposite. They keep mixing these things up as much as they can in order to shield their questionable business practices from scrutiny.
On top of that, the iOS side-loading ban is clearly aiding and abetting human rights violations.
So small utils and stuff, smaller open source projects etc. are not legitimate? Or should they shell out $99 extortion fee to have the pleasure of giving stuff away for free? This is just one of thousands cuts that will kill traction for Mac software.
I mention this since these stores are more comparable in size than Mac v Windows.
> As a Mac developer, it's nearly impossible to run a viable software business when this is the first-run experience of new customers. You'll never get any new customers! This is why every Mac developer I know signs up for Developer ID and ships only signed, notarized apps. It would be financial suicide to do otherwise.
If you have hung your shingle out to make a profit, then the developer account, signing, notarizing, etc. is a cost of doing business, and you can easily justify it. The more customers you get, the more money you get, so you are motivated to reduce the first-run friction.
If you are not in it for profit, you probably have a lot more tolerance for a little first-run friction, and having users drop out of the funnel. Fewer users does not affect you financially. As a hobbyist programmer, I wouldn't care. I'm just releasing a program--not looking to dominate a market.
I don't need to make money on my side projects. I do, however, want to help people. If I can't help people on a Mac because of the install friction, then it isn't worth my effort to create a MacOS port of my software at all.
But what if I'm not doing this for profit? Can Nirsoft or Mozilla apply for a waiver? Can I? We may not be looking to dominate the market, but it would be a shame if our work just went to waste because people would rather pay for something crappier that is closed source rather than our free (as in freedom & beer) software.
(Yes, Mozilla is a huge project where it isn't worth employees' time to apply for a waiver; I just needed at least one name that people know is a non-profit software developer as an example.)
Because that's part of what this mechanism tries to provide...
There is no universally agreed-upon definition of malware. One man's operating system is another man's malware. For me, an operating system that "calls home" for each new executable you compile is a crystal clear case of malware. In the case of this article, then, the only malware in question is macOS.
Sorry to the grandparent, but this is nothing like the halting problem...
Close your browser and monitor your network traffic. Compile a hello world with a unique text string. Run it. It calls home the first time you run it. Then it doesn't.
If you are not connected to the internet, it does not call home indeed.
Here is a concrete description of this experiment: https://sigpipe.macromates.com/2020/macos-catalina-slow-by-d...
I just reproduced it on a newly installed macOS 10.15.6
Doesn't have to be. Just the common user's definition is OK.
>For me, an operating system that "calls home" for each new executable you compile is a crystal clear case of malware. In the case of this article, then, the only malware in question is macOS.
Which is neither here, nor there.
Users who know how to verify checksums know how to work around unnotarized Mac apps.
That's the whole idea to protect from malware. You don't want the software publisher (which could just as well be a malware publisher) in control.
It's impossible in the general "is this file malware?" case.
It's totally possible in the "is this file a copy of known malware?" case.
It is clear to you that you're writing fine open source software, not malware. But how is the consumer supposed to tell?
If people trust you, why bother with the checksums? (Over HTTPS, the downloaded content cannot be tampered with. If someone tampered with the content on your website, or performs a MITM, they can also replace the checksums.)
1. You submit your app bundle and your credentials to Apple for notarization.
2. Apple records your information and goes through each library, framework, and your code, checking the code signing info and "fingerprint" of each for known malware.
3. Apple issues the ticket for stapling to the app bundle.
Now say, for example, that libffmpeg-0.1.2-beta2.dylib is found to mine cryptocurrency:
1. Apple goes through their database and finds the app where the malware was reported.
2. Apple marks that fingerprint as malicious.
3. Apple now flags any other apps that use libffmpeg-0.1.2-beta2.dylib (by checking the fingerprint) and disables any versions of any app running that version. Additionally, any other attempts to notarize apps with the malicious dylib are rejected.
Notarization provides 2 major benefits for devs that I can see:
1. Apple doesn't need to revoke your entire certificate just to block one version of an app.
2. Apple's audit trail of who notarized the app (and from where) prevents cases where stolen credentials result in a DoS of the victim (e.g. your account being locked, your name and address permabanned, and funds frozen).
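A simplified model of the component-fingerprint step this comment describes, as an added example that is not code from the thread and not Apple's implementation: every file inside a bundle is fingerprinted with SHA-256 and checked against a denylist, so one reported library (here the `libffmpeg-0.1.2-beta2.dylib` name from the comment) blocks every bundle that contains it while the developer's signing identity is left alone. The bundle layout, file contents and denylist are constructed for the demo; the real notary service's internals are not public and may differ.

```shell
# Added example, not from the thread or from Apple: fingerprint-based blocking
# of one bundled component, independent of certificate revocation.

# Portable SHA-256 of one file (sha256sum on Linux, shasum on macOS).
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# scan_bundle BUNDLE_DIR DENYLIST_FILE
# Fingerprints every regular file under BUNDLE_DIR. Prints one
# "BLOCKED <sha256> <path>" line per component whose fingerprint appears in
# DENYLIST_FILE (one lowercase hex digest per line) and returns 1; prints
# "CLEAN <dir>" and returns 0 when nothing matched.
scan_bundle() {
    bundle="$1"; denylist="$2"
    flagged=$(find "$bundle" -type f | sort | while IFS= read -r f; do
        h=$(fingerprint "$f")
        if grep -qix "$h" "$denylist"; then
            echo "BLOCKED $h $f"
        fi
    done)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    echo "CLEAN $bundle"
    return 0
}

# Builds a constructed stand-in for an app bundle in a temp dir and prints
# the directory path. The dylib contents are just labelled text.
make_demo_bundle() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Example.app/Contents/MacOS" "$dir/Example.app/Contents/Frameworks"
    printf 'main executable (constructed)\n' > "$dir/Example.app/Contents/MacOS/Example"
    printf 'good library (constructed)\n' > "$dir/Example.app/Contents/Frameworks/libgood.dylib"
    printf 'library later reported as a cryptominer (constructed)\n' \
        > "$dir/Example.app/Contents/Frameworks/libffmpeg-0.1.2-beta2.dylib"
    echo "$dir"
}

# Usage: scan before and after the dylib is reported.
DEMO=$(make_demo_bundle)
DENYLIST="$DEMO/denylist.txt"
: > "$DENYLIST"                                   # nothing reported yet
scan_bundle "$DEMO/Example.app" "$DENYLIST"       # -> CLEAN
# After the report only the dylib's fingerprint is added; the developer's
# certificate and the other components are untouched.
fingerprint "$DEMO/Example.app/Contents/Frameworks/libffmpeg-0.1.2-beta2.dylib" >> "$DENYLIST"
scan_bundle "$DEMO/Example.app" "$DENYLIST" || true   # -> one BLOCKED line
rm -rf "$DEMO"
```

The point the model makes concrete is the first benefit listed above: the decision is keyed on the content hash of the offending component, not on who signed the bundle, so a developer who unknowingly shipped a bad dependency is cut off for exactly that build rather than losing their whole identity. Content hashes also mean a renamed copy of the same library is still caught, while a rebuilt library with different bytes is not, which is why a real service would pair this with the signing and reporting steps the comment describes.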