The power that tech companies accumulate with tactics like this, and the justifications for that power, are strangely reminiscent of autocratic governments: we decide which programs you can develop and run, and we can levy an arbitrary 30% income tax (on top of regular VAT). But don't worry, it's all for your safety and security!
While there is some truth to the security argument - security after all is sometimes at odds with freedom - good computer security can certainly be achieved without this degree of centralization of power. Maybe you can't protect a determined user from hurting themselves, but that seems like an acceptable price for freedom.
Frankly, I’m afraid your premise is a bit of a straw man argument.
I’m constantly running npm, mvn, sbt, docker and some that download hundreds of megabytes from unknown organizations, hosted on unknown servers, written by unknown developers.
Next to that, I’m running desktop applications downloaded roughly under the same circumstances, and was the update image it just installed when I opened it genuine? Transmission was 0wned, as well as Handbrake. Any other I was never aware of? Perhaps one that I’m currently using?
I have several GB of irreplaceable (to me) photos and financial documents on this laptop. When was the last time I tested my cold-storage restore procedure? (Hint: never.) What if I get hit by a ransomware? What if they grab my GAccount cookie and run away with my identity?
All this makes me fret, and aware of how vulnerable my information persona has become.
I can run Linux, and trust Ubuntu or Debian or whatever to thoroughly audit and verify every line before PGP signing any package released for distribution (riiight, it’s already a gift out of free will, am I going to make demands now?) I could manage, begrudgingly though because I’m more interested in using the tool than to constantly grind its sharp edges.
But what about normal users? Not necessarily idiots. Just people that haven’t explored the dense thicket of Linux on the desktop and ACPI, and kernel driver (oh, by the way... what about those drivers?) Don’t they have the right to some trust and expectation of privacy? (that they can immediately forego and upload to Facebook)
Why must everyone constantly have to risk their own neck to defend someone else’s perception of freedom. Why should they all pay (in terms of risk and time mitigating against it) for something that someone else presumes it would benefit them?
Apple can abuse their grip on their integrated platform. Apple can turn this infrastructure into a rent-seeking scheme, into extortion.
But for the time being, they can’t deliver cryptographic app control soon enough.
Heavily sandboxing apps by default is fine, and some Linux distros are, slowly, moving to do this - see e.g. AppArmor and Snap.
Even giving warnings by default about unsigned apps requesting high privileges would be fine if the implied message weren't basically "everything we haven't checked is malware". Something like "We nor any other provider you've chosen to trust have no idea who made this and we haven't checked if it contains malware. This program may steal and delete all your files. Be really sure you trust the author before running this." would be much more honest.
Good security does not require a single entity becoming the sole gatekeeper and taxman for a huge fraction of users.
> Why must everyone constantly have to risk their own neck to defend someone else’s perception of freedom. Why should they all pay (in terms of risk and time mitigating against it) for something that benefits someone else alone?
I'm not advocating for Windows-levels of "install anything with access to everything with barely any warnings". And I wouldn't say you're "constantly risking your own neck" if you deliberately ignore warnings.
In computing as in society, I don't see how we can remove all possibility of getting cheated into hurting yourself (by installing malware in this case) without essentially submitting to some form of autocracy. And I think freedom benefits almost everyone, at least indirectly. As a concrete example, in the Apple/Epic case, an alternative game store would likely result in healthier competition i.e. lower prices. As another example, Hong Kong protesters with iPhones would have had an alternative way to coordinate: https://www.bbc.com/news/technology-49919459
> Even giving warnings by default about unsigned apps requesting high privileges would be fine if the implied message weren't basically "everything we haven't checked is malware". Something like "We nor any other provider you've chosen to trust have no idea who made this and we haven't checked if it contains malware. This program may steal and delete all your files. Be really sure you trust the author before running this." would be much more honest.
Well, what you ask is what's written in the very first prompt screenshotted in the blog post; it says "the developer cannot be verified", "macOS cannot verify that this app is free from malware." I don't see how this choice of words is much different from your proposal.
I don't want to go too deep into the "alternative store" discussion, it's much broader than this, but let me just say Adobe Flash. I don't think Apple will ever relinquish the strategic power to force developers to adopt APIs and track their lifecycle, and never again have to deal with the Flash scenario.
If they let the door open to "alternative stores" good luck explaining to the general public how it's not their fault if <insert major app> works like shite and kills hardware performance. As an example, to this day, people still rant about Apple's "proprietary music file formats" when really it's just bog standard mp4 (it's even unencrypted... you can copy it over to any industry-standard decoder and you're good to go). Good luck with WMA (if they're still around) or whatever madness Sony came up with.
The moment they would decide a major overhaul, you'd see "alternative app stores" advertising "backward compatibility", "freedom from Apple's treadmill", fragmenting user experience in an endless passing of blame about whose fault it is for the rot.
> Well, what you ask is what's written in the very first prompt screenshotted in the blog post; [..] I don't see how this choice of words is much different from your proposal.
There are nuances about the UI and wording as discussed elsewhere in this thread, but my main objection is about Apple positioning themselves as the only one who decides which apps don't get that warning.
> [..] I don't think Apple will ever relinquish the strategic power to force developers to adopt APIs and track their lifecycle, and never again have to deal with the Flash scenario.
I don't see how alternative stores would prevent Apple from breaking backwards-compatibility on an OS they would still control. Even open source projects do BC breaks as they see fit. And I think Microsoft demonstrates that proper BC is something a company the size of Apple could well afford to do if they cared to.
The Flash case could be seen to support my position as well. Wasn't it a case of Adobe getting into a dominant position (for their particular niche) and then "abusing" it by letting Flash stagnate with awful security? It's good that we eventually got rid of Flash, but wouldn't it have all been much easier if Adobe had never become that dominant in the first place?
You can of course say Apple would never let something stagnate in that way, but all companies have their (sometimes shifting) priorities and interests. Often they'll align with you as the user - that's the nice thing about capitalism - but there's no guarantee that they always will (e.g. that Hong Kong example), and a dominant player in the absence of healthy competition is always incentivized to charge as much as the market will bear.
> If they let the door open to "alternative stores" good luck explaining to the general public how it's not their fault if <insert major app> works like shite and kills hardware performance.
Is this really that big of a problem? Seems like something platforms already deal with by surfacing and by default restricting apps' energy use etc, though this too can be a double-edged sword. I have a few apps on Android that need to constantly show a pointless notification just so they can run in the background, and they have legit reasons to do so, and I'm OK with the battery drain.
Again I'm compelled to draw an analogy to society: freedom indeed requires some degree of responsibility and understanding from everyone. Benevolent dictators are a great place to "outsource" all that. The trouble is that they (or their successors) rarely stay benevolent for long, especially if you're not in their ingroup. I've yet to see power accumulation have good long-term consequences in history.
We are fast becoming corporate citizens, for better and for worse: https://www.youtube.com/watch?v=l3pkkSNRug4