macOS unable to open any non-Apple application (twitter.com/lapcatsoftware)
2603 points by mattsolle on Nov 12, 2020 | 1278 comments



All: there are multiple pages of comments; if you're curious to read them, click More at the bottom of the page, or like this:

https://news.ycombinator.com/item?id=25074959&p=2

https://news.ycombinator.com/item?id=25074959&p=3

https://news.ycombinator.com/item?id=25074959&p=4


Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this in my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
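The hosts-file workaround above, as an added example that is not code from the thread: POSIX sh functions that check whether a hostname is sinkholed in a hosts file (exact name match, comments ignored), add the `0.0.0.0 ocsp.apple.com` entry idempotently, and remove it again. The function names are mine; the hosts-file path is a parameter so the functions can be tried on a scratch copy (the real file is `/etc/hosts` and needs root), and the flush step is the one from the comment above.

```shell
#!/bin/sh
# Added example (not from the thread). Manage a temporary sinkhole entry for
# ocsp.apple.com in a hosts file. The entry also blocks certificate revocation
# (OCSP) lookups, so it is meant to be removed once the outage is over.

MARKER="temporary sinkhole"

# sinkhole_address HOSTS_FILE HOSTNAME
# Print the address HOSTNAME maps to in HOSTS_FILE. Trailing "#" comments are
# stripped and only an exact hostname field counts, so "ocsp.apple.com" does
# not match "ocsp.apple.com.example" or a commented-out line.
sinkhole_address() {
    hosts_file=$1
    name=$2
    [ -r "$hosts_file" ] || return 1
    awk -v want="$name" '
        { sub(/#.*/, "") }                      # drop trailing comment
        NF < 2 { next }                         # need address + a name
        { for (i = 2; i <= NF; i++)
              if ($i == want) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$hosts_file"
}

# is_sinkholed HOSTS_FILE HOSTNAME
# Succeed only when HOSTNAME maps to a non-routable address, i.e. the line is
# a block rather than a real override.
is_sinkholed() {
    addr=$(sinkhole_address "$1" "$2") || return 1
    case "$addr" in
        0.0.0.0|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# add_sinkhole HOSTS_FILE HOSTNAME
# Append "0.0.0.0 HOSTNAME" with a marker comment, unless already present, so
# that remove_sinkhole can later delete exactly this line.
add_sinkhole() {
    if is_sinkholed "$1" "$2"; then
        return 0
    fi
    printf '0.0.0.0 %s # %s, remove when the outage is over\n' "$2" "$MARKER" >> "$1"
}

# remove_sinkhole HOSTS_FILE HOSTNAME
# Delete only the marker line added above. The file is rewritten in place
# with cat so its ownership and mode (important for /etc/hosts) are kept.
remove_sinkhole() {
    scratch=$(mktemp) || return 1
    awk -v name="$2" -v marker="$MARKER" \
        '!($1 == "0.0.0.0" && $2 == name && index($0, marker) > 0)' "$1" > "$scratch" &&
        cat "$scratch" > "$1"
    status=$?
    rm -f "$scratch"
    return $status
}

# flush_dns_cache
# The refresh step from the comment above (macOS only, needs root).
flush_dns_cache() {
    dscacheutil -flushcache && killall -HUP mDNSResponder
}

# Usage on the real file (as root):
#   add_sinkhole /etc/hosts ocsp.apple.com && flush_dns_cache
# and once the outage is over:
#   remove_sinkhole /etc/hosts ocsp.apple.com && flush_dns_cache
```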


So yesterday I wrote about the blurring lines of ownership, and people came back with some fairly disparate responses. It's fair to say that I was mostly dismissed. https://news.ycombinator.com/item?id=25058952

And this is why I won't be moving to Apple silicon. Apple already has the ability to restrict what apps I can run (they can simply toggle a switch for all users to "no unsigned binaries"), and congrats! Apple is the sole decider of what we get to use on our computers.

Of course Apple's Craig Federighi assures us that the people making such assertions are "tools" (https://youtu.be/Hg9F1Qjv3iU?t=3177 , timestamp 53:33) and they have no intention whatsoever of taking away our ability to do general compute on the machines we buy and own.

Except...

Apple can already decide what binaries you can execute. Should they choose to.

Apple is now restricting what other OSes you can boot into. As they've chosen to.

Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.

It's clear where they're going. And I'm jumping ship. It's painful to do so, given how invested I am in the ecosystem, but we're already beyond the threshold that many of us would have left earlier in the decade.

---

edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer. Most non-Apple laptops don't have very good color accuracy. They also don't have good trackpads, and their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad so that I don't have to carry around a mouse, good speakers would be a plus, and light enough that I don't feel like I'm lifting weights while working on my laptop. And this package should ideally come with 512GB of SSD storage and, at least, 16GB to 32GB of RAM.

Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

Any suggestions?


Yeah so basically in the Windows world, a lot of the good laptops are under the "business class" of the various manufacturers:

Dell Precision, HP Elite Book, MSI Prestige

In the consumer world the Dell XPS, Asus Zenbook, Asus Pro Art are the way to go for a designer.

Dell Precision is probably the overall best laptop. MSI Prestige is targeted right at you though, with color accuracy and a good display. The only brand I can personally vouch for is Dell. My partner and I use XPS's, and a good friend of mine has a super nice Precision that I am jealous of (specifically the ports! I'm so over USB-C)


Lenovo Thinkpad is another popular line, seems conspicuously absent from your list. They're known to have good resale value, and to work well with Linux. If you're getting up to the Precision line, the Lenovo P series workstations are also worth considering, though given they're actually professional-grade machines with Xeon and Quadro parts they'll be more expensive than a Macbook Pro.

There are also boutiques like System76, that white label, upgrade, and manage driver compatibility for Clevo laptops which may be worth considering, they just came out with a new Lemur Pro like yesterday.


Check Thinkpad screens carefully as a lot of the new AMD ones come with terrible 'business class' screens that I don't want to use as a developer, let alone as a designer .. and a repairman told me they are glued on these days so you can no longer swap them as you used to be able to.


Can confirm. I made the mistake of buying a T14s with a Ryzen 4000 CPU in it

The screen was something like 30% color accurate

Using something like F.Lux or Redshift to shift the color space at night resulted in...this

Linux: https://www.youtube.com/watch?v=UhLBx4mmPrM

Windows: https://www.youtube.com/watch?v=QgjqeDF9c50

Lenovo refused to replace the panel with a less atrocious SKU, claiming I could instead purchase it for a "mere" $600 USD(!)

Thankfully Australia has strong consumer protection laws and I was able to get the unit returned and refunded


Lenovo P series workstations are also worth considering

I have a P72 and it is garbage. Plugged into a docking station it works OK as a really expensive mid-range workstation. Trying to use it as a laptop causes the fans to spin like crazy, performance throttled to shit and battery life of maybe 90 minutes for even fairly modest workloads. The similarly specced Dell Precision I had before was much better in every way and was actually usable as a laptop.

The P5X series that many of my colleagues have seem much better.


>Trying to use it as a laptop causes the fans to spin like crazy, performance throttled to shit

So, just like a MacBook?


I was going to say - that does sound very much like my MacBook Pro.


The P4X series is also working quite well - I went with that for the smaller footprint. Since I mostly dock it, the smaller screen is acceptable for the limited amount of time I use it undocked.


Lenovo might be known that way, but they are exceptionally bad at supporting Linux. https://www.notebookcheck.net/Lenovo-admits-ThinkPad-CPU-thr...

As far as I know this issue is still not fixed so I have to use this hack: https://github.com/erpalma/throttled

I’ve also had tremendous Thunderbolt-related firmware issues that could only be fixed in Windows. If you use Linux, there are much better options than Lenovo. I still use my T480 daily but I miss my old XPS 13, which gave me no issues ever.


Exceptionally bad is a bit harsh. Windows is first tier support with Linux coming in as a second. In my experience they are pretty good about fixing remaining issues in firmware updates, which can be installed using fwupd (I don't have a Windows partition at all). I believe there's even a GNOME Software front-end if you prefer things being very easy.

I don't need to use throttled on my X1 Carbon 7th and they recently added mainline support for the fingerprint reader. All I had to do was enable it in GNOME Settings.


I have an X1 Carbon 7th and need to use throttled to get full power.

Try running a performance test with s-tui to see if there's a difference.

On Arch the command to enable the fix is:

    sudo systemctl enable --now lenovo_fix.service


I love my X1 (also 7th). This is the laptop which made me retire my actual desktop. Bought a docking station and a MOTU 8A for sound connectivity, and have no need for a classical desktop since.

I am not into gaming or graphics though. Still, with my (unusual) usage pattern I get almost 10 hours battery life time on the road, and all the CPU power I need locally. For heavy stuff, I compile remotely anyway.


I can't stand the (lack) of brightness on my X1 7th gen. Is that not a problem for you?

I can't for the life of me get it to be bright enough to use in a lit room. A bit of hyperbole here, but I basically have to hide in a closet and stuff a towel under the door to see the fucking screen. I love the keyboard, but I basically won't use the thing now because it's such a drag to use.


I am blind (no joke), I couldn't care less about brightness :-) Well, actually, no, I execute a script after boot which basically does:

    # Turn off the keyboard backlight and the display backlight via sysfs,
    # skipping any device that is not present on this machine.
    for backlight in leds/tpacpi::kbd_backlight backlight/intel_backlight; do
        dir="/sys/class/${backlight}"
        if [ -d "${dir}" ]; then
            echo 0 > "${dir}/brightness"
        fi
    done


I had similar thoughts after purchasing my X13 AMD, not sure if you're experiencing the same thing I did. I was extremely disappointed with stock brightness when I first turned it on.

Turned out windows power saving and battery settings actually capped my brightness. So my user-controlled "100%" (via keyboard) actually becomes more like 60%, depending on the power profile.

As soon as I got a new m2 ssd, I shelved Windows and installed Fedora WS, which has no such issue. That is, if I say I want 100%, it obeys.

You can quickly test with either a live USB, or tweaking your power profiles.


I don't think I've ever even set my 7th gen X1C to full brightness, it's perfectly usable. Is this a problem you tend to have with screens?


This is the only screen I've ever had to fight with to get something bright enough, and I'm nearing 40 so I've been through a metric buttload of computers and screens. It is hands down the worst screen I've ever had (and I still have a couple ~ 2006 20" acer lcds pressed into service in various comms closets and shop space in my house). The brightness on these is appalling and it doesn't help that Mint insists on resetting the brightness to 60% on every boot so I feel like I'm trying to walk through a house of horrors with only a single birthday candle for light.

Edit: the joke is that the house of horrors is my code


Thinkpad was one of the first laptop series which supported Linux explicitly.

Their competitor was Compaq NX series (HP EliteBook of today). Dell was late to the party and closed the gap by actively developing software for Linux (DKMS, Privacy Drivers, etc.).


I don't think you can conflate classic Thinkpad and current "Thinkpad".


Are they doing anything to prevent Linux from running well on them? As far as I can tell, all of the big three (XPS, EliteBook and Thinkpad) are considered enterprise devices, and their BIOS, IO tables and hardware layouts are crafted with Linux compatibility in mind.

They're explicitly sold with FreeDOS option to imply that you can directly install Linux on them.

Even my run-of-the-mill desktop shows more soft-errors about IO layout and memory mapped devices on board.


Why not?

Lenovo's ThinkPad line is still quite differentiated from their other offerings. What are your objections to it?


When IBM didn't like the panels they could source for Thinkpads, they started a new company called International Display Technology to manufacture panels they did like. Thinkpads used to be special.

While it's entirely possible there's a connection between decisions like that and IBM's PC division being unprofitable enough they sold it to Lenovo, it might be reasonable to hope that Lenovo would make the effort to offer competitive panels when it's obviously possible for their competitors to source them.


>Lenovo might be known that way, but they are exceptionally bad at supporting Linux.

Absolutely no trouble on x395. It's been running Linux (Arch) for a year, and it is my main system.


Piling on to say I cut my teeth on Linux installing Breezy Badger on a Thinkpad T20. Since then I’ve never struggled with a Debian based OS on Thinkpads.


I run Linux (Debian) on my Lenovo X1 Carbon and it works perfectly.


Linux works perfectly on mine as well, but I use Fedora.

The trackpad is bearable, and I have a 3rd generation so my 1080p screen isn't IPS, but it works well enough for $200.


Not sure about Carbons, but for T-series there are aftermarket IPS displays that you could swap for the original TN ones. Could be done in 30 min, with no previous experience, just with the service manuals from Lenovo and enough dexterity to handle a screwdriver.


The firmware issues are fixed just fine with fwupdmgr. It also integrates nicely with Gnome.


You can even buy thinkpads with ubuntu out of the box now, so hard disagree.


I don't know about Ubuntu, but Lenovo offers machines with Fedora already installed.


> Lenovo has now admitted to the problem – and announced that it will be fixed.

How is that exceptionally bad support? I'd say that's the opposite.

I get firmware updates on my X1C because Lenovo decides to work with fwupd and the open source community, something most manufacturers refuse to do.


I sent my Lenovo in for warranty service for a faulty SSD ribbon cable and... they lost it. And they haven't replaced it. They've told me four times over the course of the last five months that I'll get a call in 3-5 business days. It has never come of course.

I know I'm not alone; even just in my circle there are two other stories of horrible mishaps with this company.

Lenovo makes some decent machines, sometimes, but their warranty service is not to be trusted.


I have always used their on-site service. Tech always comes out the next day and fixes the issue.


Lenovo took around 100 days, within warranty period, to replace my motherboard of my Ideapad Y500 because the parts were not available. I am never buying any Lenovo product ever again.


I've got a P51. It's essentially always on fire and the fans are really loud.

Not sure I'd recommend it. Build quality is very good however.


P51S might have been a better choice then.


The P51S is "slim" and has poorer thermals than the P51. Why would it be a better choice?


It uses low-power components (U rather than H CPUs for example) and isn't capable of generating nearly as much heat, regardless of what you're asking it to do.


Switching from a Core H to a Core U will cut your perf in half. I like my XPS 13 but in all fairness it struggles to run Firefox with YouTube+Gmail+Slack and Office open all at the same time. As someone who primarily uses beefy desktops, it feels about as snappy as a Core 2 Duo machine with DDR-400.


Having used everything from xps to surface book 2, no laptop comes close to a ThinkPad. I am pretty much a fanboy of ThinkPad keyboards


I used to be too, until they changed them


Big bonus of the proper "business" laptops also is support. Wouldn't want a work machine I rely on without on-site support anymore (of course ideally you want a machine that never needs support, but since you can't rely on that from anybody...)


Indeed. Worth looking at the Thinkpads with this as well. A lot of the 3 year old discarded corporate units still have a couple of years of warranty left on them and Lenovo actually honour it!


Lenovo has got to be amongst the top, imho.


Interestingly, Apple covers more than sRGB, their panels are now being set to the broader DCI-P3 gamut. Whereas these laptops (at least in 2019) were slightly less than the sRGB gamut on testing. Except for the Surface Book:

https://imgur.com/a/6dGz3LO

I got these results from, https://www.notebookcheck.net/MSI-Prestige-15-A10SC-Laptop-R...


I got a 2019 Dell Precision 5540 with a UHD OLED, 3.840 x 2.160 and have 100% DCI-P3. And I think many other OLED screens have it too.

When I configured the laptop I could choose from these options:

FHD IGZO4, 1.920 x 1.080, 100% sRGB

UHD IGZO4, 3.840 x 2.160, 100% AdobeRGB Touch

UHD OLED, 3.840 x 2.160, 100% DCI-P3


Almost no displays get 100% when tested for gamut coverage. I'm not really sure why, I think it's some testing artefact. At this point (around 99% sRGB) what you should be looking at is coverage in larger gamuts (here 84.8% AdobeRGB).


> In the consumer world the Dell XPS [...] are the way to go for a designer

I have to use a Dell XPS 9560 and had two issues with it that most people never realize:

1. The Intel Thermal management driver is buggy so the device shuts off on very high-load tasks. You have to find the old driver on the internet and install it, and prevent Windows from reverting to a new driver.

2. Only after two years of hanging connections and dropped UDP-packets I ran a speedtest and realized that this is not my home-internet being weird, but a systemic problem of the Wifi-card, which others have reported on the internet as well. Switched cards - getting windows to recognize the new one was difficult - and now I have normal Wifi.

Both of these issues are terrible for customers, and I still wish I wouldn't have ignored/overlooked the Wifi-issue for so long, as it interrupted work for a very long time.


Dell XPS 9360, good keyboard and touchpad, but my two issues: Dell software for updating drivers is just buggy. In general Dell can't write good consumer software.

Second is the same as yours, the Killer Wi-Fi is subpar. Can't keep a steady connection. Can trigger bluescreens if resuming without power cable and running Firefox (I think). Have not changed my Wi-Fi card yet.


I seriously recommend the switch. I went for an Intel AX200, costs about $50, and my download speed went up 8 fold.


I got an XPS 15 7590 in part because I read that the "Killer" Wifi problems of old were finally fixed. Well not for me, after waking the laptop I have to manually disconnect and reconnect Wifi for it to work. Have not had time to contact support about it yet, but I'm very disappointed that they've stayed with "Killer Wifi" after the long history of problems.


I looked up the MSI Prestige and apparently there exist a limited edition of it that's completely pink, I mean really, really pink: https://www.msi.com/Business-Productivity/Prestige-14-A11X-P.... Not a big fan of the color, but it sure is interesting to see. I now wonder if the color would be a good deterrent for thieves.


I use MSI laptops almost exclusively although they're definitely wiped and reinstalled to win10 ltsc or freebsd.

In as much as I love the Mac touchpad for kanji/hanzi input the 2015 pro will probably be my last.


Wow, the way Craig is laughing at the question and so dismissive of it is really insulting. Maybe it's the more casual nature of the interview/discussion, but this really is the crappy icing on the cake of Mac users' continuously-declining control over the machines they spend their hard-earned money on. "Where do you even begin to come up with that theory"?? I mean, maybe we're seeing the gradual hampering of control over our computer with every OS X release in the past 5-10 years?


Get a Thinkpad. I replaced a 2015 MacBook Pro with a Thinkpad P1 Gen2 and love it. The trackpad isn’t as nice. The keyboard is better. Running WSL2 you have a great Unixy development environment in Windows. Or just install Linux. As thin and light as a MacBook Pro. Much better thermals, though still not awesome. Other, somewhat larger Thinkpads have better thermals. You can upgrade your RAM, add 2 SSDs and other peripherals like a 4G card etc if you like. Thinkpads come with fantastic service. Next business day on-site repair including for accidental damage and they mean it. Looks: It’s the design Apple copied for their very first laptops and is IMO better looking. They got it right the first time and haven’t changed it materially. Built like a tank. Not quite a tough book but they will take some abuse.


Lenovo was caught 3 times installing spyware on their machines. I don’t know why people forgive that


Because any self-respecting developer will reformat and reinstall Windows or ideally Linux and problem solved, no spyware.


Not when they’re doing it at bios level, formatting is useless.


Yep, here's a nice summary of that situation that someone made on Reddit: https://www.reddit.com/r/SuggestALaptop/comments/3gxoh9/psa_...


That BIOS level requires the operating system to execute a certain ACPI table as a Windows executable.


I have that exact laptop (work provided) and I’m not a fan. Trackpad is OK but not nearly as good as my Mac. 4K display sometimes looks amazing but the color accuracy is terrible and there’s a weird speckle texture that I assume comes from the touch overlay. I have a thunderbolt dock that supplies 85w of power but the machine refuses to charge from it and requires connecting the huge external power supply. But the worst part is I’ve gone through several incidents where some update occurred (never could narrow it down to one in particular) and I started getting multiple blue screens a day.

Edit: forgot one more annoyance. The laptop seems to frequently power off completely overnight even though it should just be sleeping/hibernating.


I am still surprised by the number of people that want trackpads

If Lenovo would come out with a laptop with no trackpad I would be the first to order it, I normally disable the trackpad completely..

Traditional mouse or even a trackball are far far better


> I am still surprised by the number of people that want trackpads

I occasionally have need to use a laptop in conditions where a mouse is inconvenient, so i prefer to have a trackpad, but I find that even the best trackpad is far inferior to a mouse. (Trackball, at least the kind that gets integrated into a laptop, isn't an improvement, IMO over a trackpad.)


On my Macs I have always used both mouse and trackpad. When I use a PC like the thinkpad I usually ignore the trackpad.


Never had a blue screen. Haven’t had the power off problem though there is a distinction between regular sleep and deep sleep. When coming out of deep sleep it boots up like normal and restores RAM from disk. Don’t have a touch screen but have the highest end, non-touch 4K screen Lenovo offered. They also offered a very good HD screen and a not so good 4K screen. Display is not as good as on a Mac but this is more a Windows problem than a hardware problem. If color calibration is an issue, you could have had them calibrate it for you for 25 bucks when you ordered it. I believe Lenovo support can send someone to calibrate later on too for a somewhat higher fee.


If I got a Thinkpad I'd switch to Linux. I absolutely can't stand the Windows UI.


Linux UI is far worse than Windows. It's not even close. I use Linux but definitely not for its UI.

Windows can out-of-the-box do HiDPI, multiple monitors, multiple desktops, trackpad gestures, hardware accelerated UI rendering, facial recognition logins, and more. It was designed as a desktop OS.

On Linux some things are getting better if you stick to the Wayland+GNOME stack, but it's still so bad I can't recommend it to people on technical grounds. Use it if you believe in free software, not because you think it's "better" (it's not).


I am seriously wondering why Linux UI development is lagging so much considering it’s at the forefront of many developments, and probably with the world's best devs using Linux. I can only come up with that its console-centered approach doesn’t attract a lot of UX designers of caliber to take it to a new level.


Most of the money being thrown at Linux is to make it better on a server. The laptop/desktop market is dominated by Microsoft, with Apple a distant second.


My thinkpad works very well with linux, I recommend Zorin or Arch


Arch is only a recommendation for people with a fair bit of experience. I have some experience, and I still needed to check some webpages to find out what I was missing when I tried installing Arch as the official manual doesn't spell out every step that is needed.

For something "easy", for people who don't have time or experience, I would instead recommend Pop!_OS https://pop.system76.com/ ; flash a live USB stick and you can try it out on your hardware without needing to install it first.


I've been using Ubuntu for over a decade because my days of fiddling with my computer to get things to work are over. In general, Ubuntu just works without much configuration on the user's end.

I've noticed a trend where people who are new to Linux will jump on Arch because they believe it'll give them more power, or that they'll learn more by using it. Or people will install Kali because they think it is what hackers use, and completely miss the fact that Kali isn't meant to be installed at all.

It's all Linux under the hood, and you get the same amount of power no matter which distro you use. And when you use a distro with sane defaults like Ubuntu, you're able to dig into the internals whenever it suits you, and not because an update broke your computer.


The biggest problem with Linux is not enough people use it so you run into all kinds of edge cases with hardware and software. I just stick with Ubuntu because it's the most popular, so the most likely someone bumps their head on the problem before I do, and maybe I find their stack exchange question or bug report when I search.

I've been very happy with Ubuntu 20.04. Not without issues, but overall it's been quite stable and snappy (pun intended) and I prefer it to macos and windows.


Arch is neat, and their documentation and forums are amazingly great. However, I have zero desire to be my laptop's sysadmin. Pop! OS runs great on my Thinkpad.


If you have a simple setup and friendly hardware (e.g. all Intel), the sysadmin burden is super low.

In this regard, only NixOS compares. Even macOS is much much worse, as you need to go through upgrades. I have used the same Arch install for 8 years.


If the only concern is the install process, I would recommend Manjaro. It has its own installer, but you still get the powerful pacman package manager and the Arch repositories which are the most cutting-edge around.


I've had Manjaro bork itself a couple of times. I'd recommend against it.


How do you run photoshop?


Photoshop works pretty well in Wine, and Windows runs quickly using KVM.

Linux also has native support for hardware pass-through if your machine has an IOMMU, so you can give virtual machines direct access to graphics cards and get GPU acceleration in your VM, along with USB devices, etc. VirtIO is built into the kernel and can provide you with paravirtualized network and storage access, which can speed things up considerably.


People working in Linux will use GIMP, but you can also use Photoshop in a virtual machine, or possibly even natively using WINE. Here is a link for someone who did just that: https://www.archviet.com/how-to-run-photoshop-on-linux-with-...


Or Krita, some people have a strong preference for it.


> they can simply toggle a switch for all users to "no unsigned binaries"

That switch was toggled with Big Sur and Apple silicon: https://mjtsai.com/blog/2020/08/19/apple-silicon-macs-to-req...


While true, that doesn't mean that an Apple-controlled key decides which apps will run:

> There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker. This new behavior doesn’t change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Apple silicon Mac computers and enable the system to better detect code modifications.

(Source is the link you provided.)


NotebookCheck is a great website for laptop reviews. They even get into the nitty-gritty details of display calibration, input devices, power consumption, etc.

Here's a list of the laptops with the best displays: https://www.notebookcheck.net/The-Best-Notebooks-with-the-Be...

And here's a list of general multimedia laptops that would be roughly equivalent to a MacBook Pro: https://www.notebookcheck.net/Notebookcheck-s-Top-10-Multime...


I find that their reviews are amazing but their "top 10" lists are lacking. Their search: https://www.notebookcheck.net/Search.8222.0.html is marginally better, but in general, they're for researching specific models, not finding models, imo.

Edit to add: The other thing is that for their percentage laptop score, you should generally subtract 80 and multiply by 10. I've never seen them review a laptop below 60% or above 92%.


My partner bought a razer 13 inch to replace a MacBook Air. It wasn’t cheap, the build quality is excellent and it handles everything (she’s in an orchestra and records her parts on it, does graphic design and sometimes plays fortnite.). The screen is quite nice and the build quality is better than my system 76 (onyx pro) which I really like too.

Dave2d on YouTube gives pretty short and decent laptop reviews. I think he has a discord channel discussing the machines too


My 2017 razer stealth 13" has rather questionable build quality.

* Once a month or so, the touchscreen flips out and starts registering dozens of random finger taps per second. There are tons of complaints on the internet, but Razer never acknowledged it as a known issue.

* One of the long rubber pads on the bottom fell off after about a year and a half.

* The USB-C power cord's insulation was frayed from day one.

* When running Linux, the kernel continuously reports "correctable" pci-e errors, indicating a signal integrity issue. I had to turn down the verbosity of the messages to keep from spamming the journal.

* When running Linux, a monitor connected via HDMI has random "snow" noise. When playing any sound through the builtin speakers, the monitor blacks out every 10 seconds or so. Plugging in headphones "fixes" it.

* The bios' ACPI implementation is buggy and doesn't properly report whether the lid is open or closed. As a result, the laptop sometimes fails to go to sleep when I close it, and sometimes fails to wake up when I open it. It works most of the time but not always in windows, and linux got into a perpetual sleep-wakeup-sleep loop until I found the right workaround.

* A plugable brand thunderbolt dock "glitches" every 10-20 seconds when typing on a USB3 keyboard. Plugable claims it's due to buggy Intel firmware in the laptop. To be fair, a different brand of dock works fine, though.


Many of the signal issues can be caused by a faulty or low quality power supply. It took me a good half year until I finally figured out why my Thinkpad touchpad and screen were acting up similar to your description. Turned out that my 65W power supply from Amazon was causing all the issues.


I never bought a Razer product because every time I'm looking at one I see negative reviews about their reliability.

It boggles my mind how they can be so successful.


Probably in people's minds there is nothing better.


Manjaro GNOME on any of the Thinkpad models.

I switched away from Macbook Pro about a year ago, after using Apple hardware for about a decade.

It's working great, GNOME interface is solid and productive, Manjaro and AUR libraries just work. Highly recommend making the move, sooner the better as I'm sure you see the writing on the wall.


My Huawei Matebook Pro has been everything I wanted in a Mac, in a way I couldn't get from Apple.

Pros that Macbooks don't have: USB-A (along with USB-C), no touch bar, 3:2 screen, can enable secure boot if I choose so feel like I'll be able to run whatever I want on it, replaceable SSD, etc.

Pros that Macbooks also have: still has a great build quality, full day battery

Cons that both have: Non replaceable RAM


I can second this, I'm on the Matebook 14 2020 with the Ryzen 7 I think rather than the Pro. But after a dreadful run of luck with the XPS15, the Matebook (so far) is an amazing bit of kit for almost half the price.

It feels like if they play the next iteration right Huawei could blow most of the top end out the water, there's so little choice at the top end and they all seem riddled with build quality, hardware or software issues.

I'm glad I took the risk on the Huawei and I don't really regard the Chinese spying moral panic as an issue. If they want to spy on you I'm sure there's far easier ways online than trying to backdoor a highly scrutinised laptop.


My huawei matebook pro is the best laptop I've ever owned.

The only downside is that I have Windows 10 on it, and considering Microsoft actively destroys user data and has for 15+ years as company policy...I won't use it for serious work, only entertainment. :(

User state is also a time investment, so rebooting and destroying this is not ok even if all files by some stroke of luck were saved first


Are you not worried about your data going to China? Huawei looks indeed great, but I would never use it. Maybe if there was a way to replace components with ones from a legitimate source like Mouser or Digikey, to ensure there is no spying going on.


I think a firmware- or hardware-level exfiltration system that works anywhere would be valuable enough that they are not likely to burn it by putting it in systems sold widely to consumers, where it would only be a matter of time before it was detected. Unless monocasa is someone fairly important, that is!


> 3:2 screen

I'm sold on the screen alone. Thank you!


Over the generations, I have had three Macbooks, four Vaios, a ThinkPad, a HP, multiple ASUS and Huawei. Most of the devices I have killed by travel: dust infiltration, vibrated the BGA chips off the boards by motorbike vibrations..

My requirements have all been fulfilled with the Huawei MateBook X Pro.

You could say it's heavily inspired by the MacBook. Aluminum case. Chiclet keyboard with decent travel. 2000x3000 display (2:3 ratio!). Awesome trackpad. Good battery life. Portable. Solid. 2x USB-C and 1x USB-A. Sustained multiple drops.

For context, I am able to pull solid 12-hour days on the device, without a mouse, without fatigue or frustration.

Cheaper than a MacBook. Might be worth a look.


But then you have to buy a Huawei ...

Not the best idea security and privacy wise.


I was skeptical initially. The laptop has been dissected and scrutinized by multiple people with nothing suspect discovered. On the other hand - which brand is safe? Thinkpad has installed rootkits multiple times. Until there's proof otherwise, I think it's worth withholding preconceived ideas.

In any case, everyone has their own level of comfort, and that's important.


Are you talking about the Superfish vulnerability? It's never affected the business class Thinkpad lines [1], but it has affected a lot of the other laptops that Lenovo has shipped.

[1]: https://support.lenovo.com/us/en/product_security/ps500035-s...


Assuming you were going for a 15" Macbook Pro for $2399

Recommendations for linux laptops (or checkout https://linuxpreloaded.com/ ):

* Tuxedo https://www.tuxedocomputers.com

~$1000, 1.5kg. Their 15", 1080p flagship is configurable with AMD Ryzen 7 4700U, 32GB RAM, 500GB M.2

They also have more expensive versions with 4K OLED displays if that's what you're into. Also 13".

* KDE Slimbook https://slimbook.es/en/store/slimbook-kde/kde-slimbook-15-co...

~$1200, 1.5kg, 15", 1080p, AMD Ryzen 4800H, 32GB RAM, 500GB NVMe

* System76 https://system76.com/laptops/gaze15/configure

~$1350, 2.2kg, 15", 1080p, i7-10750H, 32GB DDR4, 500GB NVMe

* Purism http://shop.puri.sm/shop/librem-15

They're trying to become an open-source Apple --> high prices, own Linux distro, trying to make their own ecosystem, etc.

~$2000, 1.8kg, 15", 4K, Core i7 7500U (Kaby Lake), 32GB RAM, 500GB NVMe


> keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

Those are laptops with numeric keypads, the trackpad is still centred relative to the "main area" of the keyboard (the home row and in particular the rest keys - the two keys with a little bump, F and J on a QWERTY) but it is off-centre relative to the body of the laptop due to the presence of the keypad.

Macs don't have numpads so if you've always used Macs it's understandable that you're not familiar with this type of layout.

In any case that type of placement makes no difference while you are using the laptop, because keys and touchpad are still where they are supposed to be relative to each other.


A lot of laptops, Dell for example, offset the touch pad to the left even though there is no keypad. You might be right that these are technically centered on the q to p span of the keyboard.

https://upload.wikimedia.org/wikipedia/commons/thumb/b/b4/De...

https://i.pcmag.com/imagery/reviews/05RhNkV9HnULG0LW4YRfKzZ-...

https://www.tec-int.com/media/catalog/product/cache/2/image/...


Good eye! I had never noticed those before. Yes, I think those are centred to J and F. On the Macbook Pro I'm using right now, if you look carefully, the touchpad is centred relative to the body but it is slightly off centre relative to the home row.


I use my laptop on my lap, and usually when I sit with my hands folded in my lap, my hands fall along the center axis of my body. We are bilaterally symmetrical beings (with some internal asymmetries).

So either I scoot the laptop off-axis or I have to move my hands off-axis to type.

I'm unsure how this isn't unergonomic. It's not something to get used to. It's bad design. Period.


If you're using a laptop on your lap you've already given away any chance of ergonomic comfort.


Yes this has always annoyed me; having it centred under the keyboard makes no sense except in some weird universe where everybody uses only their thumbs to operate the trackpad. Trackpad alignment was one of the major causes of my RSI due to the horrible bend in the wrist it causes.

I haven't used a Mac in years but the one thing they always nailed was the trackpad. It's big and actually centred on the laptop body.


I think it depends on how much you type. If you type most of the time, your hands will tend to stay centred on the keyboard. Of course this is highly variable based on so many factors...


Yes this is true, I see your point, with a laptop on your lap, in order to balance its weight optimally, you need to centre it relative to its mass, not relative to the hands rest position (F and J keys) so then when you have to type you need to move your hands sideways and it's not very ergonomic.


But you want to align the keyboard and the touchpad with the vertical axis of your body so you end up with 2/3 of the screen to your right. That's why I'm advocating no number pads on laptops.


I’d rather align myself with the screen, otherwise I’m mostly constantly looking towards a slight right, which is a terrible twist for the spine.

It’s much easier and more comfortable to adjust my hands over a slightly offset keyboard.


Is this what you're actually doing?

I gave it a try for one minute when I unpacked my new laptop in 2014 and I immediately shifted it to the right: typing as you suggest was terrible for wrists, shoulders and probably the spine.

My workaround: I move the windows I work more often (eg: the editor) to the left part of the screen.

To be fair: there is no way to fix an ergonomically broken design. There are only mitigations and those are probably subjective: everybody is a little different and muscles/skeletons/etc can accommodate different twists.


Get a Thinkpad, P-series, lots of options. Run Fedora on it. Great machines, great keyboard, 4K screens, good color, good battery life, lightweight. Everything works. Mac-level price, and worth it.


I would like to get a Thinkpad, but I'm not sure Lenovo can be trusted any more than Apple can, especially since Apple at least pretends to care about customer security.

https://slate.com/technology/2015/02/lenovo-superfish-scanda...


Lenovo is junk for anything but business class laptops. That's the Thinkpads X, P, W and T. The rest is the disposable, unrepairable, bloated junk you'd expect from consumer level products.


"Disposable, unrepairable, bloated junk" describes pretty much all non-business laptops these days. I don't think Lenovo is special (and the Yoga often reviews as "good for the price")


Seems like I have been working for four years now on my junk Lenovo Yoga 13 under Manjaro and didn't realize that.


Don’t feel bad, Lenovo intentionally blurs the line by calling everything a thinkpad. But they’re not all the same.


I work with thousands of their business class Thinkpads and they are also junk. They seem made for corporations to just churn through. I see hardware/BIOS bugs that carry through generations.


Could be. I stopped at the 2011 and 2013 variants. Still powerful enough for me, cheap to repair, and the intel me can be entirely erased/corebooted. I don’t know about the more recent business class TP.


Well, if you immediately overwrite the hard drive of the machine with some Linux variant (as I think the GP implied), I think it will solve a lot of problems like this from any manufacturer.


No it doesn’t. If memory serves, Lenovo rootkits have been in the UEFI firmware which auto-install hooks into the OS after boot.

Linux is not magically immune to this attack. One could argue it is more susceptible than other OS due to lack of binary signature checks on executables at runtime (at least by default).


That would be a worry. At least the people using Apple care and tell you. And observe them very closely.


How is 4K support and fractional scaling? Does it work well?


In my experience, fractional scaling and 4k support is finally fine on at least whatever GNOME and Wayland Ubuntu 20.04 ships with, with two major caveats:

* Chromium-based applications (the browser and Electron apps like VS Code) still don't know how to render themselves with fractional scaling and end up ever so slightly blurry (but correctly sized) on fractionally scaled displays. Think like very old applications (like Control Panel) on Windows 10. I use Firefox so it doesn't bother me that much. There's an issue in the Chromium bug tracker following this, but I can't find it right now.

* Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.


> Chromium-based applications (the browser and Electron apps like VS Code)

This is most likely because they don't support Wayland. The scaling with XWayland doesn't really work great a lot of the time.

I don't use scaling for my 4K monitor, and just set text sizes larger. It feels a bit weird for a while but eventually it's actually quite a nice balance where the content is relatively larger vs. the chrome.


> * Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.

Chrome has experimental Pipewire support; enable it in here: chrome://flags/#enable-webrtc-pipewire-capturer

Firefox (at least on Fedora) has enabled it out of the box.


Cool, I don’t use chrome or VSCode or chromium apps. And no ms teams or google meet either. Sounds like limitations I could live with.


Not OP here. Using Gnome on Manjaro with Wayland. Fractional scaling works very well on an external 4K monitor and with the internal HiDPI display.

Electron apps are blurry, tracking https://github.com/electron/electron/issues/10915


Good battery life? You must be joking. Less than 4 hours of light usage on X1 Carbon Gen 8. No hibernation.


Aren’t those all huge?


P1 Gen 3 is 0.72" x 14.24" x 9.67", compared to the 2019 15" MBP which is 0.61" x 13.75" x 9.48". Slightly larger? Sure, but I wouldn't call it "huge" if the 15" MBP is what you're used to. It's only 0.11" thicker than the MBP and half an inch longer. (And it weighs less.)


If you think so, then I recommend you get an X-series instead.


I have a 15" MacBook Pro and I like it just fine.


> edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer.

I would agree on designer.

Absolutely not on developer or researcher.

Actually, macOS is, for the reasons you mentioned, incredibly developer-unfriendly (unless your target is, of course, the iOS ecosystem).

And for research there is no better platform than Linux. Unless you are into clicky-colorful frontend applications, where I would doubt you are doing serious research.


>Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.

It seems the iPhone 12 is already rejecting non-original parts, even if the part comes from another iPhone 12: https://news.ycombinator.com/item?id=24924761


Try metabox. (https://www.metabox.com.au/). They have a wide range of laptops at various specs and prices and form factors and whatever else. A lot of the guys at work have started to switch to them and they feel nice to hold and fondle.

I'm currently in the same boat as you and my next machine will be from these guys when my (admittedly very new) Macbook Pro gives up or gets taken over by Apple.


It's hard to say who is now Apple's target audience. It seems like their products are ideal for people who don't know much about IT and just want to watch a video or edit their holiday photos and maybe create a CV and will probably never go beyond that. Other people still enjoy Macs from 2012, but things are moving on when you look at desktop PC and what you can do. Apple looks more and more dumbed down.


It's like being trapped in a beautiful plastic cage. I used a MacBook Air (2012) for years as my primary development machine and really loved a lot about it, and it had some fantastic apps in the environment like QuickSilver, especially since it just worked compared to some of the Linux distros I had before that. But I'm glad I jumped ship when mine went obsolete.


>> It's like being trapped in a beautiful plastic cage.

To be fair, it's like being trapped in a silver gray aluminum cage with uniform body and irreplaceable bars. I wish more companies would make a PC laptop that doesn't suck aesthetically. Even when they use aluminum, most PC manufacturers don't spend much time on designing a good keyboard (arrow keys not having the same shape comes to mind.)


The feel of the keyboard is far, far more important to me than the look. Lenovo Thinkpads (business class, not the consumer ones chasing after the foolish "thin" trend) are the only ones that have a reasonable shape and response. This includes Apple, which tends to be one of the worst offenders in the feel of a keyboard. I want to have some amount of vertical movement to the keys, not to jam my fingers into a hard surface repeatedly.


I understand people doing live music with it. Think about what would happen if Windows forces you to update during your performance^^

Graphic designers because of the nice display...

Otherwise I don't get it. I think for most other people it's a status symbol ;)

I especially don't understand why IT affine people buy it. Just buy DELL, HP, Lenovo, Alienware and install linux. Gives you more bang for the buck...


Very small audience, but people with bad vision do enjoy the good displays on their machines and the GREAT built-in zoom in OSX. Zoom in Windows is a joke.

Unfortunately Linux isn't really an option just yet for a lot of us.


I really like my surface book. They are priced like MacBook pros (and spec'd like them too). The track pad is great, the pen input and detachable screen come in handy more than I'd have guessed when I first switched.

Apple has a pretty broad utility patent around their trackpads, which requires other manufacturers to work around what would seem like pretty obvious things.

PDF: http://assets.sbnation.com/assets/2017767/USD674382S1.pdf


Are there no other suggestions beyond the 2012 MBP?

I use Arch Linux on a Lenovo Thinkpad T580, and I'm really happy with it, but I'm not sure about the colour accuracy of the screen. I doubt it's as good as you find on an Apple.

I, for one, am really interested in a good, high quality alternative to Apple laptop hardware that meets the parent's criteria.


I just got an eluktronics. Basically barebones powered up systems. I got one running windows but that's only because I need the ableton software.


I agree with you that Apple is doing way too much to restrict users. But I also agree with Craig in that I don't see how Apple silicon is useful for them in helping to restrict users.


It is useful as a justification. Not from a technical point of view, but just to support the pathway they have planned and the story around it.


How is it useful as a justification? I don't see how forced signature verification can be more easily justified on a M1 Mac than on an Intel Mac.


Yet mandatory signing of binaries is enabled on the ARM build.

It is basically a milestone; since new binaries are needed, they might as well be signed.


Dell XPS have an option for a fantastic 4K screen. After calibration it's better than the Retina screen on my 2013 MBP.


I don't know why they don't use a 2560x1440 for the 13" model


I have the 4K version. You can’t use it, you have to downscale to 1440p because you get lag at 4K. They released a 4K laptop that isn’t powerful enough to run at 4K.


I don't have any problems with the video. Are you trying to game on it?

Laptops and gaming is a terrible combination because of the thermals.


X1 Yoga 4 is what I went with recently when my 2016 macbook pro died for the 4th time since owning it.

It's very similar to the X1 Carbon but converts to a tablet and it has an aluminum body.

I can't say I'm out of the apple ecosystem entirely, but I decided to spend my money elsewhere given the abysmal quality of the macbook pro line these days.


Thinkpads. Lenovo is far from perfect, but they have been good stewards of the brand.


I like Lenovo ThinkPads and even IdeaPads (I own one for personal use) but I do hesitate dealing with potential Chinese spyware from the factory for work uses.


I’d suggest using a Mac until it doesn’t actually work. Then you can find a new computer to compromise with.


Owning a Lenovo X1 Carbon 7th gen, 2019, 4K screen, 16GB RAM. Extremely impressed with the hardware, running Linux Mint and going to move to Manjaro. Initially I tried Pop!_OS but they removed from Gnome the intermediate scaling (1.5X) of the UI, just like in macOS you have Display - Scaled options. I really like the per monitor setting which you don't have in Linux (or I didn't research enough); e.g. More Space on the main display (external 4K monitor) and Larger Text on the MacBook screen. I'm also jumping ship due to the worst experience I had in 25 years dealing with technology: 1 month to replace a swollen battery with a 3rd party repair service. Apple now throws all these "complex" hardware issues to 3rd parties since their employees are pressuring them not to execute hazardous repairs in their own "centers"


Their SSL certificate revocation server (the default for macOS) goes down and you try to tie it to Apple Silicon being created to lock-in users? I understand the feelings people have about this but today's failure seems orthogonal.


It's just one of many recent actions that they've taken that have made people wary. The changes to app signing in recent OS X versions was another example of this


Huawei Matebook X Pro. A friend has one, 2019 model. Runs Ubuntu on it.

Trackpad is as good as it gets outside Apple, I'd say.

The display looks gorgeous. Can't say about color accuracy/fidelity though.


Re colour accuracy, check out Thinkpads, they even come with a colour calibration sensor so you can have them autocalibrate daily/weekly or whatever suits you.


> Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

Clearly there's no need to jump ship if it's more expensive on the other side.


Do you _really_ need a laptop? That's my solution to the problem of no good Linux laptops. I've got a desktop at home now, and when I go back to the office, I'll pick up a mini desktop. I'll keep an old MacBook in a drawer if I need to take it into a meeting. When I used laptops only, they were just plugged into a monitor/keyboard/mouse at all times anyway.


What would make a good linux laptop for you?


One that reliably goes to sleep when I close the lid and then wakes up again when I open the lid.

Wifi that works... Audio that works... Plugging in and out external monitors that work... Netflix/Youtube in HD without burning the cpu and draining all battery

Basic hygiene essentially.

I use linux on a laptop every day for the past years and have tried Dell, HP, Lenovo, Asus, Ubuntu, Arch, Mint. Lately things are working, but only most of the time, never really really 100% as a Windows/OSX machine does. You always have to live with those 1/20 times sleep did not wake up or oh time to reinstall pulseaudio again for microphone to work.


We need new touchpad drivers (which are in the works) and screen resolutions that work at either 1x or 2x, not something in between.


> their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

Buy something without a number pad. Unfortunately most 15" laptops do have one.

If anybody from HP is reading this, I'll pay extra for a keyboard without number pad on your 15" ZBooks with 3 buttons on the touchpad. Space bar and touchpad aligned with the center of the screen please.


>it's off-center in a lot of cases! How weird is that

It is off center if they have a number pad to the right of the normal keyboard layout. At first glance it looks weird, but it is 100% what you would want if you were using the laptop. Otherwise the trackpad would end up being right over where your right wrist is.


> I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad

Sounds like you might want a Microsoft surface (or surface book).

Not sure about the TouchPad - but at least there's a pen for drawing on the screen.


I came across this some time ago. I don't have any personal experience with their laptops but they seem promising.

https://starlabs.systems/pages/laptops


I just gotta say that I don’t think it’s clear where they are going. You are of course free to do however you like. And if you are leaving because of what they already have done, that’s reasonable, but if you are leaving because of what you are guessing that they might do tomorrow, is that really wise? I mean even with the ARM switch won’t it be as easy to switch to win/linux intel after a year if you are not satisfied?

I don’t like the boot thing either, and it’s a bit scary not being on intel as everyone else is right now, but I also think ARM feels really interesting and it might turn out to be a great new platform!

Edit: I mean it is not like they never listen, they did take back the Mac Pro, they did fix the keyboards, you have CLI tools to make a lot of changes in how macOS works, etc. Of course I would like hundreds of things to be different, but I believe that is true of all platforms.


2012 Macbook Pro. Get the highest-spec Magsafe laptop you can find.


I second this. Catalina runs great on my 15" mid-2015 16GB/1TB, and it even runs shockingly well (bootstrapped) on my (unsupported) 13" mid-2009 8GB/512GB.

The 2009-2015 era of Macbooks are, not were, truly phenomenal machines.


Ugh i actually considered buying a 2015 mbp to replace my 2016 when it died for the last time THIS YEAR


What does bootstrapped mean? I’m surprised with Catalina running well on a 2009 MacBook. I felt it was slow on a Mac Mini 2014 where it is supported and went down one version.


The Dell XPS line is my recommendation. But it’s not that much cheaper than the Mac equivalents


You can disable this behaviour by listing terminal under Dev tools, and launching from there.


My ASUS Zenbook has been solid ! But the macs are definitely prettier.


System76 may be good


I have one. It's not the finest quality hardware (rebranded Clevo I'm told) but it's lasted and the OS has been trouble free. I'd get another.

The onyx pro model, it’s not great on battery when using the nvidia graphics but it can play 3D games via steam.

I do kinda like the Pop!_OS Linux distro.


Buy an Intel Macbook Pro and boot Linux.


Then you don't get to use what is probably the biggest selling point of MBPs, their patented touchpad and gestures.


The only tool in that video you linked to is that dishonest cheerleader Gruber.


I don't think there's a one-size-fits-all solution without something custom and extremely expensive ($15k+). Maybe a Lenovo T480 for most purposes and a dedicated second screen for color correctness? I had a Dell Studio XPS 1645 with an RGBLED screen with an insane gamut. It begs the question: why aren't such screens widely available?


What about getting a T480 and replacing the screen itself? You can find a decent one for ~$400 USD, and a 1080p or WQHD screen for another $100.

As for screen availability, I think it's more to do with the fact that these are business computers. Lenovo only recently started blurring the line between their premium and business class devices.

I think every post-Haswell ThinkPad comes with a 720p screen in its default configuration. At least up until the Tx90/5 series.


Wow so many words to just say “this product isn’t for me”


I think you should stick to Apple, frankly. Every time Apple comes up with something new (or just a new software release), people come out of their sheds to warn about all the bad things that will happen.

And then almost none of those bad things happen. I've witnessed this dozens of times now, so a safe interpretation would be to assume that this time none of those things happen.


Except bad things did happen. Like their capricious application of Appstore “guidelines”; the increasing difficulty of running software on Mac where the developer won’t pay Apple a tithe; the drop in Linux support for the platform, as they locked it down more and more at hardware level; the imposition of their authentication and payment portals (and hence 30% taxes all around) on web apps... etc etc etc.

We have been effectively boiled like obedient frogs.

I love macOS but my next laptop won’t be a mac and my next phone won’t be an iPhone. Divesting from the ecosystem will be painful but we’re well past any grace period at this point.


"I love macOS but my next laptop won't be a mac and my next phone won't be an iPhone. Divesting from the ecosystem will be painful but we're well past any grace period at this point."

same here. I hope this will lead to a leap in quality in alternative mobile & desktop OSes, because at the moment the situation looks pretty bad.


I have not experienced any difficulties in installing or running apps from outside the Mac app store (if that’s what you mean by paying Apple a tithe).


First they restricted execution of unsigned binaries unless you run in a substantially-unprotected mode: https://github.molgen.mpg.de/pages/bs/macOSnotes/mac/mac_pro...

Then they disabled execution of all unsigned binaries. To run on a default Mac, you either pay Apple or compile on the user's own machine which is obviously unsustainable. https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-...

They've also removed any 32bit support, in case you could make do with old programs that don't make Apple some money.

I'm still on Mojave and will not upgrade. Personally, my last MBP was bought in 2016 and I have no intention of getting another one as long as they continue exploiting developers and the public in this way.


> To run on a default Mac, you either pay Apple or compile on the user's own machine

This is not true. Apple silicon runs code with any signature, even an ad-hoc one.


What exactly do you mean ad-hoc? Can my friend without an apple account compile an executable with GCC send it to me and I can run it on my new Apple Macbook?


Not running 32-bit code anymore did definitely happen


It was rumored for like a decade. The last 32-bit computers were sold in something like 2007-2008? High Sierra started throwing warnings when you launched 32-bit apps. In 2018, they announced Mojave would be the last version to support them. Mojave just got an update yesterday and will likely get updates for at least another year. So nobody has been forced out yet.

I'm aware end users with discontinued software were forced into some no-win choices. But as an ecosystem, it's one example where this happened and was given a ~15 year possible window and an explicit 4 year window to transition.


And it couldn't have happened sooner.

Do you want to be burdened with layers of backwards compatibility and end up like POSIX or Autoconf with provisions for things that once ran on some long forgotten UNIX OS version?


32-bit support certainly isn't going to bury you in backwards compatibility. It just runs.


Just runs with 2 versions of the same library (32/64), and with older programs that can't take advantage of 64bit ABI / arch changes...


I started panicking mildly thinking my drive was failing or something.

And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.


Same. Panic attack. Thought the SSD was dying. I ran Disk Utility diagnostics and started coming up with plans to reformat and restore as a last resort.

Apple folks in this thread, this was terrible


I genuinely thought the same thing. I opened my MBP and it was sluggish, felt like it was dead. Browser wouldn't load, Zoom wouldn't load, I rebooted and the same problems persisted. I honestly thought the hardware was giving out.

I almost cannot believe the actual cause. Absolutely awful experience.


Incredible I had the exact same thing. 2019 MB pro I bought for music production and ableton started to lag incredibly badly and the whole desktop was unresponsive. I started to search my email to see what warranty I had.


My condolences friend. Next time, be more lazy :)


> macOS is my favorite OS, but the shit I put up with...

Idk, the several Linux distros I’ve used recently, and Windows, have a much longer list of “shit _I_ put up with”


The thing you get with Linux is "more _predictable_ shit to deal with", not "less shit to deal with", no large capable desktop OS is perfect and never will be.

Anxiety from what Apple's agenda will do to your computer next update? anxiety from if a 1hr windows update is awaiting you when you turn your pc on? ... Linux awaits.


Linux awaits and then when it comes it borks WLAN driver, because canonical decided to replace a perfectly working one with WIP FOSS alternative, forcing users to switch to cable LAN until it reached feature parity.

Linux awaits and then when it comes it borks the AMD driver, because AMD decided not to support older cards on the new FOSS driver, and the old perfectly working driver is not compatible with modern kernels, driver ABI be damned.

Linux awaits and then when it comes it breaks hard disk encryption forcing a full install, and feeling lucky that I actually backup /home regularly.

Linux awaits and then when it comes half of the stuff doesn't work in Wayland.

Eventually I rather just deal with macOS, Windows, Android and leave Linux just for the kernel itself.


I haven't had to deal with any of that, but I've had Windows straight up refuse to boot multiple times and the only fix I found was to reinstall. I've now had to advise multiple people who couldn't turn on their WiFi in Windows (the switch just did nothing). I also couldn't fix that without a reinstall (not for a lack of trying). My family iMac refuses to import photos from an iPhone into Photos, failing the transfer silently. I have no idea how I'd even go about fixing that besides calling Apple and forcing them to fix it.

No man gets to deal with all of the possible computer problems, thankfully. But in my experience, most Linux problems have been fixable and I managed to fix them, while more closed OSs have left me stumped many times. I no longer believe that a computer can work without problems, so my priority is making sure that when problems appear, I can diagnose them and fix them easily.


Windows sometimes has these artificial problems, purely as a market share play. Hell, I'm still a bit angry at them because of what they did to DR-DOS with the Win 3.1 Beta. I was working in a small computer shop and we were blindly recommending MS-DOS as we were sure DR-DOS had compatibility problems. The tracking, the constant nagging, the silly software signing shenanigans...

So I agree, Linux problems are usually much more fixable.


You can see debug logging about photo import in Console.app. When I do it, it takes forever but eventually works.


Thanks, I already tried that. It does give an (easily missed) error from the underlying library there, but it's just some number that some other people are also complaining about on support forums.

If you have any other insights, I'd be happy to hear them. We have a workaround, but it'd be nice to get imports working again.


To each their own I guess, but in 20+ years of using Linux I've never had any of those issues. Maybe it's because I'm cheap and I run it on older laptops.

As for Windows... really no issues there other than forced errors of whatever absurd company policies are in place that cause software I don't want or need being forced on my machine.


Well, that's why I use NixOS, where I can easily roll back select programs or even my entire system if some upgrade goes wrong.


Hell no. I work with RHEL every day, and while I'm by no means an expert, I would say I'm reasonably proficient with Linux.

Every time I've tried using Linux on the desktop, it's worked just fine until I tried to update something. Sooner or later, there's some broken patch or some incompatible thing here or there that breaks my window manager and throws me to the command line, ruins my network settings, overwrites my boot config or some other maddening mess. Linux works brilliantly, AS LONG AS YOU NEVER TOUCH ANYTHING.


That's true in most Linux distros, I've been there, even with the most robust ones (like Debian). But then I found Manjaro, with a semi-rolling update system, that is a perfect balance between recent version updates and rock-solid stability.


I've been using Linux as my primary OS since 2008

Today my mouse and keyboard were acting as if they weren't plugged in. Just no power, no reason, no change. A reboot fixed it for now.

The thing that's changed recently is that I had to update the kernel to support my audio interface.. which was also a pain in the tits

The only relevant search results are StackOverflow spam talking about a version 10 years old

Linux awaits


Well, you're using the wrong distributions then. Use something stodgy but solid like stable Debian or a recent but not bleeding-edge version of Mint and you should not have all too many things on your shit list. It won't be empty - printing will still trip you up every now and then, just like it does everywhere else, to give an example - but it will mostly 'just work' unless you're trying to install it on truly exotic (as in "released this week") hardware. The overall facepalm experience will be comparable to that on Mac OS, better than that on Windows. Add to that the fact that it is free in every sense of the word, as well as the glaring and welcome absence of draconic "features" like the one discussed in this thread, and those Linux distributions will start to look very tempting.


Debian has abysmal hardware support (well, GPUs mostly). They need to do something about their kernels; my RX5700XT is miles ahead with the current kernel compared to whatever Debian 10 ships.


Debian's default position is to only ship "free software" (OSS, libre, etc).

It is my understanding that a lot of modern cutting-edge GPUs ship with non-OSS binary blobs, which goes against Debian's core principles.

Unfortunately, it means that Debian has poor support for hardware vendors that mandate these binary blobs.


Neither AMD graphics nor Intel integrated graphics require a blob. nVidia is the only one of the big three that requires a blob for full performance.


AMD graphics require a firmware blob for all modern cards [0]. It used to be that the firmware was only needed for 3D acceleration and you could run X/text mode without the blob just fine, but that hasn't been true for years (I think since HD6000 series in 2010).

[0] https://packages.debian.org/buster/firmware-amd-graphics


My GPU works fine on newer kernels. It's not about blobs, Debian is just slow.


Debian stable is meant for servers, use unstable (it's quite stable!) or stable-backports if you want a recent kernel.


Can you really think of a single thing worse than this?


My Lenovo Windows laptop came installed with malware that MITMed all my https connections and also allowed anyone else to MITM all my https connections.

https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci...


That's terrible, but it's not the fault of the OS vendor; presumably such malware could be distributed with any OS.


Ironically, it couldn't be with macOS, which this whole thread is about avoiding.


It certainly could if Apple wanted to do the same thing that Lenovo did.


Would MacOS actually have prevented it? Would Superfish just have simply signed the binary? Sure it wouldn't have started up when the Apple servers are down, but that's a very small percent of the time.


Computer failing to turn on because a buggy, mandatory update has broken a driver or replaced it with a non-functional one.


Fair enough, but that's not a typical experience on either Windows or Linux in this decade - if that's happened to you, then I think you've just been incredibly unlucky.


On the other hand I was gifted a 2015 MacBook Pro 15 and I can't run away screaming fast enough from it. I know people rave about the touch pad, but when I use it I find apps get minimized, or don't launch, or some other weird gesture-caused behavior. I guarantee that this is classic PEBKAC. The other day a family member with a MacBook Pro asked me to assist them with Safari, which on launch wouldn't appear. I was able to get it to appear by using the Finder or something which allowed me to pin/size Safari to one side of the screen, but on appearing the window simply displayed a single pixel frame with a black interior. I killed the process and launched it again, but it did the same thing. I told them they would have more success with Google than me. I have never had those experiences with Windows. Yes I've had other lame experiences, but I can always solve them, or at least find a solution online. Again probably PEBKAC so no fan boy retorts please. In the end all programs and operating systems suck.


I have to say I also don't understand all the fanfare for the MBP trackpad. I have a 13" 2016 MBP, and I actively dislike the trackpad. You need to use far too much pressure to "click" (even with the resistance at the lowest setting), and there is something "off" about the mouse pointer tracking - I can't figure out what it is, like if it feels too smooth, too jerky, I don't know, but it feels wrong somehow.

Oh, I do like the gesture support, though even Windows 10 supports gestures nowadays.


I think you can enable tap to click


I’m personally quite a big fan of the trackpad and gestures but I understand that they take some getting used to. If they are causing you frustration then you can turn them off under system preferences > trackpad in the “scroll and zoom” and “more gestures” sections. I’d recommend keeping most of the scroll ones and disabling most of the others, then one by one turning on any of the ones you think would be most useful as you get more used to them.

As for the Safari issue, I have no idea off the top of my head.


Disagree with Linux. I make an LVM snapshot before making any attempts to upgrade the graphics driver. It's a disaster. And don't say proprietary code, that's beside the point. Windows runs drivers in a way that one that crashes can be restarted without bringing down the kernel or the whole system.


FYI I've had the issue you describe half a dozen times with CentOS but literally never with Arch Linux (on both machines with similar nVidia cards, using the proprietary driver). In general I'm pretty impressed with Arch's package quality, I seldom encounter any issue and when I do it's patched very quickly.


I tried Arch Linux in a dual boot scenario on this System76 laptop and I don't recall why I switched back... I think it's because I tried to upgrade the graphics driver and got into state where I couldn't get X to run at all.

A co-worker keeps telling me to try Manjaro. I'm just not sure if I want to spend a weekend reinstalling all the stuff I use.


Very true. I used Ubuntu and Fedora for a while, but when I switched to Arch, I never went back. Arch is described as bleeding edge, but another way to put it is that it always has the latest software, which is what a dev machine should be. My experience installing the Nvidia driver in Ubuntu was a nightmare. I tried the official repo and failed, then tried different PPAs and failed again and again. At last, I found that I had an older kernel version and needed to compile a latest kernel which is not in the official Ubuntu repo. I gave up at this point because I don't want to compile a kernel every time I need to upgrade. With Arch, you always get the latest kernel and you won't usually be missing features from using an old LTS kernel.


My Windows box has crashed over a dozen times in the past few years because of GPU driver issues with Nvidia and AMD.


Nope, there have been a few issues with BSOD that have impacted quite a lot of people. The latest one was with nvidia drivers being old that caused BSOD after update.

In a previous company the IT dept had to revert an update forced by MS manually on each machine by "hacking" and deleting and replacing files, as it was causing BSODs.


It happens with forced win10 updates.


It happened to me with pretty much every other forced Windows update, from broken graphics drivers to a non-functional start menu.

I just replaced that pos with a mac mini....

I use CentOS 7 for my daily driver; it'll get 8 on the next hardware upgrade. Touch wood, not a single problem with that for years now, and amd5000/nv3000 are looking very tasty.


Albeit rarely, and with the diversity of commodity hardware out there, I would say that Microsoft has done pretty well with updates.

(P.S. I despise Windows from a technical standpoint though)


> with the diversity of commodity hardware out there, I would say that Microsoft has done pretty well with updates

This is a good point actually - with their walled garden approach, Apple has a much easier job with drivers than Windows or Linux have.

Of course, the end user may not care a jot, but it's an interesting point from a technical perspective.


It shouldn't be their business.


Happened to me with a stock install of ubuntu after an update about 9 months ago.


If by this decade you mean 2010 - 2020, I have enough Linux examples.


I presume you mean desktop Linux - I admit I haven't tried a desktop edition of Linux in this decade, so I might be off there.


Desktop Linux on an Asus laptop officially sold with Ubuntu on it.


I believe you must have been using Windows 7 without updates for the decade, because with Windows 10 every[1] update[2] borks the system so much that Microsoft had to pull updates. And last but not least, a big guide to fix problems caused by a forced, mandatory Windows update[3].

[1] https://www.techradar.com/in/news/microsoft-kills-off-window...

[2] https://www.techradar.com/news/dont-install-this-windows-10-...

[3] https://www.techradar.com/in/how-to/windows-10-may-2020-upda...

Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.

Apple may suck, but it still sucks less than the alternatives


> Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.

Well that's the problem with Linux distros for the desktop in general. A user upgrading to a newer version of a single system component (systemd, libdrm, X11, whatever) risks breaking the whole desktop because something else doesn't work. I'm even excluding drivers here, but again it's clear what happens when a user finds that out for themselves on Linux, if they even have the time and energy to do all that digging and googling of cryptic errors.

To save yourself the time and frustration, just keep using Windows 10 with WSL2. I don't have any reason to dual boot to a Linux desktop any more due to this.


And I believe you must not have been using Windows, and are relying too much on news of incidents affecting small numbers of people.

It is - quite clearly - a gross exaggeration that "every update borks the system".

Aside from MacOS, I use Windows 10, and have done for several years. I have the Microsoft Action Pack, which means I get multiple Windows 10 Enterprise licenses - and no forced updates.


Why wouldn't Windows update deleting the user's files be worse?


That might have happened for a small number of users, but it was an isolated incident, not a "feature" pushed to every Windows user.


That has happened for the last three years in a row.


When there's filesystem corruption on boot, Ubuntu throws you into an (initramfs) shell and tells you to fsck manually.


Is it better than a message to take it to service center?


Depends on what technical level you have, how much time you have, and what's on your storage device.


- Eternal maze of control panel that's now split into two.

- Lack of little useful apps in the $10 range. Windows seems either freeware or costly bloatware.

macOS' problem is fixable, but an OS being worse isn't something you can wait to get fixed quickly.


Perhaps the issue is, it didn't used to be like this.


Linux doesn't force you to sign your binaries or lock you out of devices you own.


> Windows, have a much longer list of “shit _I_ put up with”

Yikes. This is painfully true. Maybe Apple knows they have a ton of breathing room here.

I’ll jump through a few more hoops to continue using the machines they make. Then again all I do is edit text.


> macOS is my favorite OS, but

Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.


> The amount of weird issues is about constant.

But Linux is free both as in free beer and as in free speech; Windows requires you to pay the Microsoft tax to use it, and lastly macOS requires you to pay a premium on hardware.


That freedom of Linux comes at a cost: people aren't paid to take care of the level of detail other OSes have.

Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.

And what premium does Mac hardware have? It seems I paid what they deserved, as I can't find anything better in the market. Even more so now that the M1 is out, it seems all Windows machines carry a premium.


> That freedom of Linux comes at a cost: people aren't paid to take care of the level of detail other OSes have.

What do you mean "take care of the level of detail"?

I can download Debian right now, install it on hardware in about 10min, and get everything to work rock solid without any hitch.

I can't say the same about either Windows 10 or macOS.

In fact, I had Mojave crash and reboot more times in the last month than Ubuntu 18.04 since it was released, and Mojave is preinstalled on its own target hardware, which is supposed to be high-end, while Ubuntu is installed on a cheap laptop that cost between a third and a fourth of my Apple laptop.

What exactly do you mean by level of detail?


Maybe the desktop environment itself is fine but for third party apps I don't see $10 range nifty apps that boost productivity on Linux.

Half of the apps I use are on Linux as well but that won't get me to the productivity on macOS.


macOS I understand, but what machine do you have that Debian will work but Windows won’t?


>> That freedom of Linux comes at a cost: people aren't paid to take care of the level of detail other OSes have.

>> Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.

I've been running Fedora for 15 years and haven't had any of those pesky Linux issues for at least 8 of those years. Meanwhile, I was issued a new Windows laptop at work just last week and it sucks pretty bad. It's smooth and polished, but with all the advertising and "first one's free" preinstalled shit it feels a lot like Facebook rather than a computer. I'm glad it's me-at-work being monetized and not me at home...


> working OS without a hassle

I can't help but think you meant, "I've accepted there's no real way to salvage and diagnose my computer when it breaks so reformatting it has become second nature. I always keep an up to date Win10 install USB ready, and I even have a second hard drive that I keep all my files on."

With Macs, you have to put up with MacOS and Apple (one big premium is lack of choice). It's also not that easy to self-administrate without MDM, and software options are relatively limited if you come from either Linux or Windows.


Oh come on stop spreading the Windows 98 old stories. Windows 10 is a piece of crap spyware but it is stable.


We have >8K active Win10 workstations on our domain.

I wish you weren't wrong.


I'm a software dev, but since we're only 2 techies at work I also maintain about 40 Windows PCs, 3 Hyper-V hypervisors (with something like half a dozen Windows servers, the rest are Linuxes) and the printers.

If Windows 10 was unstable I should be swamped. But I spend more than 90% of my time on software dev.

And the machines are not new with fresh installs; I migrated them all manually from Windows 7.


They completely broke Alt-Tab in 20H2 so no, it's not.


The unspoken rule didn't change because it's Windows 10: never install a fresh release of an OS right away (I'm still on 20H1). And judging by the comments I read here it's true for MacOS too.

FWIW I switched from XP to Vista 1 or 1.5 years after its release date. It has been a great OS for me, I never had a problem with it (except that it's then they started with the bullshit telemetry).

Of course YMMV, but since late Vista stability isn't a major issue anymore.


Never reinstalled Windows unintentionally at least for the past 10 years.

> software options are relatively limited

When was the last time you used macOS? I see the options limited on Windows rather and even moreso on Linux.


If Windows is working for you "without a hassle", you must be using some version that us mortals can only dream of.


What hassle do you have these days?

Yeah, I don't use peripherals as it's only a gaming machine (I don't see other reason to use Windows) but it's working as intended for years.


I also don't get this complaint about Windows. I've had as many problems with it as with my MacBook... which is almost never.


Activation, for example. An activated and running Windows system can turn into a nagging SOB by something as simple as enabling a motherboard's Ethernet adapter in BIOS.

A level of detail I value is that none of that BS is baked into systems I use. Doesn't matter whether those who did not do so were paid for it or not.


Had this happen to me after installing a secondary SSD. Windows was deactivated, and wouldn't reactivate. I ended up having to use the Windows Restore tool before I could activate again. Having to reinstall all of your programs is never fun.


I didn’t even have to reactivate after changing my MB. I never had to reactivate an activated Windows 10 in general.


I had a new mobo break within 1 week and replaced it with the same model, and the license ended up being invalid despite the mobo being the exact same model.

I had to make a phone call since none of the methods Windows or the internet suggested worked, and that phone call literally took 30 min to reactivate my license again. That wasn't fun.


If only there was a way to get LTSC as a non-institutional customer and a way to activate it.

(wink wink)


True. Linux is the best value and the best developer experience IMHO - unless you need commercial software that is Win/Mac only. Even then you can virtualize which is safer too. I can also easily get a Darcula theme OS-wide for Gnome so..


> macOS required you to pay a premium on hardware

Or just run macOS in a virtual machine


Just wait until you can only run signed binaries.

As developers and engineers, we ought to be jumping off this platform like a sinking ship. It's clear that they want to lock it down like the iPhone. Why else would they be measuring which apps are in use if they didn't want to control it?

If your argument is "compatibility research", you're missing the other warning signs.


If I do any simple math calculation in Spotlight it pegs all cores at 100%. It's easily reproducible and really annoying because I've used Spotlight as a calculator for years.


I finally think I found a fix for this, toggle off and back on the Calculator service in System Prefs > Spotlight.


My music software became completely useless on Catalina, and I was also running into issues with Spotlight so I disabled it. I downgraded (painfully) to Mojave and my system is so much speedier. Wish I could completely switch to Linux.


Yeah, but in the end, choice of OS is secondary to choice of application. I'm staying on Mojave for the foreseeable future, but I'll stay with Mac because Logic Pro is not available on any other platform. Sometimes applications are fungible, or you're lucky and your critical application is available on multiple platforms, but sometimes there are only certain applications that can do what you want. I run a MacOS System 7 for software to edit my Yamaha VL-1. I run MacOS 9.2.8 due to hardware drivers for a Korg OasysPCI. I run MacOS 10.6.8 Snow Leopard because it is the last OS that runs Rosetta and keeps numerous PowerPC apps that never made the jump to Intel. I'll keep Mojave running when eventually I have to jump to Arm because I'm sure a lot of the software I run won't make the jump to Arm. I'd LOVE to drop any of those systems, but each exists because there are applications that do not have a replacement on modern OSes.


And that, my friend, is exactly why they bought Logic. Don't know if you were in the music game back then, but the way it played out was:

- Logic had the pole position for non-pro-tools music at the time, and sold (IIRC) for about $600

- Apple bought Logic and stated publicly "we will not discontinue it on windows"

- I think a year later, might have been two, they cancelled it on windows

- Some time later, they dropped the price, and also put out garage band, using Logic's engine.

- Logic's product roadmap (from what I've heard) became more general user friendly (can't attest to this personally though)

Basically, anything Apple owns becomes part of the plan to get you on a Mac and iEverything, secondary to whatever its original purpose is. I won't touch any music software now that doesn't run on at least 2 operating systems. Fortunately most of them now realize the importance of this.

I'd recommend looking at other options like Reaper, Cubase, or Digital Performer, all of which have been improving steadily and can run on Windows or OSX.

Personally I'm sticking on High Sierra, and doubt my next machine will be a mac. Man I'm going to miss Bash everywhere though. Sigh


> macOS is my favorite OS, but the shit I put up with...

Right there with ya.


I never have problems with the new MacOS or iOS. The trick is to just wait for the X.1 update.


This is happening to Macs running Catalina and Mojave, not just those that upgraded to Big Sur.


High Sierra it is then. ;-)


This happened to me too! What the hell.


yeah, I had spotlight thrashing my disk too. Odd.


How interesting...Apple, couldn't, be doing a pied piper, right?

/s obviously.


> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

That's another case of a product not doing its primary function - an OS running apps - because the company placed its own (data gathering) objective above it. See thermostats not turning on heat when the internet connection is down and other equally stupid examples...


See also: all electric vehicles (except a few very old designs).


Tesla is not all electric vehicles.

My Twizy and Ioniq haven't got a single touch of data gathering, nor a SIM card/wifi connectivity.


Yeah those are golf carts.


Pretty sure Apple is doing this for security reasons, not data gathering reasons.


Well, security starts with Availability.

Otherwise, my car is very secure when I never use it. Like, totally. Flying also has become very very much safer.

Edit: is/use/


Correct, I believe the main intent is to stop worms and ransomware.


Like most times in life intent is not relevant. Actions are.

Nobody cares what you intended, they care how you actually affect them.


Fair enough.

What actions on Apple's part have tangibly compromised their users' privacy?


Suuuure.


Please. It's just data gathering. Security doesn't mean giving away privacy.


I discovered this by running unbound – a DNS server – locally (to block some unwanted hosts and do DNS over TLS). I guess the rest of the story is pretty obvious; having your default DNS server not being able to resolve because you're trying to verify it – since you cannot resolve your verify hostname – is obviously Not Great. As you can imagine, there is no waiting in the world that fixes this. I couldn't kill (-9) the process either; had to reboot into safe mode, rename the binary and switch the default DNS on the network.


Currently the workaround seems to be /etc/hosts override or firewall-level blocking.

Just a small reminder that this can soon stop working: Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur - https://news.ycombinator.com/item?id=24838816


Will they prevent changing hosts file as well?


It's more likely that there will be an Apple-only private API that uses /private/etc/hosts, which already exists but is editable (for now), instead of /etc/hosts.


Note that it's ocsp.apple.com, not oSCp.apple.com.


I'm sure if the SCP Foundation gets involved in filtering our applications, they have a very good reason, like keeping Zalgo out of our reality.


I would want to see what applications foundation is hiding from us. Like a FOSS version of Windows 10


Ahh, thanks for the hint. It was a bad typo, but I can't edit my post anymore.

Edit:

Just reached out to Dang with a request to correct my typo.


Blocked both.


dns is case insensitive


OP was commenting on the order of the S and C


parent is using case to highlight a typo in the domain name, not to imply that the problem is with the case.


it's transposed, not case difference


"oSCp".ToLower() != "oCSp".ToLower()


The server is called OSCP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.

So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?

Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.


Here's a wild idea: don't block executables from running.

Or if you do, only do it for a set of known bad ones, as antivirus products do.

Do not put a cloud service (or anything for that matter) between the users and their ability to run what they want.


Sure but how does that work? If a cert-revoked app is allowed to run, the damage is already done.

I think perhaps a better tradeoff would be if a revocation list could be synced hourly or so and the app could be checked synchronously against it locally and then asynchronously on open. And of course, always give the power user an option to ignore things.


Here's an idea: log all opened binaries somewhere and then every hour or so check them against the list.

Never block me from opening something, but warn me about bad stuff on a regular basis.


They could also keep the current solution and just use a CRL as a backup to OCSP to check the revoked certificates and update it every other hour...


Yes but with your solution if an app is malicious, and did malicious things, it now has a whole hour to fuck your shit up before being disabled.


OCSP not OSCP

You can also run these commands to disable ocsp (and crl) since it can no longer be accomplished in Keychain Access → Preferences:

  # system-wide (all users); writing under /Library/Preferences needs sudo
  defaults write /Library/Preferences/com.apple.security.revocation.plist CRLStyle None
  defaults write /Library/Preferences/com.apple.security.revocation.plist OCSPStyle None
  # current user only
  defaults write com.apple.security.revocation.plist CRLStyle None
  defaults write com.apple.security.revocation.plist OCSPStyle None


That ocsp server must be compiling a huge set of stats on application usage. That doesn't sound right, privacy-wise.


It probably just gets a fingerprint, or the cert's information.

But when the endpoint is dying and it gets called every time you try to run any binary…


I thought this was an old issue that was known or resolved months ago. Is this still an ongoing security practice that kills devs on MacOS?

This is about when I remember seeing it: https://medium.com/@acecilia/apple-is-sending-a-request-to-t...


Can Apple not use security certificates to verify publishers? Why does it need to go to their servers?


The URL mentioned in sibling comments suggests this has to do with certificate revocation (OCSP): https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.


> I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

Based on the OP tweet... depending on the way it is unavailable, the failure is indeed ignored in some cases. "Denying that connection fixes it, because OCSP is a soft failure (Disconnect internet also fixes.)"

So it may be an actual unintended bug that a particular failure path results in a DoS instead?


Normally if there's no internet Gatekeeper instead checks the "stapled" notarization ticket from the notarization process. But since there is internet, and the ocsp server is technically "up" gatekeeper isn't checking the tickets.


Actually I think the problem is not that it is unavailable; heck, the /etc/hosts fix wouldn't work then. It's that it is unresponsive as hell, and they have no system-wide circuit breaker for when it is slow.


If it were unreachable then the daemon would fail fast. A slowdown on the other hand just makes requests to the daemon queue up.


I am calling an unresponsive service unavailable. I think we agree about everything else.


What’s the alternative tho?


A limited change would be to fail-open more of the time, e.g., if the OCSP server does not respond within a few milliseconds. (MacOS already fails-open in some internet scenarios.)

A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).
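
The two designs floated in this sub-thread (a locally synced CRL consulted first, and an online check that fails open after a short deadline rather than stalling every launch behind a slow responder) sketched as an added example. This is not Apple's, Gatekeeper's or trustd's code: the responder, the clock, the serial numbers, the 0.5 s deadline, the three-strikes breaker and the 60 s cooldown are all constructed for illustration.

```python
"""Added example (not Apple's code): revocation check with the network off the
critical path. Local CRL first; online check bounded by a deadline; slow or
unreachable responder is a soft failure; a circuit breaker stops re-hitting a
degraded responder on every launch. Everything here is constructed."""

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class SimulatedResponder:
    """Stand-in for an OCSP responder (constructed). latency=None: refused."""
    def __init__(self, revoked, latency, clock):
        self.revoked, self.latency, self.clock, self.calls = set(revoked), latency, clock, 0

    def query(self, serial, deadline):
        self.calls += 1
        if self.latency is None:
            raise ConnectionRefusedError("responder unreachable")   # fails fast
        if self.latency > deadline:
            self.clock.sleep(deadline)          # caller burned the whole deadline
            raise TimeoutError("responder slow")                    # fails slow
        self.clock.sleep(self.latency)
        return REVOKED if serial in self.revoked else GOOD


class RevocationChecker:
    def __init__(self, responder, local_crl, clock, deadline=0.5, trip_after=3, cooldown=60.0):
        self.responder, self.clock = responder, clock
        self.local_crl = set(local_crl)   # last synced CRL snapshot (constructed)
        self.deadline = deadline          # max seconds one launch waits on the network
        self.trip_after = trip_after      # consecutive failures before the breaker opens
        self.cooldown = cooldown          # seconds the breaker stays open
        self.failures, self.open_until = 0, 0.0

    def sync_crl(self, revoked_serials):
        """Background CRL refresh; runs off the launch path entirely."""
        self.local_crl |= set(revoked_serials)

    def check(self, serial):
        if serial in self.local_crl:                 # local, instant, works offline
            return REVOKED
        if self.clock.time() < self.open_until:      # breaker open: skip the network
            return UNKNOWN
        try:
            status = self.responder.query(serial, self.deadline)
        except (ConnectionRefusedError, TimeoutError):
            self.failures += 1
            if self.failures >= self.trip_after:
                self.open_until = self.clock.time() + self.cooldown
                self.failures = 0
            return UNKNOWN                           # soft failure: fail open
        self.failures = 0
        return status


def allow_launch(status):
    """Only a positive revocation blocks a launch; UNKNOWN fails open."""
    return status != REVOKED


def scenario_slow_responder(launches=10):
    """Responder takes 30 s per answer; ten launches must not each wait 30 s."""
    clock = FakeClock()
    responder = SimulatedResponder(revoked=[], latency=30.0, clock=clock)
    checker = RevocationChecker(responder, local_crl=["0xC0FFEE"], clock=clock)
    results = [checker.check("0xA11CE") for _ in range(launches)]
    return {"all_launched": all(allow_launch(r) for r in results),
            "network_calls": responder.calls,    # breaker trips after the 3rd timeout
            "seconds_spent": clock.time()}       # 3 * 0.5 s, not 10 * 30 s


def scenario_offline_with_local_crl():
    """Responder refuses connections; a serial in the synced CRL is still caught."""
    clock = FakeClock()
    responder = SimulatedResponder(revoked=[], latency=None, clock=clock)
    checker = RevocationChecker(responder, local_crl=[], clock=clock)
    checker.sync_crl(["0xC0FFEE"])   # an earlier background sync picked this up
    return {"revoked_blocked": not allow_launch(checker.check("0xC0FFEE")),
            "unknown_allowed": allow_launch(checker.check("0xB0B")),
            "seconds_spent": clock.time()}


if __name__ == "__main__":
    print(scenario_slow_responder())
    print(scenario_offline_with_local_crl())
```

The point of the breaker is the one made above about fail-slow: an unreachable responder is cheap (the connect fails immediately), but a responder that accepts connections and then crawls costs the full deadline on every launch unless something remembers that it is degraded. The local CRL is what keeps a real revocation enforceable while the breaker is open.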


This is exactly right, and given Apple’s privacy commitment should have been implemented already.


Publish revocations as security updates to the OS?


Security updates take too long. How about each copy of macOS keeping a local copy of the revocation database, and updating it in the background?

Much faster, updates relatively quickly, and not subject to network outages.


I'd imagine that revocations don't happen often. And when they do, Apple has a perfectly capable infrastructure to push those small incremental changes on demand. It's almost as if they intentionally ignored such a superior solution and chose calling home for other reasons...


That way (current) Apple also has the app usage statistic ?


Microsoft Windows 10.


You don't need an alternative. The entire concept is totally unnecessary.


The alternative is OCSP being allowed if internet isn't available, which is a security risk for reasonable defense-in-depth strategies.


Most OCSP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt-in, because having an always-online requirement for using a Mac is ridiculous.


If your Mac is unambiguously offline it fails open. What it's handling poorly is the fail-slow case.


Ugh. IMO the network should not be on the critical path to running an executable.


Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.

I don’t think the design is wrong, I just think it’s tuned a little too cautious. If you’re going to verify certs then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.

There really aren’t any good solutions to this unless you can solve the cache invalidation problem.


The OP literally says if you disallow the connection or unplug the internet it does fail open.

I think it's probably an unintended bug that this failure mode was fail-closed.

The costs of this unintended bug are going to be huge to Apple's reputation, as demonstrated in this whole HN thread, where many are assuming what's going on is even WORSE than it really is.

(Personally I think having signed certs (with opt-in ability to run unsigned apps, as macOS has) is fine. And a fail-open OCSP revocation check is also fine-ish, although it would annoy me if it's making it slower to launch apps on the regular. The problem here is a bug, not one of design. But most of this thread is assuming Apple was doing something different than this. Of course, how often a company produces fairly catastrophic bugs is also on them.)


MacOS already fails-open if the OCSP server resolves to the local host (see: every suggestion to edit /etc/hosts in this discussion).


They are checking for revoked certificates.


It does go locally if you are not on wifi. I thought the issue was my slow internet so I turned off wifi and suddenly everything launched just fine.


Right around this same time, I had one MacBook hard reboot (watchdogd timeout) and shortly thereafter, a second MacBook froze, fan maxed out, with the display not coming up. Then it rebooted into recovery mode.

Yeah, these _could_ be unrelated issues to what has been going on in Apple land today, but it's uncanny...


I keep reading in the tweets how all Macs are unusable. Is this an OS bug that doesn't affect older OSes? I'm on Mojave on my 2017 MBP, and have had zero issues at all.

When was `trustd` introduced?


Checking for notarization on each launch was introduced in Catalina. Older versions have trustd, but it was only used for the Gatekeeper checks added in 10.8.


`/usr/libexec/trustd` exists on Mojave, too. There's a (very unhelpful) manpage.

I think you were just lucky to not open non-Apple applications during the outage.


I ran into this on trying to load a new video file on VLC, with Mojave, so I guess it's not just apps, but maybe any new file load.


My 2018 MBP on Mojave had some serious issues launching apps for a little while yesterday (3PM Central) afternoon. It seemed to resolve within an hour though. Not sure how that lines up with the outage described here.


Found another reason for me to not get a Mac


You can't go wrong with a ThinkPad. I switched from Mac to a T480 with Arch for dev work and it's been great.


I'm running a bunch of ThinkPads with Fedora & all works fine (and worked fine for years).


We’re running Thinkpads at work with fedora and they really don’t.


Any specifics what does not work ?


Hibernation. External monitor support is buggy. Pulseaudio is buggy with external microphone. IR camera face login isn't supported. Fingerprint scanner isn't working properly at login after sleep. Sound from internal audio is much worse than was on Windows. No app I know of can reliably share screen on Wayland.


Very true. Run FreeBSD and OpenBSD on Thinkpads at home and work and life's a peach...


If they brought back taller displays I’d be right there with you.


Another poster mentioned the Huawei Matebook Pro has a 3:2 screen. I'm now looking into getting one for that reason alone.


They are; the next crop will be 16:10.


Check the article on anandtech about the new Razer laptop.

Disclaimer: not affiliated.


Why isn't apple doing OCSP stapling & caching? Reverse proxies have long since solved OCSP availability with stapling and caching.


This might be a stupid question, but is there a downside to blocking this "feature"? I can't think of any.

I've been using Big Sur beta for some time and one of the things that annoyed me a bit was the sudden lack of responsiveness, which is a tad annoying given that I upgraded to a 16inch MBP earlier this year and everything felt so snappy.


Huh apparently I win by still being on an old OS version?


Depends on how old, I guess. I'm running Mojave, and ran into the problem.


My policy is to never upgrade anything until everyone I know has upgraded to the next version and not downgraded after N weeks.


LOL, my policy is to never major-upgrade the OS the machine came with.

I have machines around the house with OS'es going back a ways...


This is the correct policy. I upgraded my mac because I couldn't install a certain application on the version I was running and now it runs crazy hot and the fans run on full blast whenever I watch a video on the internet.


My policy is to upgrade my secondary/personal/low importance computer on day one and my primary computer a few weeks later.


ocsp.apple.com also has an IPv6 address. Firefox connects to it even with 0.0.0.0 in the hosts file and a flushed cache (you need to also clear firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the ocsp site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.

Disable IPv6: sudo networksetup -setv6off Wi-Fi (where Wi-Fi is the name of the network service)


Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling ipv6 all together, but admittedly I've never worked with ipv6 networking on Macs.

Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.

[1]: https://www.unix.com/man-page/FreeBSD/8/ipfw/


Just to confirm: Yes, that works fine. It's probably the better solution here.
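
The two comments above make the point that a v4-only hosts entry leaves the AAAA record reachable. The functions below are an added example, not anything from the thread or from Apple, that add both an IPv4 and an IPv6 sinkhole entry for one hostname idempotently and check that both address families are covered. `HOSTS_FILE` is an assumed environment variable so the functions can be exercised on a scratch copy before touching the real file.

```shell
#!/bin/sh
# Added example: sinkhole one hostname on both address families in a hosts file.
# HOSTS_FILE is an assumption for this example; it defaults to /etc/hosts.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# hosts_has FILE ADDR NAME -> exit 0 if an uncommented line maps NAME to ADDR
hosts_has() {
    grep -Ev '^[[:space:]]*#' "$1" | awk -v a="$2" -v n="$3" '
        $1 == a { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# sinkhole_host NAME [FILE]: append 0.0.0.0 and ::1 entries only when missing,
# so running it twice does not duplicate lines.
sinkhole_host() {
    name="$1"; file="${2:-$HOSTS_FILE}"
    hosts_has "$file" 0.0.0.0 "$name" || printf '0.0.0.0 %s\n' "$name" >> "$file"
    hosts_has "$file" ::1 "$name"     || printf '::1 %s\n' "$name" >> "$file"
}

# sinkhole_complete NAME [FILE] -> exit 0 only when both families are covered;
# a v4-only entry still lets the resolver return the AAAA record.
sinkhole_complete() {
    name="$1"; file="${2:-$HOSTS_FILE}"
    hosts_has "$file" 0.0.0.0 "$name" && hosts_has "$file" ::1 "$name"
}
```

Run `sinkhole_host ocsp.apple.com` with enough privilege to write the real file, then confirm what the system resolver now returns with `dscacheutil -q host -a name ocsp.apple.com`; both an `ip_address` of 0.0.0.0 and an `ipv6_address` of ::1 should appear.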


And people were shocked at Windows 10 doing telemetry. macOS isn't doing it any better, as I see it.


I had both my personal and work laptop become unresponsive at the same time. I was wondering what kind of problem could cause that - was thinking EM interference or possibly something on my network. This explains it.


Ha! So that's what it was. Last night (I just woke up in the UK) my MacBook Pro started to crawl, and I started to fret that it might be the SSD starting to fail.


Welp, I won't be updating today then, not unless they fix that.


There is a mistake here. It should be “ocsp.apple.com”


Using a premium DNS with filtering features makes sense: https://dnsadblock.com



A compelling way to enact change at large corporates is to vocally communicate when and why you are forced back into a buying position as a customer.

Apple VPs who are listening, especially Craig Federighi - here is an early warning for you. The HN crowd may seem fringe, but they are living in the future. I de-Googled my entire life over similar transgressions by Google and several of my friends are gradually going through the same process, albeit more slowly.

And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook. No one is going to catch Apple on performance and form factor for a long time, but I'm willing to invest in a long-term ecosystem that won't allow things like this...as long as I don't need to debug audio drivers. I am done with that phase of my life.

So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.

(I looked at Alienware's M2 and M3, but it cost about the same as an MBP16 but with more blue LEDs.)


> The HN crowd may seem fringe, but they are living in the future.

The other thing that really can't be discounted here is that a lot of the HN crowd are likely the default go-to people in their circle of family and friends for this sort of stuff, and in many cases they may also have major purchasing influence and technical decision making power in their respective businesses. Turning off one of them may be inconsequential on its own in the short term, but it could seriously add up to a lot more destroyed mindshare and significantly more "lost" sales over time.


Don't underestimate the power of your choice at the frontier, even if it takes a while to reverberate through time.

I used to think it didn't matter what tools I chose as a lone developer making consumer tech products and DSP audio applications. But over time, I saw that consumers rely on frontier-makers for fast-moving tech choices more than you’d think, even if they lag a few years behind.

When enough people make a choice, a tipping point forms in the future. Paul Graham wrote about this in "The Return of the Mac", and I believe a tipping point is forming: http://www.paulgraham.com/mac.html

If Apple wants to ride on privacy, then it will fall on privacy.


Yes, I can specifically say that 2 other people have chosen not to update past Mojave 10.14 because of my advice.

I'm experimenting with Linux these days. There are some minor annoyances with using an outdated version of macOS. Unfortunately those apply to not just one or two apps, but every part of the OS when using Linux. Basic things like WiFi drivers or sleep support. I'm encouraged by the trackpad driver project, but it's not there yet. So I'm still hanging on to my 2014 Retina MacBook Pro using 10.13, until some Linux distro catches up. I feel like that will happen soon though.


I should update to Mojave one of these days...


Not if you want Time Machine; stay on HFS+ if you're a dev and want easier cross-platform support.


One of my family members is using Time Machine and is on Catalina, which forces APFS -- is there something I should be worried about (outside of cross-platform support)?


Directory hard links are not available in APFS. Even though your internal drive is APFS, your Time Machine backup drive is probably still HFS+.

https://eclecticlight.co/2020/05/26/how-to-make-time-machine...


God, the self-importance of this community. The world can live without the 1000 people here.


It’s true, but at the same time Apple are currently trying to win over the developer community. That much was clear from the M1 announcement, where they focused on compile times and TensorFlow as benchmarks.


Corps like Google or Apple are so big that the amount of HN customers and their friends/relatives are a drop in the ocean. This is just a PR mess for them, that's all.

They mop it up and move on.


You and I - we are the market. How do you know how many drops there are if you don't speak up?

Relative to my community in South Africa, I have spent more money on Apple products than anyone I know. And here I am saying that if these privacy issues are not resolved, I am willing to vote with my wallet as soon as I can find an alternative.

I only mention that I've de-Googled my life so that those who doubt my intent will know it's not an idle threat. These things take time to change, but they can and do change if you make your voice as a customer heard.

When you want to enact change at a Big Co:

1.) Communicate why you are forced into a buying position and ideally how to resolve it.

2.) Be willing to walk away, or you can't negotiate.

3.) Actively seek alternatives.


Yep "Voting with your wallet" doesn't work, bad practices need regulation and/or penalties.


I don't believe that is true. Regulation prevents competitors from toppling badly-behaved incumbents.

Big Co.'s must be allowed to fail. Don't hinder new contenders from rising to replace them.


"Yet what is any ocean but a multitude of drops?"


The interesting thing about this community is that technically it could create its own OS. That is a threat to nation state level institutes that want to prevent that.


> is that technically it could create its own OS

The vast majority of people here couldn't program a linked list given an hour and full access to the Internet.


I have memorized copy-paste hotkeys thank you very much


Yes, nation states fear people working on OS projects. No one outside of the security state has ever tried to make one - and lived to tell the tale.


You know, that’s not a bad idea.


I agree with the sentiment, but I also think designers and builders of all kinds ignore the most advanced users at their peril regardless of if they're HN, some game's best players, someone who uses a library in production instead of as hobby, etcetc.

The impact is just different and sometimes causes big issues if ignored


There are more than 1,000 people and it's a sampling of a larger population. There are more developers and technical savvy people out there than just the ones who use HN.


Who is more important than the customer? You and I - we are the market.


You and them are the market if you happen to be the only two customers of a company or the only customers for specific goods. Hopefully you see now why your statement was ridiculous.


> The HN crowd may seem fringe, but they are living in the future.

I really don’t think the HN community is at all representative of what the masses think about. Just like in any online community, it is easy to think that the thoughts of that community somewhat resemble that of most people when that simply isn’t true. HN’s base consists highly of developers who are up to date with most things in the technology industry.

The rest of the world doesn’t really care enough to compromise the comfort and reliability of Google’s suite, which, let's be honest, outperforms its competition by a sizeable margin, and does so with a “free” price tag.

People on HN have talked about de-googling for years and I have yet to see someone outside of the computer development scene do it (or even talk about it for that manner).


I am starting to see people switch around me, but it doesn't happen overnight.

A surprisingly handful of non-tech people have asked me, "Hey, I see you use DuckDuckGo. Why not Google?" And then we have the conversation - it's a short conversation:

Well, you cannot prosper in an environment if you operate on inaccurate or censored information. Google & YouTube censor information and track everything you search for or watch. Today your views align, tomorrow they may not.

Secondly, you must insure yourself against tail risks, and having your Gmail account "cancelled" is a yuuuge tail risk. Therefore, avoid bundled Google products.

Then a few months will go by, and I'll see they are now using Firefox and DDG.

When you have these conversations, it's important that it not be about your identity (open source! Linux!), but about risk-aversion.


I agree--I also de-googled within the last couple years. I also did it because I need my e-mail to always work, it's just unacceptable that Google could take it away with no reasonable recourse.

I was also hit by this outage today, at work, on my work laptop, while I was working. Apple literally cost me time and my employer money today, because their lack of foresight or inadequate provisioning of servers or whatever the fuck it was, fucked up my laptop. No good reason. They just fucked up, and it cost something.


I switched to Fastmail two weeks ago. So far it’s great. $5/month is reasonable insurance against “getting cancelled” by Google.


What did you move your phone to, when you degoogled your life?

Apple iphones seems even worse than Android, honestly.


I use GrapheneOS. It's rough, but as I said somewhere else, for the first time my phone isn't my enemy.

I would have bought a Linux phone, but seeing that a few months ago they had trouble making calls on a Librem 5, I chose not to take the risk.


Thanks, I will look into GrapheneOS.

I wish there was a phone ecosystem I could invest in that ran Clojure near the metal. Some kind of Lisp machine would be awesome and make it more palatable to endure missing libraries and apps.


In case you don't know, GrapheneOS is based on the open-source parts of Android (AOSP), so the apps are developed on Android's JVM (Dalvik?). Maybe it's possible to code with Clojure.

Actually it looks like it's possible: https://github.com/clojure-android

Myself I'm learning Flutter to be able to develop my own apps when I can't find what I need on FDroid.



And there are A LOT more than what is just happening here.

They have burnt a lot of good faith post Steve Jobs. But judging from current Apple management, they won't act until sales numbers decline, as shown by the MacBook Pro keyboard fiasco. And to make it worse, they seem to think of most of these problems as PR and marketing problems and dial up the marketing instead of actually fixing it.

( You can see that with Apple's marketing, especially with recent iPhone 12, with VPs explaining in podcast )


If there are a lot more, it's worth listing them all in a blog post. A set of evidence is more compelling than only one act that could potentially be written off as well-meaning incompetence.


I would say that the current Microsoft Surface laptop/book has the same build quality feel as the Macbook line, but unfortunately you're stuck with Windows 10, which is a downgrade if you're used to MacOS.


Interestingly this also works in reverse, namely macOS is a downgrade if you are used to Windows 10.


Windows 10 is also working against you with its telemetry and ads. We shouldn't have to work against the interest of the company that sells us the software running on our PCs. This will lead to more problems down the road.


I concur. I have a Surface. It sucks. Worst computer I’ve ever bought.

Keyboard sucks. Is it a tablet trying to be a laptop? Or a laptop moonlighting as a tablet?

Stylus sucks. It doesn’t have the accuracy of the iPad. And it always had a weird parallax feeling, so I gave up on using it. And the software was just mediocre.

I gave up and bought a Lenovo T4xx series laptop. Installed a dual boot Linux Ubuntu on it. Best. Computer. Laptop. Ever.


I just got a new XPS13 after a decade of using only macbook pros. Honestly it's pretty good and like 95-99% as good as my macbook. The only thing I really miss is the incredible touchpad. The XPS touchpad is meh, although is functional which is more than I can say about many other windows notebooks.


>So if I had to choose an alternate path, what would such a path look like that could eventually approach the build quality of an Apple Macbook Pro? That product doesn't have to exist yet, it just has to be on the path.

Thinkpad X1 Extreme Gen 2 is what I use and I'm very happy with it. My requirements were a moderately high-performance laptop, hybrid/discrete graphics, not excessively bulky and good Linux support. I can't fault my choice. The only issue I had with hardware compatibility under Linux was due to me receiving it a couple days after launch and the drivers for the wifi card not yet being in the kernel used by Debian or Ubuntu (no longer an issue iirc). Happy to answer any specific questions you have.


Apple VPs who are listening, especially Craig Federighi - here is an early warning for you.

The point is, things like this should never happen in the first place.

They are probably checking how far they can go, before it affects their bottom line.


I don't think they are "checking"; they've carefully planned a path and are slowly and meticulously executing on it. They have no intention to stop at any point. Should the money stop flowing, they'll just come up with a new gadget. To make them backtrack on the walled garden would take an extinction-threatening event that (unfortunately) will never be on the cards as long as nobody can seriously threaten the iPhone.


I’m not so sure. A handful of high-profile opinions + a few hundred low-brow peeps like myself calling out bad behaviour can have a noticeable impact on sales in the mid-term.


The Dell XPS range is probably the closest available currently.


I had the pleasure of installing Ubuntu on a modern Dell XPS recently. I was happy to discover that everything seems to work flawlessly upon install without any additional fiddling: WiFi, trackpad, touchscreen, display scaling, and really everything else I've tried so far worked great. It's an absolute joy!

There was a time I remember when various things with Linux installations were often quirky or troublesome to get working well with certain laptop hardware, but I'm convinced now that this situation has improved tremendously since then...at least from my recent experience and hearing other good things about the Dell XPS and various ThinkPad models, and of course System76 (although I haven't had a chance to try one of those myself yet).


You can actually buy the XPSs with Ubuntu preloaded even. (Or, used to be able to - I went back to a Thinkpad and haven't looked lately).


You can buy the XPS13 Developer Edition. The XPS15 doesn’t come preinstalled with Linux (although it apparently works well and is well supported). If you want an officially supported Dell 15”, you need to buy the more expensive Precision: https://www.dell.com/en-us/work/shop/overview/cp/linuxsystem...


There may be some supply chain issues with the Linux one. When I ordered this in August, they never sent it and cancelled my order 1.5 months later. I reordered it that day, and it was delivered within several days. I do like it very much.


Yes, and they are also selling an Ubuntu edition where you not only save quite a few $$$ (because no Windows licence) but you're also sending a signal to manufacturers that there is a demand for compatibility with other OSes (unlike on Apple or MS Surfaces).

So if the dev edition fits your needs, consider buying this one.


Thank god I switched back to windows early this year. I absolutely love it and I do not foresee me returning to Apple for a considerable amount of time.


You should know that Windows includes a similar feature (to call home and report file hashes and the user's IP for example) called SmartScreen, and with default settings it also triggers on every single application launch in the OS.

Reference: https://en.wikipedia.org/wiki/Microsoft_SmartScreen#Windows

(also I should know, I worked on a tiny part of this feature in IE9 and Windows 8)


Thanks for the reminder. I prefer that I can disable SmartScreen easily instead of making little snitch rules on macos.


I use both Windows and Mac but I would never consider Windows some patron saint. The telemetry and dark patterns in Windows are much worse than what Apple does. Windows literally advertises its own browser in different parts of your OS and will regularly change the default back to Edge after updates.

But overall I am pretty happy with Windows being my daily driver now that they have WSL.


btw, when you install any app on Android, it sends a huge hash (maybe the whole thing) to Google servers.

Try to install an apk without internet connection, and then try over a slow 3G connection to see the several(!) minutes it takes.

If your phone has the old style data arrows, you will see the upload one all the time while you stare at the "installing" screen.


I bought the business cousin of the XPS 17, the Precision 5750. The screen-to-body ratio is amazing. And the 4k screen is beautiful, the build is attractive, thermals are good and the speakers are nice as well. (From an Apple perspective these are the things that others often get wrong)

It has some design flaws („hybrid power“) but what is really messed up is the QC: I have ProSupport and already had 4 technicians over and am currently awaiting my third full replacement.

Issues are all over the place: faulty trackpad, extreme coil whine, broken display, etc. Perfect device for me if they could figure out their QC. If the next one is not perfect, I am getting a G14, which is the best performance/watt, performance/notebook volume and one of the best performing notebooks in general.


Microsoft saw that Macs were eating their lunch regarding developers and researchers when e.g. nearly everyone doing AI was on a MacBook or Ubuntu. You had a hard time getting Tensorflow to run on Windows because no one in the community really cared.

Also everyone developing applications in the cloud was eventually targeting Linux as the production OS, which is a pain if your development OS is pretty much hostile to anything command line.

MS then put a lot of money into getting a Linux like command line and support into Windows with WSL.

They also got a bunch of influencers and devs to do their thing with improving that kind of developer experience.

Apple, however, has been sitting on their hands in this regard. They are moving exactly the opposite direction with this crowd.

I have no idea what rationale is behind that. Did they come to a different conclusion than Microsoft or are they just failing to execute on the strategy?


MS sells cloud services. They don't really care what machine you use, as long as you live on Azure as much as possible. That's why they give you more and more tools that improve the "remote development" experience.

Apple sells silicon. They don't really care about developers; as long as they can pull enough users through the iPhone->iPad->Mac funnel, they have done their job of selling as much hardware as they can. In their view, developers bitch and moan but in the end will have to go where users go - at which point, Apple can tax them for access to the walled garden.


It’s going to be hard to beat Msft on developer ergonomics when Msft has GitHub, Azure, VSC, and TS.


> And even though I just bought an MBP16, Apple monitoring every binary I run makes me want to sell it immediately and never buy another iPhone, Watch or Macbook.

You'll keep buying Apple stuff. I know it, you know it and Apple knows it. If all of their past transgressions hadn't changed your mind you'll keep doing it. Cut the shit.


From another post on this page, someone recommended looking at Metabox. I had never heard of them. I just looked over their site. Some very very cool options. Been in business a long time. https://www.metabox.com.au/ I've tried Alienware (used to be good, but not very impressed since the Dell days), I've tried Razer (always some issues), Dell G and XPS seem the best up to now. But this Metabox looks really fun. Wonder if others have tried?


Australia's anti-encryption laws make me very wary of buying anything based there.

The Singles Day ad on the landing page made me think it was a domain squatting ad page.


Look up System76


I switched from Mac to Sys76 last year, never looking back at MacBook. I'd also suggest S76, X1 Carbon, or Dell XPS.


These are Clevo laptops. You can get the same hardware with other Clevo resellers.


> And even though I just bought an MBP16,

Look into what state law protections you have. High ticket mail order items can usually be returned for a full refund for a fairly long time.

Finding out that it's phoning home about every binary you run is absolutely a good justification to return it. I would sooner throw out a computer that did that rather than use it.


I'm not sure that using Google as a cautionary tale is a good idea. Given their continued growth and success...


Product -> Customers -> Revenue. Not the other way around. First product goes, then customers, then revenue. It takes time.

I am short Google and have been trying to figure out how to short their stock from ZA without losing opportunity on growth of other, better stocks.


Thinkpad X1 Carbon.


Dell Precision and XPS are quality with official Linux support


They do all this on your iPhone and Watch, and even more.


You've got to be kidding me. When Apple's servers are down, all Macs worldwide start freezing randomly? My Xcode is hanging during builds, is this why?

This code signing enforcement stuff has gone way too far. Heads should roll for this.


That's correct. AFAIK Catalina will check online for everything, even binaries you compile yourself.


Microsoft Windows also uploads your private exe’s, and then runs them on Microsoft servers:

https://medium.com/sensorfu/how-my-application-ran-away-and-...


Holy Shit. That should be illegal. All it needs is one rogue employee to potentially steal trade secrets? And don't tell me MS employees never go rogue after the recent events...


Surely it's against copyright law


> Surely it's against copyright law

It almost certainly is, but

1. You have to know it's happening before you can do anything about it

2. If your "work" isn't registered with the copyright office, you're limited to actual damages, which are probably close to $0


A law is only dealing with the consequences, it's not prevention.


TL;DR: It's an option that can be disabled, unlike on Mac. Also doesn't lock up your PC if Apple's network is having a bad day.


Is this how we look for the next Stuxnet?


wait what, how?



The behavior documented there is on FIRST run of a new executable.

You can like that behavior or find it unacceptable, but the issue in OP is not that, it was applying to executables that had already been launched plenty of times on the machine.


[deleted]


Right. The recent problem (in top-level OP, and that you were presumably experiencing) was not just first run, but the behavior explained at the GP link (https://news.ycombinator.com/item?id=23281564 , HN thread for https://lapcatsoftware.com/articles/catalina-executables.htm...) is just about first-run, so the behavior explained at the GP link is not sufficient explanation for the recent problem, it's not talking about the same thing.


Wait what happens if you don't have an internet connection? Can Macs not be used offline any more, surely that's still a relatively common use case for a laptop even today in a lot of places?


My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.


I experienced this a couple of weeks ago. My wifi was up, but my internet provider was down. My MacBook came to a halt. Nothing worked anymore. The whole machine was extremely slow. When the internet provider came back up again, everything was fine again.


Had the same thing earlier in the week as the ISP was doing maintenance two nights in a row. 5+ seconds to start Sublime and other really basic apps. Apple apps had no problem of course.

Remembering the notarization problems people were having months ago I did some tests and confirmed.

Now have Little Snitch installed again and my laptop's going to be an Apple orphan. So I never noticed this problem today by virtue of it pissing me off 2 days before.


Might as well get a chromebook then hahaha


So you can't use a computer on an airgapped network? That seems counterproductive if the objective is security.


If your computer is actually airgapped and has no networking interfaces configured, you won't have this issue.

If your computer is able to resolve DNS for ocsp.apple.com but to connection-timeout all traffic, yes, you could possibly reproduce today's issue.


Airgapped network — an IP LAN not connected to the internet. These do exist, sometimes permanently for security reasons, and sometimes just where external connectivity sucks but you still want your laptop to talk to your NAS.


The point stands: if you allow a host to resolve ocsp.apple.com to an unresponsive (timeout) address, it might break macOS the same as today — whether by air gap, by firewall, or who knows what else.


Agreed. These are really useful in various settings, but seem to be outside of most people's experience.


That still seems weird. Why does running unrecognized software become safe when you're off line?


It's a security theater


Thank you. Phrased perfectly.

It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function... masquerading as security.

macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.


If you point the request at localhost, the problem resolves. This means that a cable getting cut in Cupertino won’t matter. It is a revocation protocol; it fails open.

The problem today is not that the connection to the server failed, but that it succeeded very slowly. The result was an accidental denial of service on the client.

It is a bug, and an easily fixed one at that.


This particular issue is easy to work around for technical users; the _problem_ is the philosophy that made it possible.

This is the reason I can no longer use Apple computers - the continuous battle they are waging against the users freedom on all fronts - the anxiety of what they will do next to _my_ computer is too much.


Good luck finding a suitable replacement. Microsoft does unpredictable things to Windows. Linux maintainers do unpredictable things to all sorts of things.

Your only real recourse is to compile everything from source after a thorough review every time...

...or else trust someone.

Sure Apple had a problem here, but there are so many other reasons to trust them over any other org that I can't in good conscience switch platforms, because there's so much more anxiety elsewhere.


> Linux maintainers do unpredictable things to all sorts of things.

With Linux you don't have to worry about every program you launch being reported to the mothership, or that failure of the mothership to respond would cause your computer to not function.


If you're not reading all the source of everything you're running, any or all of it absolutely could be reporting usage/stats/your data to a "mothership".

Just because there's no single central org involved doesn't mean there aren't risks.


You don't need to read it, you just need to be able to read it.

Just because there are risks doesn't mean the risks are meaningfully comparable.


Ken Thompson won a Turing Award for showing how that isn’t the case: http://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thom...


May I direct your attention to https://reproducible-builds.org/


That what isn't the case? Pointing out additional threat vectors doesn't in any way contradict my point.


We already know that, by design, macOS will report back to the mothership. If things are working 100% correctly, Apple will collect what programs you run and when you do so.

Linux won't report to the mothership by design. If things work 100% correctly, you don't have to worry about some company knowing what programs you run and when.


I've already found a replacement, Debian stable + i3wm has been my happy place for the last 5 years. No unexpected behavior changes on update, just bug fixes, it does what I tell it, nothing crazy like Debian maintainers dictating what binaries I can run... if you want more or less control you've got plenty of Ubuntu style distros in one direction and Arch style in the other.

If you're a media person then yeah, I feel bad for you, i've been there and it sucks, you're stuck with mac and windows if you require mainstream design apps.


I agree that it’s security theater and a suspect implementation, but I was playing a game of “let’s imagine why someone might do this...”—

I’m wondering, suppose it was designed this way because part of the goal is to prevent the spread of malware, the fastest means of which is an internet connected computer. In that event, the feature only intrudes when the computer, by virtue of its internet connection, is a member of the threat class.

So... plausible?


Plausible a la NSA, yeah?

I presume this setup wasn't public knowledge.


Apple built the computer; I exchanged money for the computer; now I own the computer.

Apple does not own the computer.

If Apple wants to own the computer, they can pay me instead.


They own the software.

You didn't pay for that. You licensed it from them.


That's a fair point that I hadn't considered, and I appreciate it. But I still feel like "ability to use your computer as a service" is not something I signed up for.


Or defense in depth.

I hate it too, but 'theater' implies it isn't useful in any way.


And probably a ruse to amass application usage stats.


Mandatory OCSP is security theater? That’s a pretty bold claim.


Mandatory OCSP that fails open when you're offline is security theater.


OCSP fails open by definition because it is a revocation protocol. In the absence of revocation, a valid cert continues to be valid.

The problem here is simply that Apple did not build a short enough timeout into their client.


Make OCSP fail locked and it would be a software imprisonment protocol instead.


Because it is not yet illegal to operate a computing machine that is not centrally monitored. New Normal, get used to it. Soon, this corner case will go away.

"Why were you offline when using your computer?"


Yes, can someone clarify this? What the hell is going on here?


It doesn't become safe when you're offline, it's just that you're no worse off than you were. OCSP is a certificate revocation protocol. It's only used for disabling certificates which were issued in good faith but now need to be revoked. Suppose Apple signs application X, and the signature is good for a year. Six months later, Apple discovers that application X contains malware, so they revoke the certificate. However, your computer doesn't know about the revocation until it checks the OCSP server, which requires you to be online. If you're offline, it just skips the check; the certificate wasn't revoked yesterday, so it's probably fine today too. The bug is that if you're connected to a network but can't contact the OCSP server (either because the OCSP server is down, or because you're not connected to the internet) then OSX keeps trying to connect and becomes sluggish and/or unresponsive. This is how we know that it's a defect rather than a deliberate choice; if they had decided to make the OS non-functional unless connected to the internet they would have done a better job of it.

It wouldn't surprise me if they one day wanted to require you to be online 100% of the time so that you can't skip the OCSP checks on applications, but I don't think that would go over very well. Apple wouldn't even be the first to produce applications that refuse to work if there's no internet connection. If you don't like the thought that they might one day spring this on you, I recommend investigating Linux.


Unfortunately there’s not a way to differentiate “we’re online but Apple’s servers are having issues — probably fine” and “we’re online and something something is preventing us from talking to them — something nefarious might be happening.”


Local copy of whatever Apple is checking? Update that daily (on sign on or something). Not going to catch zero day type stuff, but better than making the laptop unusable.


I'm going to make a bold claim but Linus made a claim to this effect. Security is important but it cannot be the only main priority when designing systems. Apple's mistake here is probably the main story but more generally this attitude (letting systems spectacularly fail for the sake of hypothetical security) is foolish and results in rather terrible bugs like this.


I think the point is that that database is too large to store on a single machine which is why it has to be ad-hoc queried and cached. I mean it will have the signature of every program run on a Mac.


Funny how DNS has that same issue, and yet, we still decentralized it to a point, even if there is some inertia going on to keep it as centralized as possible.


I don’t really want a giant hash table on my disk either.


A Bloom Filter[1] could be used as a lighter alternative. You probably have at least one of those in your disk now.

[1]: https://en.wikipedia.org/wiki/Bloom_filter
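An added example (not from any commenter, not Apple's code) of the local-copy idea raised above: a Bloom filter built from a constructed list of "revoked" code hashes. A negative answer is definite, so that launch needs no network round trip at all; only a positive ("maybe") answer costs an online lookup, and a false positive can never turn into a wrong allow. The hashes, sizes and target false-positive rate are all assumptions chosen for the demonstration.

```python
"""Bloom filter over a revocation list (added example, constructed data).

Not Apple's mechanism: a sketch of how a client could keep a compact local
summary of revoked code hashes and skip the network for the common case.
"""
import hashlib
import math


class BloomFilter:
    def __init__(self, capacity, fp_rate=0.001):
        # Standard sizing: m bits and k hash positions for the target false-positive rate.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: k indices derived from one SHA-256 digest.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the stride is never zero
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item):
        # False means definitely absent; True means present or a false positive.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_revocation_filter(revoked_hashes, fp_rate=0.001):
    bf = BloomFilter(capacity=max(1, len(revoked_hashes)), fp_rate=fp_rate)
    for h in revoked_hashes:
        bf.add(h)
    return bf


def launch_decision(bf, code_hash):
    """'allow' with no network traffic, or 'ask-server' when the filter says maybe."""
    return "ask-server" if bf.might_contain(code_hash) else "allow"


def measure_false_positives(bf, probes):
    """Fraction of known-clean probes the filter would still send online."""
    return sum(bf.might_contain(p) for p in probes) / len(probes)


def constructed_probes(n, prefix=b"clean-"):
    # Constructed sample hashes; real inputs would be code-directory hashes of binaries.
    return [hashlib.sha256(prefix + b"%d" % i).digest() for i in range(n)]


# Constructed sample: pretend these are the hashes of 1000 revoked binaries.
SAMPLE_REVOKED = constructed_probes(1000, b"revoked-")

if __name__ == "__main__":
    bf = build_revocation_filter(SAMPLE_REVOKED)
    print(bf.m // 8, "bytes for", len(SAMPLE_REVOKED), "entries, k =", bf.k)
    print(launch_decision(bf, SAMPLE_REVOKED[0]))  # revoked: must go online
    print(launch_decision(bf, hashlib.sha256(b"my-editor").digest()))  # almost always 'allow'
    print("observed false-positive rate:", measure_false_positives(bf, constructed_probes(20000)))
```

At a 0.1% target rate the filter for a thousand entries is under 2 KB; the size grows linearly with the number of revoked hashes, not with the number of programs ever run, which is the point against the "giant hash table" objection. The filter itself would still need to be fetched and refreshed (and ideally signed) out of band.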


On iOS, after a period of disconnection "the phone won't let you turn it on again until it goes online": https://youtu.be/BW32yUEymvU?t=1212


That sounds like it might just be a bug. At least, I wasn't able to find any information whatsoever on this phenomenon on Google.


I'm guessing this is to help trigger the wipe of stolen phones.


If you don't have a connection, it just doesn't do the check. If you have a crappy connection like many of our students, it takes forever to check. If the server is down, life just sucks and non-Apple programs don't open.


If you are connected to a network without an Internet connection, it just becomes unusable. Internet connection is somewhat unreliable in my area, and I had an internet outage that lasted for days during the COVID lockdown. I feared it was a malware infection causing the slow down. I switched over to Linux not long after.


Often when I would see this type of error it would be when something silently drops TCP packets (rather than sending a RST). This is one way to configure a firewall, and it's indistinguishable from high latency. Hence the difference in behavior. If the address was unroutable, or immediately closed the connection, it would fail quickly (and presumably for the OCSP check, it would be skipped immediately). But when packets are silently dropped, it's up to the client to decide how long to wait for an ACK, which might cause a hang.

I've seen an identical problem where Chrome would hang for minutes when loading sites, and it was because I was in a firewalled environment that was outright dropping packets to Chrome's OCSP server.
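An added example, not code from any commenter or from Apple, tying together the points made in this thread about revocation failing open, a short client timeout, and the difference between a refused connection and silently dropped packets. The responder is a constructed loopback TCP service speaking one-line ASCII tokens instead of real DER-encoded OCSP, so it runs offline; its "hang" mode accepts the connection and never replies, which is what a black-holing firewall or a badly overloaded server looks like from the client side.

```python
"""Toy fail-open revocation client with a bounded timeout (added example).

Not Apple's code or wire protocol. The constructed responder below stands in
for the server; the client shows the two properties that matter: an explicit
REVOKED is the only thing that denies, and silence costs at most `timeout`.
"""
import socket
import threading
import time
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


class ToyResponder:
    """Loopback stand-in for a revocation server (constructed, not real OCSP).

    mode="answer": replies GOOD or REVOKED according to the constructed revoked set.
    mode="hang":   accepts the connection and never replies: no RST, just silence,
                   the way a firewall dropping packets presents to the client.
    """

    def __init__(self, mode="answer", revoked=frozenset()):
        self.mode = mode
        self.revoked = frozenset(revoked)
        self._held = []  # connections deliberately left open in hang mode
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))  # ephemeral port
        self._sock.listen(8)
        self._sock.settimeout(0.2)  # lets the serve loop notice close()
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed by close()
                break
            if self.mode == "hang":
                self._held.append(conn)
                continue
            with conn:
                cert_hash = conn.recv(256).strip()
                conn.sendall(b"REVOKED" if cert_hash in self.revoked else b"GOOD")

    def close(self):
        self._stop.set()
        for conn in self._held:
            conn.close()
        self._sock.close()


def fetch_status(host, port, cert_hash, timeout):
    """Ask the responder about cert_hash; None means no usable answer in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)  # bound the read, not just the connect
            s.sendall(cert_hash + b"\n")
            return s.recv(64)
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return None


def decide(response):
    """Revocation semantics: only an explicit REVOKED denies; no answer allows."""
    if response is None:
        return Verdict.ALLOW  # fail open: the cert was valid last time, keep trusting it
    if response.startswith(b"REVOKED"):
        return Verdict.DENY
    return Verdict.ALLOW  # GOOD, or an unparseable reply treated like no reply


def check_launch(host, port, cert_hash, timeout=1.0):
    """Return (verdict, seconds spent); a launch is never held longer than about `timeout`."""
    start = time.monotonic()
    verdict = decide(fetch_status(host, port, cert_hash, timeout))
    return verdict, time.monotonic() - start


if __name__ == "__main__":
    # Constructed data: one revoked hash, one good hash.
    responder = ToyResponder("answer", revoked={b"deadbeef"})
    print(check_launch("127.0.0.1", responder.port, b"deadbeef"))  # DENY, fast
    print(check_launch("127.0.0.1", responder.port, b"cafebabe"))  # ALLOW, fast
    responder.close()
    blackhole = ToyResponder("hang")
    print(check_launch("127.0.0.1", blackhole.port, b"cafebabe", timeout=0.5))  # ALLOW after ~0.5 s
    blackhole.close()
```

Against the closed port (after `close()`) the connect is refused immediately and the launch proceeds at once; against the hanging responder the launch is delayed by exactly the read timeout and then proceeds. Take the timeout out of `fetch_status` and the hang case becomes the multi-minute stall described in the thread, with no change to what the check is allowed to decide.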


With Android it's the same. I have an app firewall on my Android phone and since then the standard Android gallery app does not really work anymore. A lot of things break, for ex. when I like to send a file with Threema, I have to go offline, choose the file and then go online again. Otherwise the file dialog freezes. It's just standard these days. Also a lot of things break if you are just on a network without internet connection. Welcome to 2020.


That's why notarized applications should be stapled too. The stapling "ticket" is embedded in the app bundle and allows macOS to perform an offline check.

Basically you'll get the usual GateKeeper window, but with a slightly different message, along the lines of "I can't check this binary in realtime but I trust the embedded notarization".


Almost certainly so. Apple has built chains of certificate trust very deep into the OS, along with apparently an assumption that this particular revocation service check is reliable & fast enough to call out to the network a lot.


Oh man, imagining a DDOS to fail that over.

Imagine how many people would lose their productivity, maybe not at the big corps or govt (I assume they use a version of mac that calls somewhere else/doesn't). But very very many people.


Today I was late to join a corporate conference call. It took like 5 mins to start the conferencing software.

First time ever I'm genuinely frustrated with Apple - Macs are not those unicorn tools anymore that work reliably


> Oh man, imagining a DDOS to fail that over.

That might be what we just saw happen.


SelfDDOS. The first ever.


This seems to explain why my Mac was nearly unusable after a reboot last week. Turns out bind crashed on my firewall leaving me with no DNS.

After I restarted it I could actually launch apps other than terminal again.


Code signing is an okay thing as long as the signing identities don't get discriminated. Android has had code signing ever since it was released, but you always generated the certificate yourself, and the purpose was simply to stop someone else from making an apk with the same package id that would install over yours and gain access to its data.

The thing Apple does, on the other hand, with trusting themselves more than the user, is disgusting. I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.


Give me, the owner of the computer, control over the keystore for the root certificates I trust, and code signing is great.

> I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.

As a libertarian I can see the argument for getting rid of presumptive copyright (and tanking the US economy), but the government preventing people from entering into contracts that you don't like? That's just hypocritical.


> but the government preventing people from entering into contracts that you don't like?

It's not that. Plain and simple: in an ideal world, more money shouldn't grant more power and immunity. Governments should disincentivize this growth into the sky by, for example, progressive taxation for companies. The world would be a better place if tech companies actually competed with each other by making better products, not trying their damnedest to lock everyone into their walled gardens to earn even more money they have no clue what to do with. Currently, when choosing something like a computer or a phone, you just pick one that sucks the least. There's no healthy competition.


That does not sound like a libertarian view at all.


Libertarian is not a well defined word. I have a friend who identifies as a Socialist and a Libertarian. He believes that true libertarianism (anarchy) would result in a collapse of capitalism since there would be no state to enforce private property rights.

So yeah, always gotta find out what a person means when they say "Libertarian"


You need to set up your own DNS caching resolver and start selectively filtering out Apple domains. Pi-hole does that wonderfully. Ask your Apple geniuses whether they would help you set it up to make your Macs work.


[flagged]


There's a non-zero chance that this bug has caused at least one death.


Scary, but most likely true.


Are you referring to Steve Bannon who said Dr. Fauci should be beheaded? Or something else?


Again, it turns out that Stallman[1] and others[2] were prescient.

[1] https://www.gnu.org/philosophy/can-you-trust.en.html

[2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html


Every year Stallman seems less crazy.


If you just read his writings on the importance of free software, he never was that "crazy" to begin with. He simply saw examples of companies locking down their hardware so that they could control it at the consumer's expense.

Exactly this is happening with Apple now. Although Apple computers were fairly hackable in the past, with users being able to install Linux or Windows, that is changing. Apple is changing the hardware _and_ software to make it more difficult to do things that Apple does not approve of.

Stallman was keenly aware of this type of behaviour, and he was also aware that companies that have the potential to use this behaviour to this advantage, will often do so.

Apple wants to be in a position where they sell computers as appliances, and Apple Silicon is their step towards doing so.

By the way, I'm typing this on a Macbook pro that is no longer supported by Apple, but running Linux. I am not sure this would be possible in the world of Apple Silicon.


I don't think Stallman's crazy, he's just passionate about his beliefs, and people whose careers depend on not acknowledging the truth in what he has to say like to dismiss him.


He was short sighted in many parts. Eg: the definition of free software as something that can be freely redistributed.

For infrastructure parts, it makes sense to be even permissive open source. For something in applications level, it would be nice to make money from it by charging corporations using it, while still being freely available for students and hobbyists. This could have combined best of open source and commercial software.

Stallman's belief is that everything is either good or bad, and there is nothing in between. He is right about consumerization of computing devices though.


Only in relation to the wider world which is getting progressively more crazy.


I think the intent of the statement was more:

> Every year Stallman seems more correct.

In the sense that the exact risks he was trying to mitigate are in fact materializing in mainstream computing platforms.


Yes, but framing it like that that won't rise to the top and get people to pay attention to all the other important things he has to say.


Don't forget the World Economic Forum, but they're happy about all this:

https://www.weforum.org/agenda/2016/11/shopping-i-can-t-real...


Hardly "happy about all this". From the end of the linked article:

Author's note: Some people have read this blog as my utopia or dream of the future. It is not. It is a scenario showing where we could be heading - for better and for worse. I wrote this piece to start a discussion about some of the pros and cons of the current technological development. When we are dealing with the future, it is not enough to work with reports. We should start discussions in many new ways. This is the intention with this piece.


The author, Ida Auken, is without a doubt one of Denmark's most respectable and intelligent politicians.

The article should not be read as an endorsement of that future. It's her prediction of what the world is going to look like, for better or for worse.


So many comments in here, but I haven't seen a single one mentioning a simple solution: Vote with your feet.

For years now, I've seen a large portion of the HN crowd praising Apple for its (alleged) respect of privacy and cursing at Microsoft for Windows "calling home" all the time. Now that this has happened, the only comments I see are "heads should roll", and "we must complain and be heard by high-level execs", but never "let's move away". This just reinforces my impression of the Apple ecosystem as something akin to a cult: Once you get in, you never get out again.

There are good alternatives - many people, including software engineers, use non-apple solutions on a daily basis and they are still productive. Why not give Linux a shot, or gasp even Windows? The age-old argument of "MS is evil, Apple good" is moot. Companies are generally not good or evil, they are profit-oriented. If the market demands privacy, they care about it, otherwise probably not so much.


It isn't so easy. There is often a large cost of moving. Eg - I use `sketch` for designing. I can move to Figma, but it'll be a learning curve and the performance just isn't the same.

Additionally, in order to move to Linux I need to find a good alternative to many other software that I'm using. Most commercial software only target Windows or OSX.

For the record, I've written large parts of KDE, so I'm acutely familiar with running Linux as a Desktop Environment.


> This just reinforces my impression of the Apple ecosystem as something akin to a cult

That's very uncharitable. Suggesting Windows as a potential alternative also sounds slightly comical given their history with Windows 10 and many people's required workflows, required because of work or other outside influence, make Linux less tenable.

A lot of people seem to suggest that if you have something to complain about then you should be moving on to something else, a vibe of 'appeal to perfection'. I think this is the same mentality that drives the distro hopping phenomenon. I'm not brainwashed because I live with the flaws of my OS choice and complain when things are changed that I don't like.


I'm not sure which comments you are reading: one of the top threads that almost fills the whole first page is a long discussion about alternatives to macbooks...


I can't vote with my feet (nor do I really want to), because there's no alternative I enjoy using as a desktop OS.

Windows is no better for telemetry, and the user experience doesn't at all fit well with how I work.

Linux I prefer to Windows but generally find the desktop experience lacking.


I've been using Windows 10 with WSL2 and found it a surprisingly effective development environment with all of the Linux goodies accessible. And games are available without a reboot or VM!


Many complain, few will act. Virtue signalling about Windows is zero cost, unless one is a Windows user. Most people just don't care about privacy enough to do anything (ANY thing) inconvenient.


No there are not good alternatives.

Linux only makes sense as a desktop operating system if your top priority is telling people online that you use Linux as your desktop operating system.


I mean, it's easier to do most kinds of programming on linux than windows. Stuff works more "out-of-the-box" than on windows.

For other things? Maybe. Some nice GUI applications, while in theory they can be run on Windows through Cygwin, work well on Linux as well.

And some people just like performance / look-and-feel. Windows is often sluggish, while most Non-GNOME IDEs are pretty fast on usual hardware.

Then there is the updates problem. I have had Windows downloading updates even if the network was marked as metered in the past. Some LTS distro is often better. Unless you use Fedora or Arch, updates should be minimal.

I don't want to imply Linux desktop is mature enough for all people. Just reminded there are valid reasons tech savvy people prefer it.

As they say, nothing is black and white.


This isn't true. I know this because I've been using Linux as my desktop operating system for years.


I’m assuming your intent was to prove my point.


Don't you love it that the ability to compile and run software on your hardware is controlled by a third party over the internet?

I sure love the SaaS future we are heading towards.


I will be a full on linux junkie when that happens.


It IS, though. SmartScreen on Windows doesn't check binaries created on the same machine, but you'll get flagged if you move the untrusted binary to another machine you own.


Note that SmartScreen has a UI that lets you bypass it without having to disable it system wide, and has a sane timeout (I believe 30 seconds) after which it just pops up a dialogue box telling you that it can't check the binary, allowing you to continue.


>has a sane timeout (I believe 30 seconds)

What the hell? You have to wait 30 seconds before you can run unsigned code on Windows without calling home to Microsoft about it? How is that considered sane? (I mean, forking on windows is slow but it's not that slow.)

How do people (and corporations! Especially ones sensitive to sharing IP!) put up with this stuff?!


Smart screen and other measures on windows are so useless that they just encourage consumers to engage in bad security practices.

I downloaded steam from the steam page, windows blocked it. I downloaded Chrome, windows blocked it. What's even the fucking point?


> What's even the fucking point?

To make you use Microsoft Store.


Only if the server doesn't respond in time, that is - if you'd wanna prevent it from happening, you could just turn it off in the first place via GPO: https://docs.microsoft.com/en-us/windows/security/threat-pro...

I'd assume that's what most corporations do, since that's what it's there for.

I wouldn't 100% forsake the benefits of this stuff, since it does protect normal users - defender on modern Windows installs is good software and really does its job well, while staying out of your way most of the time. I'd leave it on for my parents.


iirc no, there is a "More Info" button in the smart screen pop up that you can click instantly, and from there a button to run the app is available instantly.


Well, it is more insane because if you have an elevated exe that can spawn other exes which would trigger SmartScreen, the elevated exe can actually put a SmartScreen filter in it. I mean what is the point in SmartScreening an exe that gets spawned from an elevated exe?!


To prevent virus spread by confused deputies: even if you somehow get CreateProcess permission by, ex, getting a service registered, the actual malicious executable will still be blocked.


Well, as said, it's an elevated process that can completely disable SmartScreen, so an attacker would only need to run an exe that downloads another malicious exe after it disabled SmartScreen, and that would not be blocked.


Imagine a program, WinSudo.exe. This program runs elevated, by magic. It passes its arguments to CreateProcess(). You call WinSudo.exe Virus.exe. Virus.exe execution is blocked by SmartScreen.

(This scenario is itself a security flaw that existed for some combinations of Windows system utilities, so this is a real concern.)

Now, you could change WinSudo.exe to disable SmartScreen, sure -- but this requires you to be able to modify WinSudo.exe (which should require Administrator), and the mismatched binary would ALSO flag SmartScreen.


Well, WinSudo.exe DisableSmartScreenAndCallVirus.exe Virus.exe might work if the first two are not SmartScreen detected yet. A simple program might not be detected by SmartScreen yet.


Which is why the default action for unknown programs is to prompt.


Unless this is a 2004 feature, it does block binaries compiled on the same machine. Not very fun if you are compiling stuff repeatedly with a couple of second wait-times when running the binary.


I'm not sure what they call it, but Windows does get in the way for things you compile on your own machine. I compiled the JuicyPotato exploit and tried to copy it to another local folder and got error 0x800700E1 and the EXE went missing.


That's Defender behavior -- you'll want to disable antivirus before building viruses :)

Defender is a traditional heuristic-based AV with on-disk and live load scanning and an offline database. SmartScreen is a reputation-based (certs + "how many people ran this") checker, and is much more visible. Win10 runs both.


Ah right, that makes sense. Yes I did disable it before moving it to Kali :)


Unsure if this is new, but as recently as September 2020, Windows definitely SmartScreen'ed an executable created on the same machine.


This is a big conceit everyone holds - that Linux will be an acceptable substitute for MacOS. To be perfectly honest, if Apple shut down their Macbook factories and got out of the computer game entirely, and everyone flocked to Linux, it would be several painful years before Linux would be as usable as MacOS is today.

This is why I try out Linux every few years, and file lots of bug reports when I run into issues (mostly in applications - the core Linux kernel is solid). I've even contributed code to Linux apps that I don't intend to use right now.


I guess this is where the disagreements about usability on Linux come from. I've been using Linux based OSes since I was a child and IME when you run into brokenness it's almost always the user space (often something flashy from gnome or kde or occasionally freedesktop.org.)

Most things are more than doable on Linux but often you're choosing between stuff that works and stuff that looks pretty.


By then it will be too late


I highly doubt corporate interests could eliminate linux. It just will be very difficult to use though no doubt.


I've gotten quite good at recognizing crosswalks, fire hydrants, chimneys and the like. Though I refuse to identify that one mailbox as a "parking meter" even if it means another trial to prove my humanity. Users of the platform get treated as spammers already.


I really don't understand your analogy whatsoever.


It's a reference to Google's recaptcha, which in my experience always asks you to try to identify features in tiny blurry low-resolution photos (and I always wonder how users with poor vision can deal with it). And it's not unusual for it to be wrong and insist that a street decoration is a bicycle, or something like that, and not let you proceed unless you agree with its misidentification.


Oh I intentionally select the wrong things on that mixed with the right things. Just to screw with google for trying to automate some BS by making us do it.


You don't like that?! I love teaching self-driving cars how to drive!


Doing charity work for corporations capped as low as trillions of dollars in your not-free time.


I don't doubt it. At least on non-server machines. They might not even do it intentionally. When every new machine manufactured in the last 20 years has some kind of secure boot system that prevents "unauthorised" operating systems from being installed, what then? Are you just going to keep your laptop from 20 years ago?


Can you elaborate?


I’m slowly transitioning as competently as I can.


Mentally I'm there. But in terms of convenience I'm not. Thankfully my entire workflow has been done with OSS compatible with linux in mind so switching over is little more than an inconvenience for me. It all started because I couldn't use specific software in my workflow with linux...even if I paid for it. So then I started looking for good OSS alternatives and now I've basically become OS agnostic.


Are you sure? It's happening piece by piece so that its preferable for most people to bear one more bad thing than bear the cost of switching.


I will begin programming in C when the day comes to my switch as well.


Sincerely and without any intention to troll or be sarcastic: I'm puzzled that people are willing to buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.

Even beyond unintentional glitches at Apple, just imagine what this could mean when traffic to this infra is disrupted intentionally (e.g. to any "unfavorable" country). That sounds like a really serious cyber attack vector to me. Equally dangerous if infra inside the USA gets compromised, if that is going to make Apple computers effectively inoperable. Not sure how Apple will shield itself from legal liability in such an event, if things are intentionally designed this way. I seriously doubt that a cleverly crafted TOS/EULA will do it, for the damage might easily go way beyond to just users in this case.

Again, maybe (and in fact: hopefully) I'm just getting this all wrong. If not, I might know a country or two where this could even warrant a full ban on the sale of Apple computers, if there is no local/national instance of this (apparently crucial) infrastructure operating in that country itself, merely on the argument of national security (and in this case a very valid one, for a change).

All in all, this appears to be a design fuck-up of monumental proportions. One that might very well deserve to have serious legal ramifications for Apple.


> I'm puzzled that people are willing buy a computer/OS where (apparently) software can/will fail to launch if some central company server goes down. Maybe I'm just getting this wrong, because I can honestly not quite wrap my head around this. This is such a big no-go, from a systems design point of view.

The answer is pretty simple: these problems are extremely rare, they don't last very long, and they tend to have fairly simple workarounds. You seem to have a principle that any non-zero chance of being affected by a problem of a certain type is a complete deal-breaker, but most people when buying a computer probably just subconsciously estimate the likelihood and impact of this type (and all other types) of problems and weigh that against other unrelated factors like price.


It's even simpler than people not caring, people don't know.


Furthermore, if you’re one of the few who do know and it bothers you, you can turn it off.


Furthermore, if you're one of the majority who don't know, you cannot turn it off when it affects you.


But that’s beside the point. If you don’t know, you won’t avoid Apple products because of it.


Exactly. Today was the first day when I knew this was possible. If I had been buying a computer a month ago, this would not have been a factor in my calculations whatsoever, because I didn't know it was even a possibility to consider.

A month from now? Different story.


FYI, both Windows and Chrome (to an extent) can do this too. Windows will phone home to smartscreen scan downloaded executables, and Chrome checks every download against virustotal (owned by Google since 2013) for viruses to warn that software is malicious, and I've been burned by this a few times when a download wouldn't complete for multiple minutes due to this scan.


You can still run the same program checked by Windows, though, by opting in to use the program. And you can definitely still run other programs, as the check only occurs on installation, and not every time you run it afterwards.


And they don't know because of the hidden source of the binaries their overpriced hardware is running. So users can't inspect the source and look for hidden "gems" like this one, let alone fix those intentional bugs themselves - not just due to not having the source, but the hardware refusing to boot anything not signed by the blessed key of Apple.


Are Macbooks really overpriced? A Microsoft Surface or a Razer laptop cost roughly the same price.


Razer laptops come with the latest and greatest in terms of GPUs/CPUs, plus they usually feature things like high-refresh displays, full RGB keyboards etc. They're still overpriced, mind you - since you can find comparable laptops for literally half the price - but at least they have the powerful hardware in them to somewhat justify their steep pricing. Similarly to Apple though, their price tags are heavily inflated by the Razer branding.

Can't comment on the Surface, never looked into them much.


"I'll do YOU one better." /Drax

I know, and I _want_ this. In general, it effectively eliminates the possibility that I'm going to install malware.


As an Apple user of 10 years: I had no idea macos phones home like this.


That's one potential issue, if you have privacy concerns. But the real problem here is that there's a blatant bug in the phone-home code that causes apps to crash if Apple's servers have a problem.


No, I don’t think you should just dismiss the privacy issue. It seems every time I launch an app, MacOS tells Apple. That’s also a REAL problem — and I guess I won’t be buying a Mac again unless the feature can be turned off.


Not every time, just the first time an untrusted app wants to run. And there is no information in it but a hash.


Not in this case. This particular thread is about any app that was not an Apple app having problems launching, regardless of how many times they have been launched before. It has revealed that actually every opening of any application phones home.


Apple has the db of apps matching the hash.

What you said is like saying nothing except a social security number is used to identify you, as if that wasn't linked to the rest of the info about you.


I’m not dismissing it, just pointing out that it’s completely ancillary to a bug that causes programs to crash.


I like this piece as a summary of the situation:

https://sneak.berlin/20201112/your-computer-isnt-yours/


“Bug” is an unverified assumption. For all we know this could be a designed outcome.


Then it's a bug in the design.


I would accept "flaw", "incorrect choice", or "mistake". But if they considered it, and chose this path, knowing full well this would happen, that's not a bug.


Simply doing "if server does not respond, don't check anything" would be a bigger flaw in the design, because that would mean you could just modify the hosts file to point to localhost or something and the security check would be worked around.


But Macs already work fine with no internet connection, and apparently modifying the hosts file does resolve this problem.


Doesn't this bigger design flaw you describe apparently exist? I (and many others) did exactly that to get our machines responsive again, ocsp.apple.com 127.0.0.1 in the hosts file.

I don't understand what you mean.


This is how you could make Photoshop free back in the day. Add their stuff to /etc/hosts and voila


Modern Adobe cracks are not that different in nature.


It's a certificate check.

I knew and didn't care. If you care, you're going to be real upset when you look at your other alternatives.

That said, I don't think many people here actually care. I firmly believe that most of the people on this site just like to shit on Apple, because they prefer that to trusting their privacy to an advertising company.


I agree with your point about it being a principle, although I would add that the decision to build a product in this manner is also a principle.

Furthermore, I would sort of disagree with the answer to why people would buy this. In terms of "most people buying a computer", the overwhelming majority of Apple customers are likely ignorant to this issue, and will continue to be.


> rare, very long, simple

in this context those are simply weasel words in my opinion


It's true that I don't have data on how often this type of problem happens, how long they last, and what the workarounds are, but I'm using those words not to be intentionally vague, but to reflect my own impression from my own experience, and I strongly suspect my impression matches most people's.


It's like saying car crashes are rare, insured against, and you personally never experienced one.

This does not mean car crashes can be ignored, or cannot happen to be dangerous.

There is a balance between the possible damage because of not checking signatures remotely, and the possible damage from not being able to run a program when the remote checking service is unavailable. But there is no situation where the average damage is exactly zero :-/


What? In your analogy, the parent commenter would be saying "I'm puzzled that people are willing to buy and operate an automobile given that they can be involved in dangerous accidents."

And in this analogy, I'm not saying "we should ignore car crashes." I'm saying "the reason people still buy and operate automobiles despite the possibility of accidents is pretty simple."


Your metaphor suffers an imbalance in spectrum. We are hardly talking about life and death here. You clearly can’t make the same comparison to car crashes. People’s motivations will certainly not be the same in these two cases.


The problem is that this is not an issue that should be viewed only in the current context. Just because things are rare now and don't last very long doesn't mean that they will continue to be that way, or that it will work at all in the future if Apple decides that only EOL OSs could be using this system at some future point where it's mostly changed.

Not caring about this now is like not caring about government or corporate privacy invasions because "I have nothing to hide". It completely ignores all the variables that have to align to make this benign, which happen to align at this point but are in no way assured for the future.


He's not commenting how the problem should be viewed. He's communicating how he thinks most people view it. IOW, you're arguing what should be while he was talking about what is.


> Just because things are rare now and don't last very long doesn't mean that they will continue to be that way, or that it will work at all in the future if Apple decides that only EOL OSs could be using this system at some future point where it's mostly changed.

Okay, sure, you could attempt to estimate future damage from what appears to be a simple (albeit bad) bug in MacOS. Maybe it means all Macs will completely stop working in 2 years. But again, I think consumers will subconsciously estimate the likelihood of this to be extremely low.

> Not caring about this now is like not caring about government or corporate privacy invasions because "I have nothing to hide".

What? I thought we were talking about the immediate user-visible bug here, where some third-party apps could not be opened on some Macs for some period of time today. Sure, there are separate potential privacy concerns any time an OS phones home for any reason. But the problem here is just a blatant bug that manifests when the OS phones home and the servers are having problems. Macs continue to work fine when they're not connected to the internet, so it's pretty clear this is just a bug that's not actually related to the privacy concerns with phoning home.


> What? I thought we were talking about the immediate user-visible bug here, where some third-party apps could not be opened on some Macs for some period of time today.

>>>>> these problems are extremely rare, they don't last very long, and they tend to have fairly simple workarounds.

This is about Apple controlling what software you can run on your computer, for all third parties, and in a way that if the system/service is malfunctioning or shut down there's a chance it blocks all non Apple software.

You can either choose to accept that Apple is a good steward of this because they haven't screwed up too much yet, and that you're okay with it because you have no or little need for third party software it might affect (or are willing to deal with it), or you can view this as an erosion of your rights to control the hardware you bought, which while only slightly inconveniencing now are still fundamentally the same as what could be used egregiously in the future.

You either vigorously defend the rights (or what you want to be a right) now, or you watch them erode slowly. That's how the system works. You want privacy or believe it's important? Protect it now, even if you don't have anything to hide. You want the ability to control your own computer and run your own software, and not be beholden to some company's deprecation schedule affecting things they didn't write, or at least believe it's important for a possible future? Then defend it now.

Given how iOS functions, and how Apple is moving to their own silicon for their other products, do people seriously doubt that a future where you actually can't run anything on MacOS except what you get through their store isn't at least a possible future? If that's something we care about, it's something we should be vocal about now.


The bug has now illustrated a huge privacy issue for people in macOS, that was not obvious before. So we are now talking about THAT too.


If you use your laptop as mostly a youtube machine or a social media station then yes, the described problems are not a big deal, in fact they are probably beneficial to your well-being. But if you use your laptop to earn a living, that can be a major problem, day traders for a top of the head example. This also sounds like a nightmare for the corporate world. I suspect that these custom silicon iOS devices will be fully cemented as 'Fisher Price' computers.


> If you use your laptop as mostly a youtube machine or a social media station then yes, the described problems are not a big deal, in fact they are probably beneficial to your well-being

I've set up a few Linux installations for people who only use their computers as Facebook and YouTube machines, and I haven't had a complaint. They also wouldn't be able to break their systems if they tried.

I'm of the opinion that if ChromeOS would fit a user's use case, then so would Ubuntu with Firefox or Chrome, most of the time.

Those same Linux systems would fit my needs as a developer with only a few small changes.

Security, simplicity, power and ownership don't have to be mutually exclusive. You can have a simple and secure computer, and also have power over your system and own your hardware.


Yeah, a modern Linux distro can satisfy the needs of a "regular" user just fine - an up to date web browser and maybe an email client and all is fine.

Yet at the same time it makes it possible for the user to "grow" and make use of more advanced features of the system for creative endeavors.

On the other hand on a locked down mobile device or chromebook, there is not really any room to grow and be creative, it's only good for consuming content.


Even a youtube machine can become a big deal if the walled garden prevents you from installing an ad blocker or third party client & forces you to watch mandatory ads to see any videos - that might very well happen (and does happen) in walled gardens.


There's no question that software bugs are bad. But that doesn't mean we should expect consumers to ditch an entire manufacturer forever because it's physically possible for that manufacturer to have a software bug. Obviously, bugs are inevitable. I'm not making excuses. I'm just explaining why people wouldn't instantly abandon a manufacturer after experiencing a single serious software bug.


Without principles, your freedom will be (is being!) slowly chiseled away, pragmatically accepting each small step. By the time even pragmatism tells you to refuse, it'll be too late.

That's exactly what happened in Hong Kong: https://www.nytimes.com/2019/10/09/technology/apple-hong-kon...

But it could never happe