macOS unable to open any non-Apple application (twitter.com/lapcatsoftware)
2603 points by mattsolle on Nov 12, 2020 | 1278 comments


Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:


> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.


As others pointed out, I put this in my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add ` ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
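
A hosts-file override like the one in the comment above stays in effect until someone removes it, so it helps to be able to find it again. The following shell functions are an added example, not part of the original comment: they list and strip active entries for one hostname from a hosts-format file. The `0.0.0.0` address and the sample file contents are constructed assumptions (the comment does not show the address), and `hosts_overrides`, `hosts_strip` and `make_sample_hosts` are names chosen for illustration.

```shell
#!/bin/sh
# Added example: audit and undo a hosts-file override for a single hostname.
# All file contents below are constructed; nothing touches the real /etc/hosts.

# hosts_overrides FILE HOST
# Print "LINE ADDRESS" for each active (uncommented) entry that names HOST.
hosts_overrides() {
    awk -v host="$2" '
        BEGIN { host = tolower(host) }
        {
            sub(/#.*/, "")                 # ignore comments; fields are re-split
            if (NF < 2) next               # need an address and at least one name
            for (i = 2; i <= NF; i++)
                if (tolower($i) == host) { print NR, $1; break }
        }
    ' "$1"
}

# hosts_strip FILE HOST
# Print FILE with HOST removed from every active entry. Lines that mapped only
# HOST are dropped; other names on the same line, and all other lines, are kept.
hosts_strip() {
    awk -v host="$2" '
        BEGIN { host = tolower(host) }
        {
            orig = $0; comment = ""
            p = index($0, "#")
            if (p > 0) { comment = substr($0, p); $0 = substr($0, 1, p - 1) }
            hit = 0; kept = 0; out = $1
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == host) hit = 1
                else { out = out " " $i; kept++ }
            }
            if (!hit) { print orig; next }   # untouched lines pass through as-is
            if (kept > 0) print out (comment != "" ? " " comment : "")
        }
    ' "$1"
}

# make_sample_hosts FILE
# Write a constructed hosts file: one commented-out entry, two active
# overrides (one in mixed case, one sharing a line) and one look-alike name.
make_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# 0.0.0.0 ocsp.apple.com
0.0.0.0 OCSP.apple.com  # workaround added 2020-11-12
0.0.0.0 tracker.example.test ocsp.apple.com
0.0.0.0 ocsp.apple.com.example.test
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample_hosts "$sample"
echo "active overrides for ocsp.apple.com:"
hosts_overrides "$sample" ocsp.apple.com
echo "file with the override removed:"
hosts_strip "$sample" ocsp.apple.com
rm -f "$sample"
```

After editing the real `/etc/hosts` on macOS, the cache flush shown in the comment above applies again.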

So yesterday I wrote about the blurring lines of ownership, and people came back with some fairly disparate responses. It's fair to say that I was mostly dismissed. https://news.ycombinator.com/item?id=25058952

And this is why I won't be moving to Apple silicon. Apple already has the ability to restrict what apps I can run (they can simply toggle a switch for all users to "no unsigned binaries"), and congrats! Apple is the sole decider of what we get to use on our computers.

Of course Apple's Craig Federighi assures us that the people making such assertions are "tools" (https://youtu.be/Hg9F1Qjv3iU?t=3177 , timestamp 53:33) and they have no intention whatsoever of taking away our ability to do general compute on the machines we buy and own.


Apple can already decide what binaries you can execute. Should they choose to.

Apple is now restricting what other OSes you can boot into. As they've chosen to.

Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.

It's clear where they're going. And I'm jumping ship. It's painful to do so, given how invested I am in the ecosystem, but we're already beyond the threshold that many of us would have left earlier in the decade.


edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer. Most non-Apple laptops don't have very good color accuracy. They also don't have good trackpads, and their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad so that I don't have to carry around a mouse, good speakers would be a plus, and light enough that I don't feel like I'm lifting weights while working on my laptop. And this package should ideally come with 512GB of SSD storage and, at least, 16GB to 32GB of RAM.

Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

Any suggestions?

Yeah so basically in the windows world, a lot of the good laptops are under the "business class" of the various manufacturers:

Dell Precision, HP Elite Book, MSI Prestige

In the consumer world the Dell XPS, Asus Zenbook, Asus Pro Art are the way to go for a designer.

Dell Precision is probably the overall best laptop. MSI Prestige is targeted right at you though, with color accuracy and a good display. The only brand I can personally vouch for is Dell. I and my partner use XPS's, and a good friend of mine has a super nice Precision that I am jealous of (specifically the ports! I'm so over USB-C)

Lenovo Thinkpad is another popular line, seems conspicuously absent from your list. They're known to have good resale value, and to work well with Linux. If you're getting up to the Precision line, the Lenovo P series workstations are also worth considering, though given they're actually professional-grade machines with Xeon and Quadro parts they'll be more expensive than a Macbook Pro.

There are also boutiques like System76, that white label, upgrade, and manage driver compatibility for Clevo laptops which may be worth considering, they just came out with a new Lemur Pro like yesterday.

Check Thinkpad screens carefully as a lot of the new AMD ones come with terrible 'business class' screens that I don't want to use as a developer, let alone as a designer .. and a repairman told me they are glued on these days so you can no longer swap them as you used to be able to.

Can confirm. I made the mistake of buying a T14s with a Ryzen 4000 CPU in it

The screen was something like 30% color accurate

Using something like F.Lux or Redshift to shift the color space at night resulted in...this

Linux: https://www.youtube.com/watch?v=UhLBx4mmPrM

Windows: https://www.youtube.com/watch?v=QgjqeDF9c50

Lenovo refused to replace the panel with a less atrocious SKU, claiming I could instead purchase it for a "mere" $600 USD(!)

Thankfully Australia has strong consumer protection laws and I was able to get the unit returned and refunded

> Lenovo P series workstations are also worth considering

I have a P72 and it is garbage. Plugged into a docking station it works OK as a really expensive mid-range workstation. Trying to use it as a laptop causes the fans to spin like crazy, performance throttled to shit and battery life of maybe 90 minutes for even fairly modest workloads. The similarly specced Dell Precision I had before was much better in every way and was actually usable as a laptop.

The P5X series that many of my colleagues have seem much better.

>Trying to use it as a laptop causes the fans to spin like crazy, performance throttled to shit

So, just like macbook?

I was going to say - that does sound very much like my MacBook Pro.

The P4X series is also working quite well - I went with that for the smaller footprint. Since I mostly dock it, the smaller screen is acceptable for the limited amount of time I use it undocked.

Lenovo might be known that way, but they are exceptionally bad at supporting Linux. https://www.notebookcheck.net/Lenovo-admits-ThinkPad-CPU-thr...

As far as I know this issue is still not fixed so I have to use this hack: https://github.com/erpalma/throttled

I’ve also had tremendous Thunderbolt-related firmware issues that could only be fixed in Windows. If you use Linux, there are much better options than Lenovo. I still use my T480 daily but I miss my old XPS 13, which gave me no issues ever.

Exceptionally bad is a bit harsh. Windows is first tier support with Linux coming in as a second. In my experience they are pretty good about fixing remaining issues in firmware updates, which can be installed using fwupd (I don't have a Windows partition at all). I believe there's even a GNOME Software front-end if you prefer things being very easy.

I don't need to use throttled on my X1 Carbon 7th and they recently added mainline support for the fingerprint reader. All I had to do was enable it in GNOME Settings.

I have X1 Carbon 7th and need to use throttled to get full power.

Try to run a performance test with s-tui to see if there is a difference.

On Arch the command to enable the fix is:

    sudo systemctl enable --now lenovo_fix.service

I love my X1 (also 7th). This is the laptop which made me retire my actual desktop. Bought a docking station and a MOTU 8A for sound connectivity, and have no need for a classical desktop since.

I am not into gaming or graphics though. Still, with my (unusual) usage pattern I get almost 10 hours battery life time on the road, and all the CPU power I need locally. For heavy stuff, I compile remotely anyway.

I can't stand the (lack) of brightness on my X1 7th gen. Is that not a problem for you?

I can't for the life of me get it to be bright enough to use in a lit room. A bit of hyperbole here, but I basically have to hide in a closet and stuff a towel under the door to see the fucking screen. I love the keyboard, but I basically won't use the thing now because it's such a drag to use.

I am blind (no joke), I couldn't care less about brightness :-) Well, actually, no, I execute a script after boot which basically does:

    for backlight in leds/tpacpi::kbd_backlight backlight/intel_backlight; do dir="/sys/class/${backlight}"; if [ -d "${dir}" ]; then echo 0 > "${dir}/brightness"; fi; done

I had similar thoughts after purchasing my X13 AMD, not sure if you're experiencing the same thing I did. I was extremely disappointed with stock brightness when I first turned it on.

Turned out windows power saving and battery settings actually capped my brightness. So my user-controlled "100%" (via keyboard) actually becomes more like 60%, depending on the power profile.

As soon as I got a new m2 ssd, I shelved Windows and installed Fedora WS, which has no such issue. That is, if I say I want 100%, it obeys.

You can quickly test with either a live USB, or tweaking your power profiles.

I don't think I've ever even set my 7th gen X1C to full brightness, it's perfectly usable. Is this a problem you tend to have with screens?

This is the only screen I've ever had to fight with to get something bright enough, and I'm nearing 40 so I've been through a metric buttload of computers and screens. It is hands down the worst screen I've ever had (and I still have a couple ~ 2006 20" acer lcds pressed into service in various comms closets and shop space in my house). The brightness on these is appalling and it doesn't help that Mint insists on resetting the brightness to 60% on every boot so I feel like I'm trying to walk through a house of horrors with only a single birthday candle for light.

Edit: the joke is that the house of horrors is my code

Thinkpad was one of the first laptop series which supported Linux explicitly.

Their competitor was Compaq NX series (HP EliteBook of today). Dell was late to the party and closed the gap by actively developing software for Linux (DKMS, Privacy Drivers, etc.).

I don't think you can conflate classic Thinkpad and current "Thinkpad".

Are they doing anything to prevent Linux from running well on them? As far as I can tell, since all big three (XPS, EliteBook and Thinkpad) are considered enterprise devices and their BIOS, IO tables and hardware layouts are crafted with Linux compatibility in mind.

They're explicitly sold with FreeDOS option to imply that you can directly install Linux on them.

Even my run-of-the-mill desktop shows more soft-errors about IO layout and memory mapped devices on board.

Why not?

Lenovo's ThinkPad line is still quite differentiated from their other offerings. What are your objections to it?

When IBM didn't like the panels they could source for Thinkpads, they started a new company called International Display Technology to manufacture panels they did like. Thinkpads used to be special.

While it's entirely possible there's a connection between decisions like that and IBM's PC division being unprofitable enough they sold it to Lenovo, it might be reasonable to hope that Lenovo would make the effort to offer competitive panels when it's obviously possible for their competitors to source them.

>Lenovo might be known that way, but they are exceptionally bad at supporting Linux.

Absolutely no trouble on x395. It's been running Linux (Arch) for a year, and it is my main system.

Piling on to say I cut my teeth on Linux installing Breezy Badger on a Thinkpad T20. Since then I’ve never struggled with a Debian based OS on Thinkpads.

I run Linux (Debian) on my Lenovo X1 Carbon and it works perfectly.

Linux works perfectly on mine as well, but I use Fedora.

The trackpad is bearable, and I have a 3rd generation so my 1080p screen isn't IPS, but it works well enough for $200.

Not sure about Carbons, but for T-series there are aftermarket IPS displays that you could swap for the original TN ones. Could be done in 30 min, with no previous experience, just with the service manuals from Lenovo and enough dexterity to handle a screwdriver.

The firmware issues are fixed just fine with fwupdmgr. It also integrates nicely with Gnome.

You can even buy thinkpads with ubuntu out of the box now, so hard disagree.

I don't know about Ubuntu, but Lenovo offers machines with Fedora already installed.

> Lenovo has now admitted to the problem – and announced that it will be fixed.

How is that exceptionally bad support? I'd say that's the opposite.

I get firmware updates on my X1C because Lenovo decides to work with fwupd and the open source community, something most manufacturers refuse to do.

I sent my Lenovo in for warranty service for a faulty SSD ribbon cable and... they lost it. And they haven't replaced it. They've told me four times over the course of the last five months that I'll get a call in 3-5 business days. It has never come of course.

I know I'm not alone; even just in my circle there are two other stories of horrible mishaps with this company.

Lenovo makes some decent machines, sometimes, but their warranty service is not to be trusted.

I have always used their on-site service. Tech always comes out the next day and fixes the issue.

Lenovo took around 100 days, within warranty period, to replace my motherboard of my Ideapad Y500 because the parts were not available. I am never buying any Lenovo product ever again.

I've got a P51. It's essentially always on fire and the fans are really loud.

Not sure I'd recommend it. Build quality is very good however.

P51S might have been a better choice then.

The P51S is "slim" and has poorer thermals than the P51. Why would it be a better choice?

It uses low-power components (U rather than H CPUs for example) and isn't capable of generating nearly as much heat, regardless of what you're asking it to do.

Switching from a core H to core U will cut your perf in half. I like my xps 13 but in all fairness it struggles to run Firefox with youtube+gmail+slack and Office open all at the same time. As someone who primarily uses beefy desktops, it feels about as snappy as a Core 2 Duo machines with DDR-400.

Having used everything from xps to surface book 2, no laptop comes close to a ThinkPad. I am pretty much a fanboy of ThinkPad keyboards

I used to be too, until they changed them

Big bonus of the proper "business" laptops also is support. Wouldn't want a work machine I rely on without on-site support anymore (of course ideally you want a machine that never needs support, but since you can't rely on that from anybody...)

Indeed. Worth looking at the Thinkpads with this as well. A lot of the 3 year old discarded corporate units still have a couple of years of warranty left on them and Lenovo actually honour it!

Lenovo has got to be amongst the top, imho.

Interestingly, Apple covers more than sRGB, their panels are now being set to the broader DCI-P3 gamut. Whereas these laptops (at least in 2019) were slightly less than the sRGB gamut on testing. Except for the surface book,


I got these results from, https://www.notebookcheck.net/MSI-Prestige-15-A10SC-Laptop-R...

I got a 2019 Dell Precision 5540 with an UHD OLED, 3.840 x 2.160 and have 100% DCI-P3. And I think many other OLED screens have it too.

When I configured the laptop I could choose from these options:

FHD IGZO4, 1.920 x 1.080, 100% sRGB

UHD IGZO4, 3.840 x 2.160, 100% AdobeRGB Touch

UHD OLED, 3.840 x 2.160, 100% DCI-P3

Almost no displays get 100% when tested for gamut coverage. I'm not really sure why, I think it's some testing artefact. At this point (around 99% sRGB) what you should be looking at is coverage in larger gamuts (here 84.8% AdobeRGB).

> In the consumer world the Dell XPS [...] are the way to go for a designer

I have to use a Dell XPS 9560 and had two issues with it, most people never realize:

1. The Intel Thermal management driver is buggy so the device shuts off on very high-load tasks. You have to find the old driver on the internet and install it, and prevent windows from reverting to a new driver.

2. Only after two years of hanging connections and dropped UDP-packets I ran a speedtest and realized that this is not my home-internet being weird, but a systemic problem of the Wifi-card, which others have reported on the internet as well. Switched cards - getting windows to recognize the new one was difficult - and now I have normal Wifi.

Both of these issues are terrible for customers, and I still wish I wouldn't have ignored/overlooked the Wifi-issue for so long, as it interrupted work for a very long time.

Dell XPS 9360, good keyboard and touchpad, but my two issues, Dell software for updating drivers is just buggy. In general Dell can't write good consumer software.

Second is the same as yours, the Killer Wi-Fi is subpar. Can't keep a steady connection. Can trigger bluescreens if resuming without power cable and running Firefox (I think). Have not changed my Wi-Fi card yet.

I seriously recommend the switch. I went for an Intel ax200, costs about 50$, and my download speed went up 8 fold.

I got an XPS 15 7590 in part because I read that the "Killer" Wifi problems of old were finally fixed. Well not for me, after waking the laptop I have to manually disconnect and reconnect Wifi for it to work. Have not had time to contact support about it yet, but I'm very disappointed that they've stayed with "Killer Wifi" after the long history of problems.

I looked up the MSI Prestige and apparently there exists a limited edition of it that's completely pink, I mean really, really pink: https://www.msi.com/Business-Productivity/Prestige-14-A11X-P.... Not a big fan of the color, but it sure is interesting to see. I now wonder if the color would be a good deterrent for thieves.

I use MSI laptops almost exclusively although they're definitely wiped and reinstalled to win10 ltsc or freebsd.

In as much as I love the Mac touchpad for kanji/hanzi input the 2015 pro will probably be my last.

Wow, the way Craig is laughing at the question and so dismissive of it is really insulting. Maybe it's the more casual nature of the interview/discussion, but this really is the crappy icing on the cake of Mac users' continuously-declining control over the machines they spend their hard-earned money on. "Where do you even begin to come up with that theory"?? I mean, maybe we're seeing the gradual hampering of control over our computer with every OS X release in the past 5-10 years?

Get a Thinkpad. I replaced a 2015 MacBook Pro with a Thinkpad P1 Gen2 and love it. The trackpad isn’t as nice. The keyboard is better. Running WSL2 you have a great Unixy development environment in Windows. Or just install Linux. As thin and light as a MacBook Pro. Much better thermals, though still not awesome. Other, somewhat larger Thinkpads have better thermals. You can upgrade your RAM, add 2 SSDs and other peripherals like a 4G card etc if you like. Thinkpads come with fantastic service. Next business day on-site repair including for accidental damage and they mean it. Looks: It’s the design Apple copied for their very first laptops and is IMO better looking. They got it right the first time and haven’t changed it materially. Built like a tank. Not quite a tough book but they will take some abuse.

Lenovo was caught 3 times installing spyware on their machines. I don’t know why people forgive that

Because any self-respecting developer will reformat and reinstall Windows or ideally Linux and problem solved, no spyware.

Not when they’re doing it at bios level, formatting is useless.

Yep, here's a nice summary of that situation that someone made on Reddit: https://www.reddit.com/r/SuggestALaptop/comments/3gxoh9/psa_...

That BIOS level requires the operating system to execute certain ACPI table as a Windows executable.

I have that exact laptop (work provided) and I’m not a fan. Trackpad is OK but not nearly as good as my Mac. 4K display sometimes looks amazing but the color accuracy is terrible and there’s a weird speckle texture that I assume comes from the touch overlay. I have a thunderbolt dock that supplies 85w of power but the machine refuses to charge from it and requires connecting the huge external power supply. But the worst part is I’ve gone through several incidents where some update occurred (never could narrow it down to one in particular) and I started getting multiple blue screens a day.

Edit: forgot one more annoyance. The laptop seems to frequently power off completely overnight even though it should just be sleeping/hibernating.

I am still surprised by the number of people that want trackpads

If Lenovo would come out with a laptop with no trackpad I would be the first to order it, I normally disable the trackpad completely.

Traditional mouse or even a trackball are far far better

> I am still surprised by the number of people that want trackpads

I occasionally have need to use a laptop in conditions where a mouse is inconvenient, so I prefer to have a trackpad, but I find that even the best trackpad is far inferior to a mouse. (Trackball, at least the kind that gets integrated into a laptop, isn't an improvement, IMO over a trackpad.)

On my Macs I have always used both mouse and trackpad. When I use a PC like the thinkpad I usually ignore the trackpad.

Never had a blue screen. Haven’t had the power off problem though there is a distinction between regular sleep and deep sleep. When coming out of deep sleep it boots up like normal and restores RAM from disk. Don’t have a touch screen but have the highest end, non-touch 4K screen Lenovo offered. They also offered a very good HD screen and a not so good 4K screen. Display is not as good as on a Mac but this is more a Windows problem than a hardware problem. If color calibration is an issue, you could have had them calibrate it for you for 25 bucks when you ordered it. I believe Lenovo support can send someone to calibrate later on too for a somewhat higher fee.

If I got a Thinkpad I'd switch to Linux. I absolutely can't stand the Windows UI.

Linux UI is far worse than Windows. It's not even close. I use Linux but definitely not for its UI.

Windows can out-of-the-box do HiDPI, multiple monitors, multiple desktops, trackpad gestures, hardware accelerated UI rendering, facial recognition logins, and more. It was designed as a desktop OS.

On Linux some things are getting better if you stick to the Wayland+GNOME stack, but it's still so bad I can't recommend it to people on technical grounds. Use it if you believe in free software, not because you think it's "better" (it's not).

I am seriously wondering why Linux UI development is lagging so much considering it’s at the forefront of many developments, and probably with the world's best devs using Linux. I can only come up with that its console centered approach doesn’t attract a lot of UX designers of caliber to take it to a new level.

Most of the money being thrown at Linux is to make it better on a server. The laptop/desktop market is dominated by Microsoft, with Apple a distant second.

My thinkpad works very well with linux, I recommend Zorin or Arch

Arch is only a recommendation for people with a fair bit of experience. I have some experience, and I still needed to check some webpages to find out what I was missing when I tried installing Arch as the official manual doesn't spell out every step that is needed.

For "easy" for people who don't have time or experience, I would instead recommend Pop!_OS https://pop.system76.com/ flash a liveusb stick and you can try it out on your hardware without needing to install it first.

I've been using Ubuntu for over a decade because my days of fiddling with my computer to get things to work are over. In general, Ubuntu just works without much configuration on the user's end.

I've noticed a trend where people who are new to Linux will jump on Arch because they believe it'll give them more power, or that they'll learn more by using it. Or people will install Kali because they think it is what hackers use, and completely miss the fact that Kali isn't meant to be installed at all.

It's all Linux under the hood, and you get the same amount of power no matter which distro you use. And when you use a distro with sane defaults like Ubuntu, you're able to dig into the internals whenever it suits you, and not because an update broke your computer.

The biggest problem with Linux is not enough people use it so you run into all kinds of edge cases with hardware and software. I just stick with Ubuntu because it's the most popular, so the most likely someone bumps their head on the problem before I do, and maybe I find their stack exchange question or bug report when I search.

I've been very happy with Ubuntu 20.04. Not without issues, but overall it's been quite stable and snappy (pun intended) and I prefer it to macos and windows.

Arch is neat, and their documentation and forums are amazingly great. However, I have zero desire to be my laptop's sysadmin. Pop! OS runs great on my Thinkpad.

If you have a simple setup and friendly hardware (e.g. all Intel), the sysadmin burden is super low.

In this regard, only NixOS compares. Even macOS is much much worse, as you need to go through upgrades. I have used the same Arch install for 8 years.

If the only concern is the install process, I would recommend Manjaro. It has its own installer, but you still get the powerful pacman package manager and the Arch repositories which are the most cutting-edge around.

I've had Manjaro bork itself a couple of times. I'd recommend against it.

How do you run photoshop?

Photoshop works pretty well in Wine, and Windows runs quickly using KVM.

Linux also has native support for hardware pass-through if your machine has an IOMMU, so you can give virtual machines direct access to graphics cards and get GPU acceleration in your VM, along with USB devices, etc. VirtIO is built into the kernel and can provide you with paravirtualized network and storage access, which can speed things up considerably.

People working in Linux will use GIMP, but you can also use Photoshop in a virtual machine, or possibly even natively using WINE. Here is a link for someone who did just that: https://www.archviet.com/how-to-run-photoshop-on-linux-with-...

Or Krita, some people have a strong preference for it.

> they can simply toggle a switch for all users to "no unsigned binaries"

That switch was toggled with Big Sur and Apple silicon: https://mjtsai.com/blog/2020/08/19/apple-silicon-macs-to-req...

While true, that doesn't mean that an Apple-controlled key decides which apps will run:

> There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker. This new behavior doesn’t change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Apple silicon Mac computers and enable the system to better detect code modifications.

(Source is the link you provided.)

NotebookCheck is a great website for laptop reviews. They even get into the nitty-gritty details of display calibration, input devices, power consumption, etc.

Here's a list of the laptops with the best displays: https://www.notebookcheck.net/The-Best-Notebooks-with-the-Be...

And here's a list of general multimedia laptops that would be roughly equivalent to a MacBook Pro: https://www.notebookcheck.net/Notebookcheck-s-Top-10-Multime...

I find that their reviews are amazing but their "top 10" lists are lacking. Their search: https://www.notebookcheck.net/Search.8222.0.html is marginally better, but in general, they're for researching specific models, not finding models, imo.

Edit to add: The other thing is that for their percentage laptop score, you should generally subtract 80 and multiply by 10. I've never seen them review a laptop below 60% or above 92%.

My partner bought a razer 13 inch to replace a MacBook Air. It wasn’t cheap, the build quality is excellent and it handles everything (she’s in an orchestra and records her parts on it, does graphic design and sometimes plays fortnite.). The screen is quite nice and the build quality is better than my system 76 (onyx pro) which I really like too.

Dave2d on YouTube gives pretty short and decent laptop reviews. I think he has a discord channel discussing the machines too

My 2017 razer stealth 13" has rather questionable build quality.

* Once a month or so, the touchscreen flips out and starts registering dozens of random finger taps per second. There are tons of complaints on the internet, but Razer never acknowledged it as a known issue.

* One of the long rubber pads on the bottom fell off after about a year and a half.

* The USB-C power cord's insulation was frayed from day one.

* When running Linux, the kernel continuously reports "correctable" pci-e errors, indicating a signal integrity issue. I had to turn down the verbosity of the messages to keep from spamming the journal.

* When running Linux, a monitor connected via HDMI has random "snow" noise. When playing any sound through the builtin speakers, the monitor blacks out every 10 seconds or so. Plugging in headphones "fixes" it.

* The bios' ACPI implementation is buggy and doesn't properly report whether the lid is open or closed. As a result, the laptop sometimes fails to go to sleep when I close it, and sometimes fails to wake up when I open it. It works most of the time but not always in windows, and linux got into a perpetual sleep-wakeup-sleep loop until I found the right workaround.

* A plugable brand thunderbolt dock "glitches" every 10-20 seconds when typing on a USB3 keyboard. Plugable claims it's due to buggy Intel firmware in the laptop. To be fair, a different brand of dock works fine, though.

Many of the signal issues can be caused by a faulty or low quality power supply. It took me a good half year until I finally figured out why my Thinkpad touchpad and screen were acting up similar to your description. Turned out that my 65W power supply from Amazon was causing all the issues.

I never bought a Razer product because every time I'm looking at one I see negative reviews about their reliability.

It boggles my mind how they can be so successful.

Probably in people's minds there is nothing better.

Manjaro GNOME on any of the Thinkpad models.

I switched away from Macbook Pro about a year ago, after using Apple hardware for about a decade.

It's working great, GNOME interface is solid and productive, Manjaro and AUR libraries just work. Highly recommend making the move, sooner the better as I'm sure you see the writing on the wall.

My Huawei Matebook Pro has been everything I wanted in a Mac, in a way I couldn't get from Apple.

Pros that Macbooks don't have: USB-A (along with USB-C), no touch bar, 3:2 screen, can enable secure boot if I choose so feel like I'll be able to run whatever I want on it, replaceable SSD, etc.

Pros that Macbooks also have: still has a great build quality, full day battery

Cons that both have: Non replaceable RAM

I can second this, I'm on the Matebook 14 2020 with the Ryzen 7 I think rather than the Pro. But after a dreadful run of luck with the XPS15, the Matebook (so far) is an amazing bit of kit for almost half the price.

It feels like if they play the next iteration right Huawei could blow most of the top end out the water, there's so little choice at the top end and they all seem riddled with build quality, hardware or software issues.

I'm glad I took the risk on the Huawei and I don't really regard the Chinese spying moral panic as an issue. If they want to spy on you I'm sure there's far easier ways online than trying to backdoor a highly scrutinised laptop.

My huawei matebook pro is the best laptop I've ever owned.

The only downside is that I have Windows 10 on it, and considering Microsoft actively destroys user data and has for 15+ years as company policy...I won't use it for serious work, only entertainment. :(

User state is also a time investment, so rebooting and destroying this is not ok even if all files by some stroke of luck were saved first

Are you not worried about your data going to China? Huawei looks indeed great, but I would never use it. Maybe if there was a way to replace components with ones from legitimate source like Mouser or digikey, to ensure there is no spying going on.

I think a firmware- or hardware-level exfiltration system that works anywhere would be valuable enough that they are not likely to burn it by putting it in systems sold widely to consumers, where it would only be a matter of time before it was detected. Unless monocasa is someone fairly important, that is!

> 3:2 screen

I'm sold on the screen alone. Thank you!

Over the generations, I have had three Macbooks, four Vaios, a ThinkPad, a HP, multiple ASUS and Huawei. Most of the devices I have killed by travel: dust infiltration, vibrated the BGA chips off the boards by motorbike vibrations..

My requirements have all been fulfilled with the Huawei MateBook X Pro.

You could say it's heavily inspired by the MacBook. Aluminum case. Chiclet keyboard with decent travel. 2000x3000 display (2:3 ratio!). Awesome trackpad. Good battery life. Portable. Solid. 2x USB-C and 1x USB-A. Sustained multiple drops.

For context, I am able to pull solid 12-hour days on the device, without a mouse, without fatigue or frustration.

Cheaper than a MacBook. Might be worth a look.

But then you have to buy a Huawei ...

Not the best idea security and privacy wise.

I was skeptical initially. The laptop has been dissected and scrutinized by multiple people with nothing suspect discovered. On the other hand - which brand is safe? Thinkpad has installed rootkits multiple times. Until there's proof otherwise, I think it's worth withholding preconceived ideas.

In any case, everyone has their own level of comfort, and that's important.

Are you talking about the Superfish vulnerability? It's never affected the business class Thinkpad lines [1], but it has affected a lot of the other laptops that Lenovo has shipped.

[1]: https://support.lenovo.com/us/en/product_security/ps500035-s...

Assuming you were going for a Macbook Pro 15" for 2399$

Recommendations for linux laptops (or check out https://linuxpreloaded.com/ ):

* Tuxedo https://www.tuxedocomputers.com

~1000$ 1.5kg, Their 15", 1080p flagship is configurable with AMD Ryzen 7 4700U, 32GB RAM, 500GB M.2

They also have more expensive versions with 4k OLED displays if that's what you're into. Also 13".

* KDE Slimbook https://slimbook.es/en/store/slimbook-kde/kde-slimbook-15-co...

~1200$ 1.5kg, 15", 1080p, AMD Ryzen 4800 H, 32GB RAM, 500GB NVMe

* System76 https://system76.com/laptops/gaze15/configure

~1350$ 2.2kg, 15", 1080p, i7-10750H, 32GB DDR4, 500GB NVMe

* Purism http://shop.puri.sm/shop/librem-15

They're trying to become an opensource Apple --> high prices, own linux distro, trying to make their own ecosystem, etc.

~2000$ 1.8kg, 15", 4K, Core i7 7500U (Kabylake), 32GB RAM, 500GB NVMe

> keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

Those are laptops with numeric keypads, the trackpad is still centred relative to the "main area" of the keyboard (the home row and in particular the rest keys - the two keys with a little bump, F and J on a QWERTY) but it is off-centre relative to the body of the laptop due to the presence of the keypad.

Macs don't have numpads so if you've always used Macs it's understandable that you're not familiar with this type of layout.

In any case that type of placement makes no difference while you are using the laptop, because keys and touchpad are still where they are supposed to be relative to each other.

A lot of laptops, Dell for example, offset the touch pad to the left even though there is no keypad. You might be right that these are technically centered on the q to p span of the keyboard.




Good eye! I had never noticed those before. Yes I think those are centred to j and f. On the Macbook Pro I'm using right now, if you look carefully, the touchpad is centred relative to the body but it is slightly off centre relative to the home row.

I use my laptop on my lap, and usually when I sit with my hands folded in my lap, my hands fall along the center axis of my body. We are bilaterally symmetrical beings (with some internal asymmetries).

So unless I scoot the laptop off-axis or I have to move my hands off axis to type.

I'm unsure how this isn't unergonomic. It's not something to get used to. It's bad design. Period.

If you're using a laptop on your lap you've already given away any chance of ergonomic comfort.

Yes this has always annoyed me; having it centred under the keyboard makes no sense except in some weird universe where everybody uses only their thumbs to operate the trackpad. Trackpad alignment was one of the major causes of my RSI due to the horrible bend in the wrist it causes.

I haven't used a Mac in years but the one thing they always nailed was the trackpad. It's big and actually centred on the laptop body.

I think it depends on how much you type. If you type most of the time, your hands will tend to stay centred on the keyboard. Of course this is highly variable based on so many factors...

Yes this is true, I see your point, with a laptop on your lap, in order to balance its weight optimally, you need to centre it relative to its mass, not relative to the hands rest position (F and J keys) so then when you have to type you need to move your hands sideways and it's not very ergonomic.

But you want to align the keyboard and the touchpad with the vertical axis of your body so you end up with 2/3 of the screen to your right. That's why I'm advocating no number pads on laptops.

I’d rather align myself with the screen, otherwise I’m mostly constantly looking towards a slight right, which is a terrible twist for the spine.

It’s much easier and more comfortable to adjust my hands over a slightly offset keyboard.

Is this what you're actually doing?

I gave it a try for one minute when I unpacked my new laptop in 2014 and I immediately shifted it to the right: typing as you suggest was terrible for wrists, shoulders and probably the spine.

My workaround: I move the windows I work more often (eg: the editor) to the left part of the screen.

To be fair: there is no way to fix an ergonomically broken design. There are only mitigations and those are probably subjective: everybody is a little different and muscles/skeletons/etc can accommodate different twists.

Get a Thinkpad, P-series, lots of options. Run Fedora on it. Great machines, great keyboard, 4k screens, good color, good battery life, lightweight. Everything works. Mac-level price, and worth it.

I would like to get a thinkpad, but I'm not sure Lenovo can be trusted any more than Apple can, especially since Apple at least pretends to care about customer security.


Lenovo is junk for anything but business class laptops. That's the thinkpads X, P, W and T. The rest is the disposable, unrepairable, bloated junk you’d expect from consumer level products.

"Disposable, unrepairable, bloated junk" describes pretty much all non-business laptops these days. I don't think Lenovo is special (and the Yoga often reviews as "good for the price")

Seems like I have been working for four years now on my junk Lenovo Yoga 13 under Manjaro and didn't realize that.

Don’t feel bad, Lenovo intentionally blurs the line by calling everything a thinkpad. But they’re not all the same.

I work with thousands of their business class Thinkpads and they are also junk. They seem made for corporations to just churn through. I see hardware/BIOS bugs that carry through generations.

Could be. I stopped at the 2011 and 2013 variants. Still powerful enough for me, cheap to repair, and the Intel ME can be entirely erased/corebooted. I don’t know about the more recent business class TP.

Well, if you immediately overwrite the hard drive of the machine with some Linux variant (as I think the GP implied), I think it will solve a lot of problems like this from any manufacturer.

No it doesn’t. If memory serves, Lenovo rootkits have been in the UEFI firmware which auto-install hooks into the OS after boot.

Linux is not magically immune to this attack. One could argue it is more susceptible than other OS due to lack of binary signature checks on executables at runtime (at least by default).

That would be a worry. At least the people using Apple care and tell you. And observe them very closely.

How is 4K support and fractional scaling? Does it work well?

In my experience, fractional scaling and 4k support is finally fine on at least whatever GNOME and Wayland Ubuntu 20.04 ships with, with two major caveats:

* Chromium-based applications (the browser and Electron apps like VS Code) still don't know how to render themselves with fractional scaling and end up ever so slightly blurry (but correctly sized) on fractionally scaled displays. Think like very old applications (like Control Panel) on Windows 10. I use Firefox so it doesn't bother me that much. There's an issue in the Chromium bug tracker following this, but I can't find it right now.

* Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.

> Chromium-based applications (the browser and Electron apps like VS Code)

This is most likely because they don't support Wayland. The scaling with XWayland doesn't really work great a lot of the time.

I don't use scaling for my 4K monitor, and just set text sizes larger. It feels a bit weird for a while but eventually it's actually quite a nice balance where the content is relatively larger vs. the chrome.

> * Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.

Chrome has experimental Pipewire support; enable it in here: chrome://flags/#enable-webrtc-pipewire-capturer

Firefox (at least on Fedora) has enabled it out of the box.

Cool, I don’t use chrome or VSCode or chromium apps. And no ms teams or google meet either. Sounds like limitations I could live with.

Not op here. Using Gnome on Manjaro with Wayland. Fractional scaling works very well on a external 4K monitor and with internal HiDPI display.

Electron apps are blurry, tracking https://github.com/electron/electron/issues/10915

Good battery life? You must be joking? Less than 4 hours of light usage on x1 carbon gen 8. No hibernation.

Aren’t those all huge?

P1 Gen 3 is 0.72" x 14.24" x 9.67", compared to the 2019 15" MBP which is 0.61" x 13.75" x 9.48". Slightly larger? Sure, but I wouldn't call it "huge" if the 15" MBP is what you're used to. It's only 0.11" thicker than the MBP and half an inch longer. (And it weighs less.)

If you think so, then I recommend you get an X-series instead.

I have a 15" MacBook Pro and I like it just fine.

> edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer.

I would agree on designer.

Absolutely not on developer or researcher.

Actually MacOS is for the reasons you mentioned incredibly developer-unfriendly (unless your target is of course the iOS ecosystem).

And for research there is no better platform but Linux. Unless you are in clicky-colorful frontend applications where I would doubt you are doing serious research.

>Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.

It seems the iPhone 12 is already rejecting non-original parts, even if the part comes from another iPhone 12: https://news.ycombinator.com/item?id=24924761

Try metabox. (https://www.metabox.com.au/). They have a wide range of laptops at various specs and prices and form factors and whatever else. A lot of the guys at work have started to switch to them and they feel nice to hold and fondle.

I'm currently in the same boat as you and my next machine will be from these guys when my (admittedly very new) Macbook Pro gives up or gets taken over by Apple.

It's hard to say who is now Apple's target audience. It seems like their products are ideal for people who don't know much about IT and just want to watch a video or edit their holiday photos and maybe create a CV and will probably never go beyond that. Other people still enjoy Macs from 2012, but things are moving on when you look at desktop PC and what you can do. Apple looks more and more dumbed down.

It's like being trapped in a beautiful plastic cage. I used a MacBook Air (2012) for years as my primary development machine and really loved a lot about it, and it had some fantastic apps in the environment like QuickSilver, especially since it just worked compared to some of the Linux distros I had before that. But I'm glad I jumped ship when mine went obsolete.

>> It's like being trapped in a beautiful plastic cage.

To be fair, it's like being trapped in a silver gray aluminum cage with uniform body and irreplaceable bars. I wish more companies would make a PC laptop that doesn't suck aesthetically. Even when they use aluminum, most PC manufacturers don't spend much time on designing a good keyboard (arrow keys not having the same shape comes to mind.)

The feel of the keyboard is far, far more important to me than the look. Lenovo Thinkpads (business class, not the consumer ones chasing after the foolish "thin" trend) are the only ones that have a reasonable shape and response. This includes Apple, which tends to be one of the worst offenders in the feel of a keyboard. I want to have some amount of vertical movement to the keys, not to jam my fingers into a hard surface repeatedly.

I understand people doing live music with it. Think about what would happen if Windows forces you to update during your performance^^

Graphic designers because the nice display...

Otherwise I don't get it. I think for most other people it's a status symbol ;)

I especially don't understand why IT affine people buy it. Just buy DELL, HP, Lenovo, Alienware and install linux. Gives you more bang for the buck...

Very small audience, but people with bad vision do enjoy the good displays on their machines and the GREAT built in zoom in OSX. Zoom in Windows is a joke.

Unfortunately Linux isn't really an option just yet for a lot of us.

I really like my surface book. They are priced like MacBook pros (and spec'd like them too). The track pad is great, the pen input and detachable screen come in handy more than I'd have guessed when I first switched.

Apple has a pretty broad utility patent around their trackpads, which requires other manufacturers to work around what would seem like pretty obvious things.

PDF: http://assets.sbnation.com/assets/2017767/USD674382S1.pdf

Are there no other suggestions beyond the 2012 MBP?

I use arch linux on a Lenovo Thinkpad T580, and I'm really happy with it, but I'm not sure about the colour accuracy of the screen. I doubt it's as good as you find on an Apple.

I, for one, am really interested in good, high quality alternative to apple laptop hardware, that meet the parent's criteria.

I just got an eluktronics. Basically barebones powered up systems. I got one running windows but that's only because I need the ableton software.

I agree with you that Apple is doing way too much to restrict users. But I also agree with Craig in that I don't see how Apple silicon is useful for them in helping to restrict users.

It is useful as a justification. Not from a technical point of view, but just to support the pathway they have planned and the story around it.

How is it useful as a justification? I don't see how forced signature verification can be more easily justified on an M1 Mac than on an Intel Mac.

Yet mandatory signing of binaries is enabled on the ARM build.

It is basically a milestone; since new binaries are needed, they might as well be signed.

Dell XPS have an option for a fantastic 4K screen. After calibration it's better than the Retina screen on my 2013 MBP.

I don't know why they don't use a 2560x1440 for the 13" model

I have the 4K version. You can’t use it, you have to downscale to 1440p because you get lag at 4K. They released a 4K laptop that isn’t powerful enough to run at 4K.

I don't have any problems with the video. Are you trying to game on it?

Laptops and gaming is a terrible combination because of the thermals.

X1 Yoga 4 is what I went with recently when my 2016 macbook pro died for the 4th time since owning it.

It's very similar to the x1 carbon but converts to a tablet and it has an aluminum body.

I can't say I'm out of the apple ecosystem entirely, but I decided to spend my money elsewhere given the abysmal quality of the macbook pro line these days.

Thinkpads. Lenovo is far from perfect, but they have been good stewards of the brand.

I like Lenovo ThinkPads and even IdeaPads (I own one for personal use) but I do hesitate dealing with potential Chinese spyware from the factory for work uses.

I’d suggest using a Mac until it doesn’t actually work. Then you can find a new computer to compromise with.

Owning a Lenovo X1 Carbon 7th gen, 2019, 4K screen, 16GB RAM. Extremely impressed with the hardware, running Linux Mint and going to move to Manjaro. Initially I tried PopOS! but they removed from Gnome the intermediate scaling (1.5X) of the UI, just like in MacOS you have Display - Scaled options. I really like the per monitor setting which you don't have in Linux (or I didn't research enough); e.g. More space on main display (external 4k monitor) and Larger Text on the macbook screen. I'm also jumping ship due to the worst experience I had in 25 years dealing with technology, 1 month to replace a swollen battery with a 3rd party repair service. Apple now throws all these "complex" hardware issues to 3rd parties since their employees are pressuring them not to execute hazardous repairs in their own "centers".

Their SSL certificate revocation server (the default for macOS) goes down and you try to tie it to Apple Silicon being created to lock-in users? I understand the feelings people have about this but today's failure seems orthogonal.

It's just one of many recent actions that they've taken that have made people wary. The changes to app signing in recent OS X versions were another example of this.

Huawei Matebook X Pro. A friend has one, 2019 model. Runs Ubuntu on it.

Trackpad is as good as it gets outside Apple, I'd say.

The display looks gorgeous. Can't say about color accuracy/fidelity though.

Re colour accuracy, check out thinkpads, they even come with a colour calibration sensor so you can have them autocalibrate daily/weekly or whatever suits you.

> Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

Clearly there's no need to jump ship if it's more expensive on the other side.

Do you _really_ need a laptop? That's my solution to the problem of no good Linux laptops. I've got a desktop at home now, and when I go back to the office, I'll pick up a mini desktop. I'll keep an old MacBook in a drawer if I need to take it into a meeting. When I used laptops only, they were just plugged into a monitor/keyboard/mouse at all times anyway.

What would make a good linux laptop for you?

One that reliably goes to sleep when I close the lid and then wakes up again when I open the lid.

Wifi that works... Audio that works... Plugging in and out external monitors that work... Netflix/Youtube in HD without burning the cpu and draining all battery

Basic hygiene essentially.

I use linux on a laptop every day for the past years and have tried Dell, HP, Lenovo, Asus, Ubuntu, Arch, Mint. Lately things are working, but only most of the time, never really really 100% as a Windows/OSX machine does. You always have to live with those 1/20 times sleep did not wake up or oh time to reinstall pulseaudio again for microphone to work.

We need new touchpad drivers (which are in the works) and screen resolutions that work at either 1x or 2x, not something in between.

> their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

Buy something without a number pad. Unfortunately most 15" laptops do have one.

If anybody from HP is reading this, I'll pay an extra for a keyboard without number pad on your 15" ZBooks with 3 buttons on the touchpad. Space bar and touchpad aligned with the center of the screen please.

>it's off-center in a lot of cases! How weird is that

It is off center if they have a number pad to the right of the normal keyboard layout. At first glance it looks weird, but it is 100% what you would want if you were using the laptop. Otherwise the trackpad would end up being right over where your right wrist is.

> I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad

Sounds like you might want a Microsoft surface (or surface book).

Not sure about the TouchPad - but at least there's a pen for drawing on the screen.

I came across this some time ago, I don't have any personal experience with their laptops but they seem promising.


I just gotta say that I don’t think it’s clear where they are going. You are of course free to do however you like. And if you are leaving because of what they already have done, that’s reasonable, but if you are leaving because of what you are guessing that they might do tomorrow, is that really wise? I mean even with the ARM switch won’t it be as easy to switch to win/linux intel after a year if you are not satisfied?

I don’t like the boot thing either, and it’s a bit scary not being on intel as everyone else is right now, but I also think ARM feels really interesting and it might turn out to be a great new platform!

Edit: I mean it is not like they never listen, they did take back the mac pro, they did fix the keyboards, you have cli tools to make a lot of changes in how macos works, etc. Of course I would like hundreds of things to be different, but I believe that is true of all platforms.

2012 Macbook Pro. Get the highest-spec Magsafe laptop you can find.

I second this. Catalina runs great on my 15" mid-2015 16GB/1TB, and it even runs shockingly well (bootstrapped) on my (unsupported) 13" mid-2009 8GB/512GB.

The 2009-2015 era of Macbooks are, not were, truly phenomenal machines.

Ugh I actually considered buying a 2015 mbp to replace my 2016 when it died for the last time THIS YEAR

What does bootstrapped mean? I’m surprised with Catalina running well on a 2009 MacBook. I felt it was slow on a Mac Mini 2014 where it is supported and went down one version.

The Dell XPS line is my recommendation. But it’s not that much cheaper than the Mac equivalents

You can disable this behaviour by listing terminal under Dev tools, and launching from there.

My ASUS Zenbook has been solid ! But the macs are definitely prettier.

System76 may be good

I have one. It’s not the finest quality hardware (rebranded Clevo I’m told) but it’s lasted and the os has been trouble free. I’d get another.

The onyx pro model, it’s not great on battery when using the nvidia graphics but it can play 3D games via steam.

I do kinda like the pop! Os Linux distro.

Buy an Intel Macbook Pro and boot Linux.

Then you don't get to use what is probably the biggest selling point of MBPs, their patented touchpad and gestures.

The only tool in that video you linked to is that dishonest cheerleader Gruber.

I don't think there's a one-sized-fits-all solution without something custom and extremely expensive ($15k+). Maybe a Lenovo T480 for most purposes and a dedicated second screen for color correctness? I had a Dell Studio XPS 1645 with an RGBLED screen with an insane gamut. It begs the question: Why aren't such screens widely available?

What about getting a T480 and replacing the screen itself? You can find a decent one for ~$400 USD, and a 1080p or WQHD screen for another $100.

As for screen availability, I think it's more to do with the fact that these are business computers. Lenovo only recently started blurring the line between their premium and business class devices.

I think every post-Haswell ThinkPad comes with a 720p screen in its default configuration. At least up until Tx90/5 series.

Wow so many words to just say “this product isn’t for me”

I think you should stick to Apple, frankly. Every time Apple comes up with something new (or just a new software release), people come out of their sheds to warn about all the bad things that will happen.

And then almost none of those bad things happen. I've witnessed this dozens of times now, so a safe interpretation would be to assume that this time none of those things happen.

Except bad things did happen. Like their capricious application of Appstore “guidelines”; the increasing difficulty of running software on Mac where the developer won’t pay Apple a tithe; the drop in Linux support for the platform, as they locked it down more and more at hardware level; the imposition of their authentication and payment portals (and hence 30% taxes all around) on web apps... etc etc etc.

We have been effectively boiled like obedient frogs.

I love macOS but my next laptop won’t be a mac and my next phone won’t be an iPhone. Divesting from the ecosystem will be painful but we’re well past any grace period at this point.

"I love macOS but my next laptop won’t be a mac and my next phone won’t be an iPhone. Divesting from the ecosystem will be painful but we’re well past any grace period at this point. "

same here. I hope this will lead to a leap in quality in alternative mobile & desktop OSes, because at the moment the situation looks pretty bad.

I have not experienced any difficulties in installing or running apps from outside the Mac app store (if that’s what you mean by paying Apple a tithe).

First they restricted execution of unsigned binaries unless you run in a substantially-unprotected mode: https://github.molgen.mpg.de/pages/bs/macOSnotes/mac/mac_pro...

Then they disabled execution of all unsigned binaries. To run on a default Mac, you either pay Apple or compile on the user's own machine which is obviously unsustainable. https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-...

They've also removed any 32bit support, in case you could make do with old programs that don't make Apple some money.

I'm still on Mojave and will not upgrade. Personally, my last MBP was bought in 2016 and I have no intention of getting another one as long as they continue exploiting developers and the public in this way.

> To run on a default Mac, you either pay Apple or compile on the user's own machine

This is not true. Apple silicon runs code with any signature, even an ad-hoc one.

What exactly do you mean ad-hoc? Can my friend without an apple account compile an executable with GCC send it to me and I can run it on my new Apple Macbook?

Not running 32bit code anymore did definitely happen

It was rumored for like a decade. The last 32-bit computers were sold in something like 2007-2008? High Sierra started throwing warnings when you launched 32-bit apps. In 2018, they announced Mojave would be the last version to support them. Mojave just got an update yesterday and will likely get updates for at least another year. So nobody has been forced out yet.

I'm aware end users with discontinued software were forced into some no-win choices. But as an ecosystem, it's one example where this happened and was given a ~15 year possible window and an explicit 4 year window to transition.

And it couldn't have happened sooner.

Do you want to be burdened with layers of backwards compatibility and end up like POSIX or Autoconf with provisions for things that once run on some long forgotten UNIX OS version?

32 bit support certainly isn't going to bury you in backwards compatibility. It just runs

Just runs with 2 versions of the same library (32/64), and with older programs that can't take advantage of 64bit ABI / arch changes...

I started panicking mildly thinking my drive was failing or something.

And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.

Same. Panic attack. Thought the SSD was dying. I ran Disk Utility diagnostics and started coming up with plans to reformat and restore as a last resort.

Apple folks in this thread, this was terrible

I genuinely thought the same thing. I opened my MBP and it was sluggish, felt like it was dead. Browser wouldn't load, Zoom wouldn't load, I rebooted and the same problems persisted. I honestly thought the hardware was giving out.

I almost cannot believe the actual cause. Absolutely awful experience.

Incredible I had the exact same thing. 2019 MB pro I bought for music production and ableton started to lag incredibly badly and the whole desktop was unresponsive. I started to search my email to see what warranty I had.

My condolences friend. Next time, be more lazy :)

> macOS is my favorite OS, but the shit I put up with...

Idk, the several Linux distros I’ve used recently, and Windows, have a much longer list of “shit _I_ put up with”

The thing you get with Linux is "more _predictable_ shit to deal with", not "less shit to deal with", no large capable desktop OS is perfect and never will be.

Anxiety from what Apple's agenda will do to your computer next update? anxiety from if a 1hr windows update is awaiting you when you turn your pc on? ... Linux awaits.

Linux awaits and then when it comes it borks WLAN driver, because canonical decided to replace a perfectly working one with WIP FOSS alternative, forcing users to switch to cable LAN until it reached feature parity.

Linux awaits and then when it comes it borks AMD driver, because AMD decided not to support older cards on the new FOSS driver, and the old perfectly working driver is not compatible with modern kernels, driver ABI be damned.

Linux awaits and then when it comes it breaks hard disk encryption forcing a full install, and feeling lucky that I actually backup /home regularly.

Linux awaits and then when it comes half of the stuff doesn't work in Wayland.

Eventually I rather just deal with macOS, Windows, Android and leave Linux just for the kernel itself.

I haven't had to deal with any of that, but I've had Windows straight up refuse to boot multiple times and the only fix I found was to reinstall. I've now had to advise multiple people who couldn't turn on their WiFi in Windows (the switch just did nothing). I also couldn't fix that without a reinstall (not for a lack of trying). My family iMac refuses to import photos from an iPhone into Photos, failing the transfer silently. I have no idea how I'd even go about fixing that besides calling Apple and forcing them to fix it.

No man gets to deal with all of the possible computer problems, thankfully. But in my experience, most Linux problems have been fixable and I managed to fix them, while more closed OSs have left me stumped many times. I no longer believe that a computer can work without problems, so my priority is making sure that when problems appear, I can diagnose them and fix them easily.

Windows sometimes has these artificial problems, purely for market share play. Hell, I'm still a bit angry at them because of what they did to RE-DOS with Win 3.1 Beta. I was working in a small computer shop and we were blindly recommending MS-DOS as we were sure RE-DOS had compatibility problems. The tracking, and the constant nagging, silly software signing shenanigans...

So I agree, Linux problems are usually much more fixable.

You can see debug logging about photo import in Console.app. When I do it, it takes forever but eventually works.

Thanks, I already tried that. It does give an (easily missed) error from the underlying library there, but it's just some number that some other people are also complaining about on support forums.

If you have any other insights, I'd be happy to hear them. We have a workaround, but it'd be nice to get imports working again.

To each their own I guess, but in 20+ years of using Linux I've never had any of those issues. Maybe it's because I'm cheap and I run it on older laptops.

As for Windows... really no issues there other than forced errors of whatever absurd company policies are in place that cause software I don't want or need being forced on my machine.

Well, that's why I use nixos where I can just easily rollback select programs or even my entire system if some upgrade goes wrong.

Hell no. I work with RHEL every day, and while I'm by no means an expert, I would say I'm reasonably proficient with Linux.

Every time I've tried using Linux on the desktop, it's worked just fine until I tried to update something. Sooner or later, there's some broken patch or some incompatible thing here or there that breaks my window manager and throws me to the command line, ruins my network settings, overwrites my boot config or some other maddening mess. Linux works brilliantly, AS LONG AS YOU NEVER TOUCH ANYTHING

That's true in most Linux distros, I've been there, even with the most robust ones (like Debian). But then I found Manjaro, with a semi-rolling update system, that is a perfect balance between recent version updates and rock-solid stability.

I've been using Linux as my primary OS since 2008

Today my mouse and keyboard were acting as if they weren't plugged in. Just no power, no reason, no change. Reboot fixed it for now

The thing that's changed recently is that I had to update the kernel to support my audio interface.. which was also a pain in the tits

The only relevant search results are StackOverflow spam talking about a version 10 years old

Linux awaits

Well, you're using the wrong distributions then. Use something stodgy but solid like stable Debian or a recent but not bleeding edge version of Mint and you should not have all too many things on your shit list. It won't be empty - printing will still trip you up every now and then, just like it does everywhere else to give an example - but it will mostly 'just work' unless you're trying to install it on truly exotic (as in "released this week") hardware. The overall facepalm experience will be comparable to that on Mac OS, better than that on Windows. Add to that the fact that it is free in every sense of the word as well as the glaring and welcome absence of draconic "features" like the one discussed in this thread and those Linux distributions will start to look very tempting.

Debian has abysmal hardware support (well, GPUs mostly). They need to do something about their kernels, my RX5700XT is miles ahead with the current kernel compared to whatever Debian 10 ships.

Debian's default position is to only ship "free software" (OSS, libre, etc).

It is my understanding that a lot of modern GPUs that are cutting edge ship with non-oss binary blobs, which goes against Debian's core principles.

Unfortunately, it means that Debian has poor support for hardware vendors that mandate these binary blobs.

Neither AMD graphics nor Intel integrated graphics require a blob. nVidia is the only one of the big three that requires a blob for full performance.

AMD graphics require a firmware blob for all modern cards [0]. It used to be that the firmware was only needed for 3D acceleration and you could run X/text mode without the blob just fine, but that hasn't been true for years (I think since HD6000 series in 2010).

[0] https://packages.debian.org/buster/firmware-amd-graphics

My gpu works fine on newer kernels. It's not about blobs, debian is just slow.

Debian stable is meant for servers, use unstable (it's quite stable!) or stable-backports if you want a recent kernel.

Can you really think of a single thing worse than this?

My Lenovo Windows laptop came installed with malware that MITMed all my https connections and also allowed anyone else to MITM all my https connections.


That's terrible, but it's not the fault of the OS vendor; presumably such a malware could be distributed with any OS.

Ironically, it couldn't be with macOS, which this whole thread is about avoiding.

It certainly could if Apple wanted to do the same thing that Lenovo did.

Would MacOS actually have prevented it? Would Superfish just have simply signed the binary? Sure it wouldn't have started up when the Apple servers are down, but that's a very small percent of the time.

Computer failing to turn on as a buggy, mandatory update has broken or replaced a driver with a non-functional one.

Fair enough, but that's not a typical experience on either Windows or Linux in this decade - if that's happened to you, then I think you've just been incredibly unlucky.

On the other hand I was gifted a 2015 MacBook Pro 15 and I can't run away screaming fast enough from it. I know people rave about the touch pad, but when I use it I find apps get minimized, or don't launch or some other weird gesture causing behavior. I guarantee that this is classic PEBKAC. The other day a family member with a MacBook Pro asked me to assist them with Safari which on launch wouldn't appear. I was able to get it to appear by using the Finder or something which allowed me to pin/size Safari to one side of the screen, but on appearing the window simply displayed a single pixel frame with a black interior. I killed the process, launched it again but it did the same thing. I told them they would have more success with Google than me. I have never had those experiences with Windows. Yes I've had other lame experiences, but I can always solve them, or at least find a solution online. Again probably PEBCAK so no fan boy retorts please. In the end all programs and operating systems suck.

I have to say I also don't understand all the fanfare for the MBP trackpad. I have a 13" 2016 MBP, and I actively dislike the trackpad. You need to use far too much pressure to "click" (even with the resistance at the lowest setting), and there is something "off" about the mouse pointer tracking - I can't figure out what it is, like if it feels too smooth, too jerky, I don't know, but it feels wrong somehow.

Oh, I do like the gesture support, though even Windows 10 supports gestures nowadays.

I think you can enable tap to click

I’m personally quite a big fan of the trackpad and gestures but I understand that they take some getting used to. If they are causing you frustration then you can turn them off under system preferences > trackpad in the “scroll and zoom” and “more gestures” sections. I’d recommend keeping most of the scroll ones and disabling most of the others, then one by one turning on any of the ones you think would be most useful as you get more used to them.

As for the Safari issue, I have no idea off the top of my head.

Disagree with Linux. I make an LVM snapshot before making any attempts to upgrade the graphics driver. It's a disaster. And don't say proprietary code, that's beside the point. Windows runs drivers in a way that one that crashes can be restarted without bringing down the kernel or the whole system.

FYI I've had the issue you describe half a dozen times with CentOS but literally never with Arch Linux (on both machines with similar nVidia cards, using the proprietary driver). In general I'm pretty impressed with Arch's package quality, I seldom encounter any issue and when I do it's patched very quickly.

I tried Arch Linux in a dual boot scenario on this System76 laptop and I don't recall why I switched back... I think it's because I tried to upgrade the graphics driver and got into a state where I couldn't get X to run at all.

A co-worker keeps telling me to try Manjaro. I'm just not sure if I want to spend a weekend reinstalling all the stuff I use.

Very true. I have used Ubuntu and Fedora for a while, but since I switched to Arch, I have never gone back. Arch is described as bleeding edge, but another way to put it is it always has the latest software, which is what a dev machine should be. My experience with installing the Nvidia driver in Ubuntu is a nightmare. Tried the official repo then failed, and tried different PPAs and then failed again and again. At last, I found that I have an older kernel version and I need to compile a latest kernel which is not in the official Ubuntu repo. I gave up at this point because I don't want to compile a kernel every time I need to upgrade. With Arch, you always get the latest kernel and you won't usually be missing features from using an old LTS kernel.

My windows box has crashed over a dozen times in the past few years because of GPU driver issues with nvidia and amd

Nope, there have been a few issues with BSOD that have impacted quite a lot of people. The latest one was with nvidia drivers being old that caused BSOD after update.

In a previous company the IT dept had to revert a forced by MS update manually on each machine by “hacking” and deleting and replacing files as it was causing BSOD.

It happens with forced win10 updates.

It happened to me pretty much every other forced windows update, from broken graphics drivers to non functional start menu.

I just replaced that pos with a mac mini....

I use centos 7 for my daily driver, it'll get 8 on it next hardware upgrade. Touch wood not a single problem with that for years now, and amd5000/nv3000 are looking very tasty.

Albeit rarely, and with the diversity of commodity hardware out there, I would say that Microsoft has done pretty well with updates.

(P.S. I despise Windows from a technical standpoint though)

> with the diversity of commodity hardware out there, I would say that Microsoft has done pretty well with updates

This is a good point actually - with their walled garden approach, Apple has a much easier job with drivers than Windows or Linux have.

Of course, the end user may not care a jot, but it's an interesting point from a technical perspective.

It shouldn't be their business.

Happened to me with a stock install of ubuntu after an update about 9 months ago.

If by this decade you mean 2010 - 2020, I have enough Linux examples.

I presume you mean desktop Linux - I admit I haven't tried a desktop edition Linux in this decade, so I might be off there.

Desktop Linux on an Asus laptop officially sold with Ubuntu on it.

I believe you must have been using Windows 7 without updates for the decade, because with windows 10 every[1] update[2] borks the system so much that Microsoft had to pull updates. And last but not the least, a big guide to fix problems caused by a forced, mandatory windows update[3]

[1] https://www.techradar.com/in/news/microsoft-kills-off-window...

[2] https://www.techradar.com/news/dont-install-this-windows-10-...

[3] https://www.techradar.com/in/how-to/windows-10-may-2020-upda...

Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.

Apple may suck, but it still sucks less than the alternatives

> Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.

Well that's the problem with Linux distros for the desktop in general. A user upgrading a newer version of a single system component risks breaking the whole desktop: systemd, libdrm, x11, whatever and something else doesn't work. I'm even excluding drivers here but again it's clear what happens when a user finds that out for themselves on Linux. If they even have the time and energy to do all that digging and googling of cryptic errors.

To save yourself the time and frustration, just keep using Windows 10 with WSL2. I don't have any reason to dual boot to a Linux desktop any more due to this.

And I believe you must not have been using Windows, and are relying too much on news of incidents affecting small numbers of people.

It is - quite clearly - a gross exaggeration that "every update borks the system".

Aside from MacOS, I use Windows 10, and have done for several years. I have the Microsoft Action Pack, which means I get multiple Windows 10 Enterprise licenses - and no forced updates.

Why wouldn't Windows update deleting the user's files be worse?

That might have happened for a small number of users, but it was an isolated incident, not a "feature" pushed to every Windows user.

That has happened for the last three years in a row.

When there's filesystem corruption on boot, Ubuntu throws you into an (initramfs) shell and tells you to fsck manually.

Is it better than a message to take it to service center?

Depends on what technical level you have, how much time you have, and what's on your storage device.

- Eternal maze of control panel that's now split into two.

- Lack of little useful apps in the $10 range. Windows seems either freeware or costly bloatware.

macOS' problem is fixable but OS being worse isn't something you can wait to get fixed quickly.

Perhaps the issue is, it didn't used to be like this.

Linux doesn't force you to sign your binaries or lock you out of devices you own.

> Windows, have a much longer list of “shit _I_ put up with”

Yikes. This is painfully true. Maybe Apple knows they have a ton of breathing room here.

I’ll jump through a few more hoops to continue using the machines they make. Then again all I do is edit text.

> macOS is my favorite OS, but

Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.

> The amount of weird issues is about constant.

But linux is free both as in free beer and in free speech, windows required you to pay the Microsoft tax to use, and lastly macOS required you to pay a premium on hardware.

That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.

Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.

And what premium do Mac hardwares have? It seems I paid what they deserved as I can't find anything better in the market. Even moreso now that M1 is out, it seems all Windows machines have premium.

> That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.

What do you mean "take care of the level of detail"?

I can download Debian right now, install it on hardware in about 10min, and get everything to work rock solid without any hitch.

I can't say the same about either Windows 10 or macOS.

In fact, I had mojave crash and reboot more times in the last month than Ubuntu 18.04 since it was released, and mojave is preinstalled in its own target hardware, which is supposed to be high-end, while Ubuntu is installed on a cheap laptop that cost between a third and a fourth of my apple laptop.

What exactly do you mean by level of detail?

Maybe the desktop environment itself is fine but for third party apps I don't see $10 range nifty apps that boost productivity on Linux.

Half of the apps I use are on Linux as well but that won't get me to the productivity on macOS.

macOS I understand, but what machine do you have that Debian will work but Windows won’t?

>> That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.

>> Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.

I've been running Fedora for 15 years and haven't had any of those pesky Linux issues for at least 8 of those years. Meanwhile, I was issued a new Windows laptop at work just last week and it sucks pretty bad. It's smooth and polished, but with all the advertising and "first ones free" preinstalled shit it feels a lot like Facebook rather than a computer. I'm glad it's me-at-work being monetized and not me at home...

> working OS without a hassle

I can't help but think you meant, "I've accepted there's no real way to salvage and diagnose my computer when it breaks so reformatting it has become second nature. I always keep an up to date Win10 install USB ready, and I even have a second hard drive that I keep all my files on."

With Macs, you have to put up with MacOS and Apple (one big premium is lack of choice). It's also not that easy to self-administrate without MDM, and software options are relatively limited if you come from either Linux or Windows.

Oh come on stop spreading the Windows 98 old stories. Windows 10 is a piece of crap spyware but it is stable.

We have >8K active Win10 workstations on our domain.

I wish you weren't wrong.

I'm a software dev but since we're only 2 techies at work I also maintain about 40 Windows PC, 3 Hyper-V hypervisors (with something like half a dozen Windows server, the rest are Linuxes) and the printers.

If Windows 10 was unstable I should be swamped. But I spend more than 90% of my time on software dev.

And the machines are not new with fresh installs, I migrated them all manually from Windows 7.

They completely broke Alt-Tab in 20H2 so no, it's not.

The unspoken rule didn't change because it's Windows 10: never install a fresh release of an OS right away (I'm still on 20H1). And judging by the comments I read here it's true for MacOS too.

FWIW I switched from XP to Vista 1 or 1.5 year after its release date. It has been a great OS for me, I never had a problem with it (except that it's then they started with the bullshit telemetry).

Of course YMMV, but since late Vista stability isn't a major issue anymore.

Never reinstalled Windows unintentionally at least for the past 10 years.

> software options are relatively limited

When was the last time you used macOS? I see the options limited on Windows rather and even moreso on Linux.

If Windows is working for you "without a hassle", you must be using some version that us mortals can only dream of.

What hassle do you have these days?

Yeah, I don't use peripherals as it's only a gaming machine (I don't see other reason to use Windows) but it's working as intended for years.

I also don't get this complaint about Windows. I had as many problems with it as with my Macbook...which is almost always never.

Activation, for example. An activated and running Windows system can turn into a nagging SOB by something as simple as enabling a motherboard's Ethernet adapter in BIOS.

A level of detail I value is that none of that BS is baked into systems I use. Doesn't matter whether those who did not do so were paid for it or not.

Had this happen to me after installing a secondary SSD. Windows was deactivated, and wouldn't reactivate. I ended up having to use the Windows Restore tool before I could activate again. Having to reinstall all of your programs is never fun.

I didn’t even have to reactivate after changing my MB. I never had to reactivate an activated Windows 10 in general.

I had a new mobo broken in 1 week and replaced it with the same model and it ended up with the license being invalid despite the mobo being the exact same model.

I had to make a phone call since none of the methods Windows or the internet suggested worked and that phone call literally took 30 min to reactivate my license again. That wasn't fun.

If only there was a way to get LTSC as a non-institutional customer and a way to activate it.

(wink wink)

True. Linux is the best value and the best developer experience IMHO - unless you need commercial software that is Win/Mac only. Even then you can virtualize which is safer too. I can also easily get a Darcula theme OS-wide for Gnome so..

> macOS required you to pay a premium on hardware

Or just run macOS in a virtual machine

Just wait until you can only run signed binaries.

As developers and engineers, we ought to be jumping off this platform like a sinking ship. It's clear that they want to lock it down like the iPhone. Why else would they be measuring which apps are in use if they didn't want to control it?

If your argument is "compatibility research", you're missing the other warning signs.

If I do any simple math calculation in Spotlight it pegs all cores at 100%. It's easily reproducible and really annoying because I've used spotlight as a calculator for years.

I finally think I found a fix for this, toggle off and back on the Calculator service in System Prefs > Spotlight.

My music software became completely useless on catalina, and I was also running into issues with spotlight so I disabled it. I downgraded (painfully) to Mojave and my system is so much speedier. wish I could completely switch to linux.

yeah, but in the end, choice of OS is secondary to choice of application. I'm staying on Mojave for the foreseeable future, but I'll stay with Mac because Logic Pro is not available on any other platform. Sometimes applications are fungible, or you're lucky and your critical application is available on multiple platforms, but sometimes there are only certain applications that can do what you want. I run a MacOS System 7 for software to edit my Yamaha VL-1. I run MacOS 9.2.8 due to hardware drivers for a Korg OasysPCI. I run MacOS 10.6.8 Snow Leopard because it is the last OS that runs rosetta and keeps numerous PowerPC apps that never made the jump to Intel. I'll keep Mojave running when eventually I have to jump to Arm because I'm sure a lot of the software I run won't make the jump to Arm. I'd LOVE to drop any of those systems, but each exists because there are applications that do not have replacement on modern OS'es.

And that, my friend, is exactly why they bought Logic. Don't know if you were in the music game back then, but the way it played out was:

- Logic had the pole position for non-pro-tools music at the time, and sold (IIRC) for about $600

- Apple bought Logic and stated publicly "we will not discontinue it on windows"

- I think a year later, might have been two, they cancelled it on windows

- Some time later, they dropped the price, and also put out garage band, using Logic's engine.

- Logic's product roadmap (from what I've heard) became more general user friendly (can't attest to this personally though)

Basically, anything Apple owns becomes part of the plan to get you on a mac and iEverything, secondary to whatever its original purpose is. I won't touch any music software now that doesn't run on at least 2 operating systems. Fortunately most of them now realize the importance of this.

I'd recommend looking at other options like Reaper, Cubase, or Digital Performer, all of which have been improving steadily and can run on windows or OSX.

Personally I'm sticking on High Sierra, and doubt my next machine will be a mac. Man I'm going to miss Bash everywhere though. Sigh

> macOS is my favorite OS, but the shit I put up with...

Right there with ya.

I never have problems with the new MacOS or iOS. The trick is to just wait for the X.1 update.

This is happening to Macs running Catalina and Mojave, not just those that upgraded to BigSur.

High Sierra it is then. ;-)

This happened to me too! What the hell.

yeah, I had spotlight thrashing my disk too. Odd.

How interesting...Apple, couldn't, be doing a pied piper, right?

/s obviously.

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

That's another case of a product not doing its primary function - OS running apps - because company placed their own (data gathering) objective above it. See thermostats not turning on heat when the internet connection is down and other equally stupid examples...

See also: all electric vehicles (except a few very old designs).

Tesla is not all electric vehicles.

My Twizy and Ioniq haven't got a single touch of data gathering neither a SIM card/wifi connectivity.

Yeah those are golf carts.

Pretty sure Apple is doing this for security reasons, not data gathering reasons.

Well, security starts with Availability.

Otherwise, my car is very secure when I never use it. Like, totally. Flying also has become very very much safer.

Edit: is/use/

Correct, I believe the main intent is to stop worms and ransomware.

Like most times in life intent is not relevant. Actions are.

Nobody cares what you intended, they care how you actually affect them.

Fair enough.

What actions on Apple's part have tangibly compromised their users' privacy?

Please. It's just data gathering. Security doesn't mean giving away privacy.

I discovered this by running unbound – a DNS server – locally (block some unwanted hosts and do dns over TLS). I guess the rest of the story is pretty obvious; having your default dns server not being able to resolve because you're trying to verify it – since you cannot resolve your verify hostname – is obviously Not Great. As you can imagine, there is no waiting in the world that fixes this. I couldn't kill (-9) the process either; had to reboot into safe mode, rename the binary and switch the default dns on the network.

Currently the workaround seems to be /etc/hosts override or firewall-level blocking.

Just a small reminder that this can soon stop working: Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur - https://news.ycombinator.com/item?id=24838816

Will they prevent changing hosts file as well?

It's more likely that there will be an Apple-only private API that uses /private/etc/hosts which already exists, but is editable (for now) instead of /etc/hosts.

Note that it's ocsp.apple.com, not oSCp.apple.com.

I'm sure if the SCP Foundation gets involved in filtering our applications, they have a very good reason, like keeping Zalgo out of our reality.

I would want to see what applications foundation is hiding from us. Like a FOSS version of Windows 10

Ahh, thanks for the hint. It was a bad typo, but I can't edit my post anymore.


Just reached out to Dang with a request to correct my typo.

Blocked both.

dns is case insensitive

OP was commenting on the order of the S and C

parent is using case to highlight a typo in the domain name, not to imply that the problem is with the case.

it's transposed, not case difference

"oSCp".ToLower() != "oCSp".ToLower()

The server is called OCSP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.

So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?

Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.

Here's a wild idea: don't block executables from running.

Or if you do, only do it for a set of known bad ones, as antivirus products do.

Do not put a cloud service (or anything for that matter) between the users and their ability to run what they want.

Sure but how does that work? If a cert-revoked app is allowed to run, the damage is already done.

I think perhaps a better tradeoff would be if a revocation list could be synced hourly or so and the app could be checked sync locally and then asynchronously on open. And of course, always give the power user an option to ignore things.

Here's an idea: log all opened binaries somewhere and then every hour or so check them against the list.

Never block me from opening something, but warn me about bad stuff on a regular basis.

They could also keep the current solution and just use a CRL as a backup to OCSP to check the revoked certificates and update it every other hour...

Yes but with your solution if an app is malicious, and did malicious things, it now has a whole hour to fuck your shit up before being disabled.


You can also run these commands to disable ocsp (and crl) since it can no longer be accomplished in Keychain Access → Preferences:

    defaults write /Library/Preferences/com.apple.security.revocation.plist CRLStyle None
    defaults write /Library/Preferences/com.apple.security.revocation.plist OCSPStyle None
    defaults write com.apple.security.revocation.plist CRLStyle None
    defaults write com.apple.security.revocation.plist OCSPStyle None

That OCSP server must be compiling a huge set of stats on application usage. That doesn't sound right, privacy-wise.

It probably just gets a fingerprint, or the cert’s information.

But when the endpoint is dying and it gets called every time you try to run any binary…

I thought this was an old issue that was known or resolved months ago. Is this still an ongoing security practice that kills devs on MacOS?

This is about when I remember seeing it: https://medium.com/@acecilia/apple-is-sending-a-request-to-t...

Can Apple not use security certificates to verify publishers? Why does it need to go to their servers?

The URL mentioned in sibling comments suggests this has to do with certificate revocation (OCSP): https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

> I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

Based on the OP tweet... depending on the way it is unavailable, the failure is indeed ignored in some cases. "Denying that connection fixes it, because OCSP is a soft failure (Disconnect internet also fixes.)"

So it may be an actual unintended bug that a particular failure path results in a DoS instead?

Normally if there's no internet Gatekeeper instead checks the "stapled" notarization ticket from the notarization process. But since there is internet, and the ocsp server is technically "up" gatekeeper isn't checking the tickets.

actually I think the problem is not that it is not available, heck /etc/hosts fixes wouldn't work then. it's that it is unresponsive as hell, and they have no system wide circuit breaker, if it is slow.

If it were unreachable then the daemon would fail fast. A slowdown on the other hand just makes requests to the daemon queue up.

I am calling an unresponsive service unavailable. I think we agree about everything else.

What’s the alternative tho?

A limited change would be to fail-open more of the time, e.g., if the OCSP server does not respond within a few milliseconds. (MacOS already fails-open in some internet scenarios.)

A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).

This is exactly right, and given Apple’s privacy commitment should have been implemented already.

Publish revocations as security updates to the OS?

Security updates take too long. How bout each copy of MacOS keeps local copy of revocation database, and updates in background?

Much faster, updates relatively quickly, and not subject to network outages.

I'd imagine that revocations don't happen often. And when they do, Apple has a perfectly capable infrastructure to push those small incremental changes on demand. It's almost as if they intentionally ignored such superior solution and chose calling home for other reasons...

That way (current) Apple also has the app usage statistic?

Microsoft Windows 10.

You don't need an alternative. The entire concept is totally unnecessary.

The alternative is OCSP being allowed if internet isn't available, which is a security risk for reasonable defense-in-depth strategies.

Most OCSP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt in, because having an always-online requirement for using a Mac is ridiculous.

If your Mac is unambiguously offline it fails open. What it's handling poorly is the fail-slow case.

Ugh. IMO the network should not be on the critical path to running an executable.

Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.

I don’t think the design is wrong, I just think it’s tuned a little too cautious. If you’re going to verify certs then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.

There really aren’t any good solutions to this unless you can solve the cache invalidation problem.

The OP literally says if you disallow connection or unplug the internet it does fail open.

I think it's probably an unintended bug that this failure mode was fail-closed.

The costs of this unintended bug are going to be huge to Apple's reputation, as demonstrated in this whole HN thread, where many are assuming what's going on is even WORSE than it really is.

(Personally I think having signed certs (with opt-in ability to run unsigned apps, as MacOS has) is fine. And fail-open OCSP revocation check is also fine-ish, although it would annoy me if it's making it slower to launch apps on the regular. The problem here is a bug, not one of design. But most of this thread is assuming Apple was doing something different than this. Of course, how often a company produces fairly catastrophic bugs is also on them).

MacOS already fails-open if the OCSP server resolves to the local host (see: every suggestion to edit /etc/hosts in this discussion).

They are checking for revoked certificates.

It does go locally if you are not on wifi. I thought the issue was my slow internet so I turned off wifi and suddenly everything launched just fine.

Right around this same time, I had 1 MacBook hard reboot (watchdogd timeout) and shortly thereafter, a second MacBook froze, fan maxed out, with the display not coming up. Then it rebooted into recovery mode.

Yeah, these _could_ be unrelated issues to what has been going on in Apple land today, but it's uncanny...

I keep reading in the tweets how all Macs are unusable. Is this an OS bug that doesn't affect older OSes? I'm on Mojave on my 2017 MBP, and have had zero issues at all.

When was `trustd` introduced?

Checking for notarization on each launch was introduced in Catalina. Older versions have trustd, but it was only used for the Gatekeeper checks added in 10.8.

`/usr/libexec/trustd` exists on Mojave, too. There's a (very unhelpful) manpage.

I think you were just lucky to not open non-Apple applications during the outage.

I ran into this on trying to load a new video file on VLC, with Mojave, so I guess it's not just apps, but maybe any new file load.

My 2018 MBP on Mojave had some serious issues launching apps for a little while yesterday (3PM central) afternoon. It seemed to resolve within an hour though. Not sure how that lines up with the outage described here.

Found another reason for me to not get a Mac

You can't go wrong with a ThinkPad. I switched from Mac to a T480 with Arch for dev work and it's been great.

I'm running a bunch of ThinkPads with Fedora & all works fine (and worked fine for years).

We’re running Thinkpads at work with fedora and they really don’t.

Any specifics on what does not work?

Hibernation. External monitor support is buggy. Pulseaudio is buggy with external microphone. IR camera face login isn't supported. Fingerprint scanner isn't working properly at login after sleep. Sound from internal audio is much worse than was on Windows. No app I know of can reliably share screen on Wayland.

Very true. Run FreeBSD and OpenBSD on Thinkpads at home and work and life's a peach...

If they brought back taller displays I’d be right there with you.

Another poster mentioned the Huawei Matebook Pro has a 3:2 screen. I'm now looking into getting one for that reason alone.

They are; the next crop will be 16:10.

Check the article on AnandTech about the new Razer laptop.

Disclaimer: not affiliated.

Why isn't Apple doing OCSP stapling & caching? Reverse proxies have long since solved OCSP availability with stapling and caching.

This might be a stupid question, but is there a downside to blocking this "feature"? I can't think of any.

I've been using Big Sur beta for some time and one of the things that annoyed me a bit was the sudden lack of responsiveness, which is a tad annoying given that I upgraded to a 16-inch MBP earlier this year and everything felt so snappy.

Huh apparently I win by still being on an old OS version?

Depends on how old, I guess. I'm running Mojave, and ran into the problem.

My policy is to never upgrade anything until everyone I know has upgraded to the next version and not downgraded after N weeks.

LOL, my policy is to never major-upgrade the OS the machine came with.

I have machines around the house with OSes going back a ways...

This is the correct policy. I upgraded my Mac because I couldn't install a certain application on the version I was running and now it runs crazy hot and the fans run on full blast whenever I watch a video on the internet.

My policy is to upgrade my secondary/personal/low importance computer on day one and my primary computer a few weeks later.

ocsp.apple.com also has an IPv6 address. Firefox connects to it even with in the hosts file and a flushed cache (you need to also clear Firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the OCSP site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.

Disable IPv6: `sudo networksetup -setv6off Wi-Fi` (where Wi-Fi is the name of the network service)

Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling IPv6 altogether, but admittedly I've never worked with IPv6 networking on Macs.

Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.

[1]: https://www.unix.com/man-page/FreeBSD/8/ipfw/

Just to confirm: Yes, that works fine. It's probably the better solution here.

And people were shocked at Windows 10 doing telemetry. MacOS isn't doing it better, as I see.

I had both my personal and work laptop become unresponsive at the same time. I was wondering what kind of problem could cause that - was thinking EM interference or possibly something on my network. This explains it.

Ha! So that's what it was. Last night (I just woke up in the UK) my MacBook Pro started to crawl, and I started to fret that it might be the SSD starting to fail.

Welp, I won't be updating today then, not unless they fix that.

There is a mistake here. It should be “ocsp.apple.com”

Using a premium DNS with filtering features makes sense: https://dnsadblock.com
