This makes me wonder how open source is supposed to work on macOS. People seem to become more and more aware of it and even enterprises that insisted on support contracts can see that they can't get around open source completely anymore. Meanwhile Apple is removing the ability for me to have a pet project without paying an Apple tax.
If the message were completely transparent, something like "The developer didn't pay $99 for us to do a cursory check on them (or whatever it is that Apple does with that money), are you sure you want to run their software? [Move to trash] [No] [?]", then that would give the user the relevant information to make this decision, but as it is, virtually no mac user will understand what is really going on.
I also can't imagine $100 is easy to come up with in countries below level 4[1]. The OpenStreetMap Foundation recently introduced a way to waive the yearly £15 fee for OSMF membership if you have a certain number of map edits or otherwise contributed to the project. The OSM community seems to be quite diverse, but I can't imagine that Apple computers are less widespread than OpenStreetMap.
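The dialog the post above complains about is raised by Gatekeeper when a file carries the com.apple.quarantine extended attribute, which Safari, Mail and most other downloaders set on anything they write to disk. The attribute, not the developer's $99 membership, is what decides whether the check happens at all; the membership only decides how the check resolves. The example below is added here and is not code from the thread: it decodes the attribute so a user can see when a file was quarantined and which program quarantined it, which is most of "what is really going on" that the dialog hides. The layout assumed is flags;unix-time;agent;uuid, all hex or plain text, which is what `xattr -p com.apple.quarantine <file>` prints on a Mac; the individual flag bits are left undecoded on purpose. The sample value is constructed, not captured from a real machine. To see the signing and notarization side of the same check, `codesign -dv --verbose=4 <App.app>` and `spctl --assess --type execute -vv <App.app>` are the relevant commands.

```python
"""Decode a macOS com.apple.quarantine extended attribute.

Added example, not from the original thread. The attribute is what makes
Gatekeeper evaluate a downloaded file; its value is a semicolon-separated
string assumed here to be: <flags hex>;<unix time hex>;<agent>;<uuid>.
The flag bits are not interpreted, only exposed as an integer.
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample of a raw attribute value (not from a real machine).
SAMPLE_QUARANTINE = "0083;600d1a2b;Safari;4F3A1C2E-7B9D-4E5F-8A1B-2C3D4E5F6A7B"


@dataclass(frozen=True)
class Quarantine:
    flags: int                 # raw flag word, hex in the attribute
    downloaded_at: datetime    # when the downloading app set the attribute
    agent: str                 # name of that app, e.g. Safari, curl
    uuid: Optional[str]        # links to the LaunchServices download record


def parse_quarantine(raw: str) -> Quarantine:
    """Split the raw attribute value into its fields.

    Raises ValueError if the value does not have at least the three
    mandatory fields, rather than guessing at a different layout.
    """
    parts = raw.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read and decode the attribute from a file on macOS.

    Returns None when not running on macOS or when the attribute is
    absent, i.e. the file was never quarantined or the xattr was stripped
    (a stripped attribute is exactly the case where no dialog appears).
    """
    if sys.platform != "darwin":
        return None
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        return None
    return parse_quarantine(result.stdout)


if __name__ == "__main__":
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print(f"flags=0x{q.flags:04x} downloaded={q.downloaded_at.isoformat()} "
          f"agent={q.agent} uuid={q.uuid}")
    if len(sys.argv) > 1:
        live = read_quarantine(sys.argv[1])
        print(live if live else f"{sys.argv[1]}: no {QUARANTINE_XATTR} attribute")
```

Run it with a path argument on a Mac to decode a real download; without one it decodes the constructed sample. Removing the attribute (`xattr -d com.apple.quarantine <file>`) is what "allow anyway" effectively does, which is why the presence of this one attribute, rather than anything the dialog says, is the fact worth checking.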
I remember RMS saying that the GPL was updated because one "obvious" freedom was not so obvious -- you could meet all the requirements of the GPL, without giving the right to RUN the software.
GPL3 allows that. And looking backwards, Apple shipped software that was GPL2, but would not ship software that was GPL3. As one example, bash and make both quietly stopped getting updates from Apple when the GPL3 versions came out. (Although Apple sort of broke the GPL with bash, as it never shipped all the source for it -- missing the header file rootless.h.)
One other point about these dialogs + the help message. You are required to contact apple to even see this online help. Apple deals itself into the equation no matter what.
As an ex-Apple employee and long-time developer, I'm glad people are starting to see Apple is an open source foo creating prisons of software to lure the obsessive brand fanatics and get a fee selling them as users to the other parties.
- in apple tech, the users are volunteer products where servicing them gets a myriad of monetization, notarization etc.
- I hope open source starts to ignore Apple platforms as a target at some point. Being "*nixy" and the presence of "brew" etc. gave the false impression Apple is in the open source camp.
I would never develop against an OS like that. Far too many security risks. MacOS still has < 10% market share and I believe that number won't go up too much in the near future at least.
The level of rationalization of these lock in practices is just sad to be honest, fully neglecting how software becomes more accessible.
Even signed apps have been victims of malware attacks, and I do think the check is primarily to ensure the developer has paid their Apple tax. It isn't that high, but I don't think I want to spend it. If it gets normalized, Apple will surely increase it and developers would have absolutely no handle to protest.
> I do think the check is primarily to ensure the developer has paid their Apple tax
I think the true reason for the check is not money, but control. They want to control what software runs on "their" platform. For historical reasons, they don't have that control on desktops/laptops yet (but they already have it on phones).
If you're developing in the right sector, MacOS has a market that's selected to be lucrative.
I don't think that's a particularly good thing, but it does explain how <10% market share can make such a big splash. Especially for more casual projects, IMO.
> glad people start to see apple is an open source foo creating prisons of software
People have been saying it since day 1 of the Apple App Store. It's called a walled garden and it should be attacked as the abuse of a dominant position it is.
Near monopoly power. We are talking about Macs still, right?
Oh I'm against this latest erosion of the ability to run whatever code you want on a Mac. This is one of the reasons I just got one of the new Intel iMacs, because I can see this coming on the ARM side. It's their product though, they legitimately get a monopoly on what features it has, and I don't have any right to tell them how to design it. That's histrionics.
There is a legitimate case to be made, though, as customers, as to how we would like to see the product develop. I'm behind that effort 100%.
> Near monopoly power. We are talking about Macs still, right?
The problem is that there's only one Apple Developer Program for both iOS and macOS.
If you get kicked out of the developer program for reasons related to the iOS App Store, you're also kicked out of independent Mac distribution outside the App Store. You no longer have true independence on the Mac either.
Well, you're using someone else's products (dev tools, compilers, OS libraries) you buy and license from them under certain commercial terms. If you don't like the terms, don't buy them.
And to be crystal clear, that's the approach I am personally going to take. I carved off a TB partition and installed Windows 10 and WSL 2 on my new iMac and it runs like a dream. I still need MacOS, and I'll be installing VirtualBox for some stuff. If the Mac gets to the point where I can't run all the applications and tools I need, I'll miss the hardware and the OS and some apps, but I'll jump ship. I hope they listen to us, but I intend to ask and argue, not tell or coerce through legal action.
> Well, you're using someone else's products (dev tools, compilers, OS libraries) you buy and license from them under certain commercial terms. If you don't like the terms, don't buy them.
This doesn't tell the whole story, because terms change. Even open source licenses change. Apple added Gatekeeper to Mac OS X in 2012. Before then, it was a pretty open platform. And other companies such as Microsoft and Google have been known to follow Apple in some respects, so just because one platform has better terms than another at the moment doesn't mean the platform owners can't change their terms on a whim. Apple/Google/Microsoft have close to all of the OS market share on both mobile and desktop, so it's not like there are a lot of choices, especially in the consumer space.
They can't change the terms on a product they have already sold to you, but new versions of the OS and dev tools are new products with new features. If you want the new features, you can choose to accept the terms, but you don't have to.
On the user side, there are security updates. Yes, you can refuse to install OS updates that patch vulnerabilities, but obviously that's a big problem for the user. And eventually the vendor stops providing security updates altogether for the hardware.
On the developer side, you can't really refuse to use the new versions, because they are required to support your software for the latest OS versions, which is where your customers will be. So if you don't, you lose your customers and go out of business, which is not much of a choice.
It's untrue that updates consist of nothing but new features.
Do that. I do so as well. But as a rule for society it seldom works. Too few people are willing or knowledgeable enough to withstand the lure of their individual short-term benefit as opposed to the collective cost of their action. I mean, this very feature we are talking about is itself a protection of users against their short-term desire: "Let me run this application, I want to see the dancing bunnies" [1] And people fail to do so, even though the downsides are personal and sometimes very immediate. They could research who distributes the file, calculate the trade-off between the remaining uncertainty and the expected reward and come to a rational decision. Or they could just click! Just accept those terms and conditions. Just enter their credit card number on the Apple developer product page to get to what they want. And that's what most people do most of the time.
It's for this coordination and collective bargaining problem that we need to regulate the shit out of anything that reaches a certain size.
Well the other hypercapitalists sell a product that sucks and sure, it lets you run other stuff, but it absolutely tramples on your privacy and is still, for the most part, worse in all aspects. (and yes the keyboard issues were very close to tipping the scales)
If only we had an operating system that we could install on our computers freely, right?
It is a shame that people are forced to buy a computer and not reformat the disk to install their OS of choice. It is a shame that we can not take the money that we could be saving and investing in open alternatives...
But it is not a panacea and it is not for everybody. And it has two main issues:
- developers don't care about stability and/or polish (just see the discussions on the trackpad ITT) "Oh but if you change library X to Y and reroute libinput and etc it might maybe work and maybe it will not break anything else"
- because of the former reason, not all (important) applications are available for the platform. I'm really glad that a lot of things are online now, but that doesn't solve all problems
I've lost count of how many times wifi was supposed to work "out of the box" in Linux and it didn't. (And no, it wasn't an issue with drivers or wpa, it was the stupid Gnome NM widget - if I configured it manually it works.) Or some other stuff. And sure, there is stuff that works better even than MacOS.
- windows 10 - no privacy, hello telemetry, cortana, etc.
- mac os - no freedom to do anything not allowed by apple
- Linux - polish / ui issues?
At least with Linux once I configure it right it works without issue and does everything I want.
Currently that means kubuntu 20.04, AMD GPU (or intel integrated) and laptops that say they support it (Dell/Lenovo) or self built desktop. (I used gnome until I hit your NM issue too and it did not allow me to move top bar to the right... switched to KDE)
I no longer have a fear of upgrading distributions/packages causing problems, nvidia drivers causing black screen after upgrade...
I know it is important, that and exterior looks of the hardware.
Still, I do not have UI issues and the polish is fine on Linux, was explaining how to get there.
Problem is people expect a $300 Linux laptop to work like a Mac usually... when you would need a similarly priced Dell XPS or Lenovo Carbon X1 plus manufacturer support for Linux, like the Dell Developer Edition.
I agree. There are several distros (especially something like Elementary OS) that are pretty darn easy to pick up as a Windows user. I set my very non-technical grandma up with Elementary OS and she loved it.
I don't think the obstacles to adoption are based on the merits of Linux (or lack thereof). The obstacles are institutional. Businesses don't want to adopt Linux because that's a risk, and most people know Windows/Microsoft Office. Average people don't want to take a risk (installing Linux/buying a Linux box) with a device that is a decent-sized investment for most people.
I have made multiple attempts to switch to Linux, spending days each time trying to customize it and get it how I wanted. And never did it ever approach the productivity and polish of macOS.
Certainly I have issues with Apple, but it's a simple cost/benefit calculation. Right now the benefits of macOS vastly outweigh the downsides for me.
Unless Apple's problems increase to the point of being unbearable (very likely to happen at some point) or the quality of desktop Linux increases significantly (unlikely to ever happen), I just can't justify switching. And I expect many, many other people are in the same boat.
My computer is a tool. Idealistic notions about free software are nice, but they don't mean anything if that software is worse than a nonfree alternative. Free software needs to be _better_ to win, and I just don't see that ever happening in the consumer OS space.
But you’ve only got that choice on an ‘old fashioned’ PC. We could reach a point where PC hardware is unavailable, because the majority of people have switched to shiny but terribly-locked-down devices that have far surpassed anything that a ‘legacy open platform’ can do in terms of performance
Major version upgrades (ubuntu 18 to 20) - here I just re-install and it's expected, I wouldn't upgrade windows 7 to 10 either...
Why not? I've upgraded a few Windows machines from 7 to 10, and the upgrade has gone just fine, assuming there's enough disk space for the OS to store the upgrade files before it starts the upgrade. Similarly, I've upgraded Linux boxes (both Ubuntu and Fedora) across major versions. MacOS as well.
I don't know where you're getting this notion that an OS upgrade is a scary thing to do. In my experience, it's been a routine, if somewhat long process.
My parents messed that up (clicked Accept by mistake on a Microsoft upgrade pop-up when that was a thing); the system no longer booted and had to be reinstalled...
Also, I'm old, maybe things have improved, but I've had upgrades wipe my hard drive due to a CentOS Anaconda bug once (CentOS 5 to 6); other times it just did not boot (yay using an encrypted boot partition, but that's on me and updating grub fixes it).
Added benefit is it also forces me to check/update backups
> NVIDIA driver updates (or kernel updates while using nvidia) - caused black screen... I dumped nvidia... these are due to crappy nvidia.
This is a legitimate dispute and I'm not really counting it because as much as I think Linux should have a stable driver ABI, NVidia are being needlessly obtuse.
> Ubuntu deciding to remove old libraries/apps that are not maintained. That's fixed via docker or just keeping an old version.
Which is not a simple task. Why can't keeping old software be simple? It is in sane operating systems. Hell, even Linux can do it right, as AppImage proves, but the Linux Desktop community is so hell bent on making everything as complicated as possible that they pretty much ignore AppImage.
> Major version upgrades (ubuntu 18 to 20) - here I just re-install and it's expected, I wouldn't upgrade windows 7 to 10 either...
Ubuntu LTS receives 5 years of support, but most new software will not be backported to the repository for anywhere close to that long in my experience and instead you're getting about 2 years. Windows 7 was supported for nearly 11 years and it was rare new software didn't support it for that entire time.
> you only get annoyed by those if you are a power user anyway
Precisely. Linux Desktop people seem to think that targeting people who only need a web kiosk is somehow going to make them popular, but if people who actually know about and need the features of an actual desktop computer don't like it why would they ever recommend it to anyone?
> Which is not a simple task. Why can't keeping old software be simple? It is in sane operating systems. Hell, even Linux can do it right, as AppImage proves, but the Linux Desktop community is so hell bent on making everything as complicated as possible that they pretty much ignore AppImage.
Resources make it complicated (time/money/...). I wouldn't maintain another person's library that he doesn't bother with.
> Windows 7 was supported for nearly 11 years and it was rare new software didn't support it for that entire time.
You are comparing a paid product with something free. For better or worse, new software works on older Ubuntu versions as well, but you need to compile it or work to get it there. Or just upgrade.
I assume you can also switch to Red Hat which have paid support.
> Precisely. Linux Desktop people seem to think that targeting people who only need a web kiosk is somehow going to make them popular, but if people who actually know about and need the features of an actual desktop computer don't like it why would they ever recommend it to anyone?
My point there was if you are a power user you should be able to get it working, it's a skill that's very good to have. Other less skilled people don't hit it by virtue of not playing around.
The 'Linux Desktop' people that you say are targeting things for better or worse put in time to build free products, if you don't like some switch to others or contribute.
> The 'Linux Desktop' people that you say are targeting things for better or worse put in time to build free products, if you don't like some switch to others or contribute.
I did. I used to run Linux on 4/5 of my desktops and now that is down to 1/5, and only because I haven't turned that one on in 6 months. My complaints are made no less invalid by that.
Contributing to Linux Desktop is, in my considered opinion, a waste of time. The community is so dead set on doing things in the most convoluted and complicated ways possible that there is no hope for reasonable ideas.
what do you use now then and how happy are you with that?
I for one am the reverse, tried recently using windows and it just got in the way, plus felt like I was being spied on like old times under communism...
Tried MacOS/a MacBook last year, but I can't even move the titlebar to the right... Plus Apple restricting everything I can do... Plus the MacBook couldn't install Linux on it, crappy keyboard, overheating; easiest return I ever did.
I used Lubuntu. I tried many other distros, probably several you never heard of, but Lubuntu was consistently the most tolerable.
I'm pretty much Windows-only at this point. It definitely has its flaws, and it is definitely getting worse as the new "lets make everything suck as bad as the web" culture takes hold, but I still find that it works with me much more often than against me which is more than I can say for the way Linux desktops work.
It is not a matter of recommending Linux or *BSD or anything else. It is just a matter of refusing to give in to closed software on the grounds of "convenience".
I don't go around telling people what type of software they should use, but I do expect technical people and the common developer to understand what a terrible trade-off they are making when they choose a proprietary desktop. I find it hard to sympathize with those that complain about the abuse and developer hostility from Apple. They sold their souls to the devil for cheap and are now trying to bargain their way out of it?
Maybe you could give them the benefit of the doubt that they know exactly the trade-off they were making, and perhaps even wish they didn't have to go the route they did, but the alternative just isn't there yet?
If the alternative is not there yet and you are not helping build it, it is even worse!
I don't mind people that tell me they need, e.g, Photoshop to do their work. I do mind the fact that they don't contribute to any alternative. Just paying the subscription to Adobe and shrugging it off, instead of hedging and contributing to the alternatives? Shame on them.
Imagine 10% of Adobe customers donating 10% annually of what they pay to Adobe to contribute to the development of an open alternative; we'd have hundreds of millions of dollars. How long would it take until Adobe would be no longer needed, or at least playing on a more level field?
Even more so in the case of the stereotypical web developer that uses a MacBook when every other tool they use is FOSS. Puts $2k on a laptop that will only cripple you and work against you and still thinks this is somehow good "User Experience"? To me this is like failing an IQ test.
> If the alternative is not there yet and you are not helping build it, it is even worse!
I have seen what happens when people try to help. At best they are ignored. As I've said before, it is my considered opinion that the community is simply not interested in making things better. I would be totally ok with that if they weren't also evangelical.
And also, there's only so much time in the day, some of us have higher priorities than building replacement software for stuff that already exists.
"interested in making things better" != "interested in making things the way I'd like them to be"
> there's only so much time in the day
Then contribute some other way instead of just expecting the "community" to accommodate you and your opinions. I'm pretty sure that you won't be ignored if you find the developers responsible for the projects you care about and spare 10-20 bucks their way alongside a list of the issues and proposed improvements.
> "interested in making things better" != "interested in making things the way I'd like them to be"
Same difference really if our opinions of what constitutes "better" are so drastically opposed.
> Then contribute some other way instead of just expecting the "community" to accommodate you and your opinions.
I have contributed both code and money to projects I think are doing good work. Sadly there are very few of them.
> I'm pretty sure that you won't be ignored if you find the developers responsible for the projects you care about and spare 10-20 bucks their way alongside a list of the issues and proposed improvements.
I can say with confidence that most of the projects I've donated to have given me absolutely no special treatment just because I contribute money. I wouldn't have it any other way really; issues are issues regardless and they should be fixed with regard to severity, not who has deep pockets.
Hell, that's probably one of the reasons things in Linux land are so ungodly complicated right now: FAANGs are calling the shots because they have the deep pockets.
> our opinions of what constitutes "better" are so drastically opposed.
I am not sure I follow. You mentioned somewhere else that Lubuntu was the one that gave you the least problems and that you are now using Windows. Coincidentally, Lubuntu is the flavor that looks most like older versions of Windows.
To me it looks like your assumption is that anything that does not look like Windows 2000/XP is "worse". If you are starting from this point, don't be surprised if others disagree and ignore you.
(Myself, I've been using Xubuntu for the past 8+ years, but I am really not liking the direction Canonical is taking with snap. Perhaps I will switch to Debian + XFCE when I get a slow weekend, but this has nothing to do with desktop issues. It's not perfect, but the worst problem I can remember was related to getting a blank screen after resuming from sleep, which I solved by changing the screen lock program.)
> FAANGs are calling the shots
What the big companies are doing is related to the infrastructure side of things and has nothing to do with the desktop - perhaps except Google and their ChromeOS, but Google's ChromeOS approach is looking each day more and more like turn-of-the-century MS and their "embrace, extend, extinguish".
Anyway, perhaps the issue is that you are conflating "Linux" with "Open Source Desktop" and expecting a central place to solve all solutions?
> I am not sure I follow. You mentioned somewhere else that Lubuntu was the one that gave you the least problems and that you are now using windows. Coincidentally, Lubuntu is the flavor that looks like the most with older versions of Windows.
> To me it looks like your assumption is that anything that does not look like Windows 2000/XP is "worse"
That's a very condescending conclusion to draw. I found LXDE less complicated and significantly snappier than alternatives that had their own Ubuntu derivative. I chose an Ubuntu derivative because Ubuntu has the widest range of supported software.
But hey, it all has to do with how it looks right? Thinking like that by the Linux Desktop community is why you guys still aren't taken seriously.
> What the big companies are doing are related to the infrastructure side of things and have nothing to do with the desktop
The desktop experience is not wholly separated from the infrastructure beneath it. The init system, the event subsystem, hardware management, network management, sound system, display server etc. are only abstracted in the leakiest of ways.
> Anyway, perhaps the issue is that you are conflating "Linux" with "Open Source Desktop" and expecting a central place to solve all solutions?
Unfortunately it pretty much is the only option that is even remotely viable. But mostly I focus on problems with Linux because it has by far the most evangelical community.
I am not going to be debating what exact problems you had, but I must be extremely lucky if all those years I never had any kind of showstopper critical issue that made me think "Ok, I can't deal with this and I have to go back to a proprietary desktop".
It's been at least since 2012 that I had installed Linux and couldn't connect a printer or scanner. Meanwhile my wife's laptop on windows asked to reinstall drivers every time she wanted to print something. Webcams? No problem. Wi-fi? No problem as long as I didn't try to use a chipset that was either too obscure or too new and unsupported.
The one thing that I gave up on having on my laptop is low-latency audio to connect a guitar and use software audio effect processors. But the way I solved this was by using a separate old laptop with a custom kernel dedicated to be my "guitar effect box". I still didn't have to give up my freedoms and I did not have to give up any functionality/comfort.
> But hey, it all has to do with how it looks right?
I believe you when you say that LXDE was snappier than the other Ubuntu alternatives, but were the alternatives slower than whatever version of Windows you have now? That will be very hard to believe.
So forgive me for sounding condescending, but you went with probably the most obscure and least popular Ubuntu flavor - the one that has probably almost no funding from Canonical and maybe a handful of developers interested in it. What were you expecting, exactly?
If Ubuntu was bad for you, maybe try Fedora? If you wanted a more knowledgeable community, maybe try Arch? Why instead of sticking with your preconceptions of how things should work, you ask what are the others doing that let them be productive on a FOSS Desktop? Why is it that upon hitting difficulties your reaction is to go back to the comfort zone of a proprietary and familiar system?
"Is FreeBSD ready for the desktop? Yes and no. Yes, in that I have a very nice FreeBSD laptop where everything works the way I want. But no, in that it took me two months worth of fiddling with this in my spare time to fix some of the "glitches" which arose; while there wasn't anything particularly challenging, I expect that most people would give up long before they fixed all of the issues I ran into.
On the other hand, can FreeBSD be ready for the desktop? Absolutely. I've fixed the issues I ran into — and once we have FreeBSD 12.2-RELEASE with packages built for that release the process of bringing up a GUI will be much easier, as well. The biggest thing FreeBSD needs is to have developers acquiring laptops and carefully working their way through the issues which arise; the FreeBSD Foundation has already started doing this, and I hope in the months to come they — and other FreeBSD users — will publish reports telling us which laptops work and what configuration they need."
> I am not going to be debating what exact problems you had, but I must be extremely lucky if all those years I never had any kind of showstopper critical issue that made me think "Ok, I can't deal with this and I have to go back to a proprietary desktop".
Ugh. Thing is, it isn't about luck. It's about use cases and yours must just match how Linux works better. I'm going to take a wild guess that most of what you use a computer for is browsing the internet and either web or unix development.
> So forgive me for sounding condescending, but you went with probably the most obscure and least popular Ubuntu flavor - the one that has probably almost to no funding from Canonical and maybe a handful of developers interested on it. What were you expecting, exactly? If Ubuntu was bad for you, maybe try Fedora? If you wanted a more knowledgeable community, maybe try Arch?
If you had been paying attention instead of being a typically dismissive Linux evangelist, you'd have noted that the vast majority of my problems had to do with the Ubuntu part of Lubuntu. You know, the part that's common to all Ubuntu derivatives? Not to mention, as I said, I've tried many distros, popular distros, unpopular distros, wildly divergent distros, etc, they all have pretty much the same problems because the problems are inherent to how Linux userspace is constructed!
But whatever, you are just like the rest of the Linux Desktop community. You have made using Linux a part of your identity and cannot stand criticism, so you just become insulting, condescending, and generally dismissive of any issues anyone is experiencing.
> Why instead of sticking with your preconceptions of how things should work, you ask what are the others doing that let them be productive on a FOSS Desktop?
Because they are doing different things than I do! And when you want to do something different than what the Linux Desktop community does, their only advice is to not want to do that.
> We must have very different thresholds for defining "remotely viable".
Clearly. Which is pretty much exactly my point: Linux works for you because it fits your needs well, and it doesn't work for a lot of others, like myself, because it doesn't fit those needs well. If you're going to run around telling everyone how great your desktop is and that they should all use it, but refuse to recognize where it falls short, then you shouldn't be surprised when people don't want anything to do with your community.
Frankly, you are some of the most frustrating assholes I've ever had to deal with in computing.
There are projects and projects: on some I got ignored as well, even with patch and bug info provided; on others it was reviewed/integrated in a few days (Mozilla/Rust), or I was told I was wrong and the bugs I reported were fixed another way.
> > Ubuntu deciding to remove old libraries/apps that are not maintained. That's fixed via docker or just keeping an old version.
> Which is not a simple task. Why can't keeping old software be simple? It is in sane operating systems. Hell, even Linux can do it right,
I've wondered about these things, and I think the true reason is that Linux is a source-compatible operating system.
Other OS's solve this by the boring and painstaking task of assuring binary interfaces are stable and remain working. They usually do this by hiring and paying people to do it.
Linux does all compatibility at the source level, and binary compatibility is a little hit or miss. The common way to fix it is to recompile a lot of stuff.
As one example, I installed ubuntu 18.04 and it should be Long Term Stability.... but I did an
apt-get update && apt-get upgrade
and upgraded from a 4.x kernel to a 5.x kernel. I recall all the kernel dump stuff broke
Linux has really come a long way in terms of polish, support and stability. Give it a try again!
I use Linux Mint and love it.
MS Teams, Skype and a surprisingly good list of software runs on it natively.
A Hackintosh inside VirtualBox IS a pain to setup, but pretty cool when it works. Windoz inside VirtualBox works better than ever, thanks to MS new attitude on embracing Linux.. which is still hard to wrap my head around.
You are comparing circumstantial issues with fundamental freedoms being denied.
My point is that if you are willing to sacrifice your freedom for the convenience provided by the hypercapitalistic (sic, and lol at how pathetic this term is) companies, then don't complain about the lack of choices available.
> developers don't care about stability and/or polish
Try paying them just a fraction of whatever premium you paid for your iDevice. That might help.
In my experience, people who fight against things like NM do not know what they are doing, think it's still 1990 and network configuration is still a static /etc/network/interfaces, and then wonder why their wifi/LTE modem/DNS/whatever isn't working.
Does the fact that you think alternatives suck make apple have a monopoly? Sure they have a monopoly on your desires, but that isn't a big enough scale for laws to get involved.
There are alternatives out there. So it becomes really hard to claim anti-trust.
I think it’s really easy to claim anti-trust violations actually.
Apple already owns the customer because they’ve invested in the platform, but they’re not providing equitable access to software that other platforms are. This isn’t revealed to the customer though, so it’s not clear as a user that choice is being restricted in this way.
A lot of Apple’s practices have been legal up until now due to their minority market share in all markets they operate in - but what we see those markets as is changing. The App Store is a massive multi-billion dollar industry in itself that Apple holds and exploits 100% control over.
Whether or not a violation has or is occurring is for lawmakers to decide based on whether or not the App Store (or Google Play for that matter) constitute markets within the definitions provided by local laws.
Thankfully hyper capitalism's provided an alternative, Windows, Android, or linux, and pine.
I suppose if you're a socialist you probably don't understand how it all works without a government edict giving you instructions and making sure you and your neighbor have the same marginal product.
However, even without this edict, rest assured that you can make the change without the government allowing you to... Feel free to switch.
I get that you're just venting and that's fine. But were you to run any kind of open software movement and express public opinions, calling people "obsessive brand fanatics" would just antagonize them and not get you taken seriously.
to be fair there are people out there that do indeed fit that description, though they are in a minority but tend to be pretty vocal, so it's easy to overestimate their numbers
I don’t think anyone really had that impression, especially since most of the macOS Forge projects got spun off. But you can’t deny they made (and in many ways, still do) good UNIX machines.
> But you can’t deny they made (and in many ways, still do) good UNIX machines.
If you mean the hardware, it's OK I guess. It still lacks basic computer features like PXE booting (unless you count the proprietary "netboot"). You can't really install much on it or use it for anything but MacOS, which really isn't that great, IMHO. For the same cost as a MacBook, I got a really nice PC laptop with double the specs that runs linux flawlessly. I can also update the CPU, GPU, and RAM, which I can't do with a macbook.
Which model is that? It used to be that way up until 5 years ago or so in my experience, but it changed to be “comparable specs with comparable price” - except that the options from Apple are very limited.
> For the same cost as a MacBook, I got a really nice PC laptop with double the specs that runs linux flawlessly. I can also update the CPU, GPU, and RAM, which I can't do with a macbook.
My go to Laptop these days is the Lenovo ThinkPad X1 (either carbon or Yoga) very nicely built with a great keyboard, I hardly (if ever) heard the fan noise and except on a couple of models where the fingerprint driver isn't present, it works flawlessly ootb with Linux.
I'm still wondering what Lenovo were thinking when they came with Gen8 X1.
They used Comet Lake instead of Ice Lake - that results in things like the HDMI port supporting only 1.4 (i.e. no 4k@60 there). It makes their current non-competitive with the 2020 XPS13 or 2020 MBP13, which do come with Ice Lake.
No commercial UNIX was ever in the open source camp; in fact they are the very reason why GCC, ignored for several years, got a bunch of helping hands, as Sun started the trend of user and development UNIX versions.
Also given NeXTSTEP heritage, UNIX on NeXTSTEP was always a means to have a foot on the DoD UNIX requirements, there was nothing open source about Renderman, Lotus Improv and many other NeXTSTEP based tooling.
Nitpick: Not really. What you have to do is provide an offer for source code; accompanying the program, not after the fact. If anyone has not provided such an offer, they have already broken the GPL.
Also, the offer is open to any person. This is so that other people with copies of the program can fulfil their obligation by passing on the offer too. So maybe you make one GPL program specifically for Bill, you give it to Bill, and you write Bill the offer, never expecting him to care about the source code.
Six months later a teenager from a country you didn't know existed sends you an email - and the teenager would like source code please. They are legally entitled to that source code because of Bill's offer.
The written offer rule is deliberately the worst case. You should never choose GPL "written offer" with the expectation that this is reducing your work load or whatever, if you want least work just ship the source code with your program and fulfil the purpose of the GPL up front.
I believe the offer is for anyone you’ve distributed the program to. So if it was Bill who shared a copy of the program with the random teenager it would fall upon Bill to provide him with the source and not you.
“[…] a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.”
— GPL 3, Section 6, alternative (b).
Yes, in GPL 3, a link would be enough, but the link must be already provided with the distributed program; you don’t get to give the link only to those people who ask for it.
In GPL 2, a link is not OK, you must be prepared to send people the source code as “machine-readable copy”, “on a medium customarily used for software interchange”.
rootless.h is a missing system header, not a missing part of the Bash sources (the function it declares is part of libSystem.dylib; it is not part of bash). So leaving it out falls under the system library exception and does not violate the GPL.
Apple does have a handful of engineers working with/on open source projects; whether it is a part of their official job duties I don’t know. But it is much appreciated. However, to the person doing open source tarballs: please respond to emails and be quicker about uploading thankyouverymuch
> whether is a part of their official job duties I don’t know
Certainly. From what I've read here on HN you basically can't publish a line of code (or even star things on Github) on your own, presumably for secrecy reasons.
By official job duties I mean "my manager has told me to spend half my time contributing to MacPorts" versus "my manager (and my manager's manager, and their superior, all the way up the chain to the top, plus legal) has allowed me to send commits to MacPorts even though I work on embedded platforms".
So ... rootless.h does nothing? I can compile a bash without it that does exactly the same thing? That seems like it would contradict previous comments. What am I not getting?
It contains the declaration of a single function from macOS's libc. You cannot compile Apple's provided bash sources at all without it, but it's trivial to work around the missing header.
OpenStreetMap treasurer here to jump on the tangent. Hi!
Apple's focus is on maximising profit, and ours is on maximising mapping and the width of our membership, especially after the entryism attempt last year ( https://news.ycombinator.com/item?id=19008792 ).
I'm happy for OSM, that's great for you and in turn the community. But what about small open source projects? One-person projects where the idea of having several people working on securing legal non-profit status and then acquiring non-profit signing certificates from Apple is for all intents and purposes impossible? And certainly not worth just coughing up the annual $99 fee (+tax) to Apple?
$99+ every year is a lot of money to an independent open source developer who's in most cases losing money for their work. The fact that a company worth $2 trillion is demanding it - it's really beyond outrageous.
Outrageous is the entitlement of the current generations for not paying for their tools.
Many of us used to pay for every single piece of software that we had to run on top of our already expensive computer, around 2000 euros in today's money.
This is a nice example of what a logician calls a false cause: your conclusion (definition of outrageous) isn't supported by your premise (how much you used to pay for kit).
It's also a straw man, since I was talking about an OS developer wanting to publish their software, and you're attempting to sink it by portraying it as referring to a consumer wanting free stuff.
The subject of your conclusion, 'current generations', is also so vague as to be redundant. Current generations who are alive? Generations of 21st century? Of modernity? Of the West?
Like 1000 euros per year for a MSDN Professional license, or the required certification from several vendors that have to be renewed every couple years.
You don't need to spend €1000 to develop for Windows. Visual Studio Community Edition [1] is free to use for individuals, even for developing paid applications. Even if you're running a multi-developer business, Visual Studio Professional can be had for far less than €1000.
What you're referring to is the top-tier MSDN subscription, which is something that very few organizations will require.
Yeah, but let's not forget that Community is also relatively recent, having replaced the Express editions, which were worthless beyond learning purposes, as per license.
Recently tried to compile scintilla in visual studio, but gave up figuring out how to tune all settings in the IDE and compiled with nmake instead, the make file was very transparent and hackable with everything in plain sight.
Or having to pay Red Hat for support to get access to their KB, get updates, and pay separate licenses if you want any of their premium software offerings. Or having to shell out for console dev kits and game engines. And the embedded software world is even worse.
The exception is being able to realistically develop for a platform with little/no expense. People really are spoiled by FOSS tooling.
That's the exact purpose of all the FOSS tooling -- to make tools free, so more things can get created. Make all FOSS paid and enforce the licensing and you will bankrupt a lot of small commercial companies that rely on them too. Then really only a few giants will remain.
This is not about paying for a tool. This USD 99 is a tax paid to Apple to be allowed to distribute the software you wrote, regardless of which tool you used to write it. It could be written with a free tool, it could be written with an expensive tool, it doesn't matter; everyone who wants to distribute software to run on macOS has to pay that tax.
You sound like the people against student loan reform because “I had to pay mine back, why shouldn’t they”. That’s peak entitlement, demanding others suffer because you did.
Your perspective is limited IMO. For example, you have small tools like a save cleaner utility for The Sims 3; some person made this tool in Java in his free time and shared it for free with the community. Why should this dev pay Apple?
There are people that make visual novels, text-based games and other indie stuff (without using Apple tools; most are Python, Java or web tech) for free or a few bucks. I think they would not pay the Apple tax and would either not support Mac at all or link to some instructions to work around these limits while it is possible.
Before Java was a thing, that utility would have been written in Turbo Pascal, Quick Basic, Visual Basic, C, C++ compiler, none of them available for free.
At minimum one would need the Shareware or PD disks tax to get hold of some similar compiler.
Hobbyists either used open source or some freeware compilers. The reason I mentioned Java and C# is that they are easy to use for simple tools and you can support all OSes. Around 15 years ago I bought a book about games and C++; it had a CD with a free/gratis version of a C++ compiler (probably from Microsoft). I made some small games and shared them with my friends (I did not have to pay Microsoft a tax or ask approval).
Or use a free (libre or gratis) compiler. The GNU Compiler Collection was released over three decades ago, or the BSD-licensed Portable C Compiler that was initially released over forty years ago; as for Basic, many operating systems had a Basic interpreter or compiler built in.
I learned programming on MS-DOS with DJGPP, which is basically the GNU Compiler Collection (and lots of other GNU software) for MS-DOS. It certainly was usable (and included two free IDEs: RHIDE and Emacs), it was as good as GCC on Unix except for the lack of multitasking (which is what led me to Linux). This was long before Windows 98; the earliest DJGPP I can find is from 1994, and I had already migrated from DJGPP to GCC on Linux before 1998.
> Outrageous is the entitlement of the current generations for not paying for their tools.
Sure, but in the case of an open-source developer working on macOS, he has already paid for his operating system; if he is using GCC, he has already paid everything the GCC developers require; why then must he pay extra money to Apple in order for other people to run his software in a straightforward manner on their machines (or, in the future, at all)? How is Apple even a party when two people wish to transact, when one writes and compiles free software on his hardware (paid for) and software (paid for) and the other runs it on his hardware (paid for) and software (paid for)?
Historically free software follows proprietary software because proprietary vendors can't contain their greed and mandate free software, it happened to GNU, git, nextcloud, many times over and over.
This isn’t about not wanting to pay. It’s about being forced to use a tool in spite of much better possible alternatives. If apple allowed SSL-style certification, I’m sure cheaper and better alternatives (similar to LetsEncrypt) would prop up.
Interjecting a side note - while you're here.... a building near me was a pub 15 years ago, then it was empty for 5 years, until it became a convenience store. It's still listed as a pub, 2 years after I, and others, have sent corrections. I'd love to love OSM but....
OSM works like Wikipedia. There's no company looking at notes, it's just volunteers. You can also do the modification yourself, it's quite easy, you just need an account.
For that particular case, if you post the URL or location I can take a look if you want.
Actually doing mapping ideally requires a bit more understanding than a map user might want to acquire. So it may make sense to provide a correction and then let people with more expertise apply their knowledge to the problem, rather than stumble about and maybe make more work for somebody else.
Perhaps you notice that (as a gross example too large to be likely) the big field a few kilometres away from you that's used to fly aeroplanes isn't labelled on OSM. You don't know much about maps or aeroplanes, but it's not on there.
If you go into an OSM editor and tell it that's an airport you're probably unintentionally adding false information. Because it probably isn't an airport, there's a good chance OSM cares exactly what it is, like maybe it distinguishes controlled and uncontrolled airfields, maybe it would prefer you label the area one way, and then also label any marked runway (perhaps there isn't one) separately. There's a Wiki full of instructions about the best way to label things. Sometimes there are also local conventions, maybe the Wiki says not to distinguish uncontrolled airfields, but in your area a convention has arisen to add a specific marker for them. All this is stuff that an editor ideally should know, but a random person who thinks "Hey why isn't this on the map" doesn't know.
This is all correct but I think the default map editor does a good job of guiding newcomers for simple edits, and also lets you tag your commit for review if you're in doubt.
For small corrections (such as changing a business from a pub to a store, adding a road, naming a street…) it's perfectly accessible to anyone interested.
For sure for complex edits (like touching important objects such as airports) it's better to make a note if you're not familiar with it.
In some regions you have active mappers looking more at notes, in other areas less. Also many mappers would want to verify before applying the note ... in the end you mostly have many volunteers with their individual intrinsic motivation.
It is useful to report problems as map notes on the website. Less useful than fixing it yourself obviously, but many regions have regular mappers that look through the notes from time to time. So it helps if there are regular contributors caring about the area.
OSM Notes are still useful. But the goal of OSM is a common owned geodatabase, ie a map. I hope eventually every person feels empowered and able to make simple map changes like this.
Many (often cross-platform) apps are no longer signed, so they throw up this warning–I assume that users of these have long since learned that the warning is just something they need to bypass. macOS-native apps have largely adopted notarization and the fee that comes with it. Open source command line tools do not need to be notarized.
Interestingly enough, it seems to be possible to notarize someone else's app, so perhaps it might be a worthwhile use of my developer ID to provide this service to people I trust but don't want to shell out money…
It's important to distinguish between Developer ID and notarization. Signing an app is done by the developer. Notarizing the app is done by Apple.
If you check the code signature of a Developer ID signed app, you'll see the developer's name and Team ID from the signing certificate. This guarantees the app was signed by that developer, as long as the developer has kept their private key secure.
First you sign the app, then you upload it to App Store Connect for notarization. It's an "open secret" that Apple has allowed any Apple Developer Program member to submit any app for notarization, even if the app wasn't signed by them. Apple really wanted all apps notarized. Whether Apple will crack down on this practice in the future, who knows.
The notarization "ticket" is signed by Apple, not by the developer. I've heard of developers who discovered that someone else notarized their app. But nobody else can put their "name" on the app except the owner of the Developer ID certificate. If you Developer ID sign someone else's unsigned binary, you're presenting it to the world as your own. But that's not the case with notarization. Nobody except Apple knows who submitted an app for notarization.
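A defender-side check for the distinction drawn above, added here as an example that is not code from the thread or from Apple: it parses what `codesign -dvv` and `spctl -a -vv -t execute` report for an app bundle, keeping the signer's identity (Developer ID certificate, Team ID) separate from Apple's notarization verdict. The tool output embedded below is constructed to match the tools' format, and the Team ID is made up.

```python
"""Summarise what the macOS signing tools actually establish about an app.

Added example, not code from the thread or from Apple. It keeps apart the two
facts the comment above distinguishes: who signed the app (Developer ID
certificate and Team ID, as printed by `codesign -dvv`) and whether Apple
notarized it (the `source=` line printed by `spctl -a -vv -t execute`).
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEV_ID_PREFIX = "Developer ID Application:"


@dataclass
class SignatureSummary:
    signed: bool = False
    adhoc: bool = False          # linker/Xcode default: integrity seal, no identity
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    authorities: List[str] = field(default_factory=list)  # leaf cert first
    spctl_source: Optional[str] = None

    @property
    def developer_id_signed(self) -> bool:
        """Leaf is a Developer ID certificate and the chain ends at Apple's root."""
        return (bool(self.authorities)
                and self.authorities[0].startswith(DEV_ID_PREFIX)
                and self.authorities[-1] == "Apple Root CA")

    @property
    def notarized(self) -> bool:
        # Only Apple's notarization ticket makes spctl report this source.
        return self.spctl_source == "Notarized Developer ID"


def parse_codesign(text: str) -> SignatureSummary:
    """Parse the key=value report of `codesign -dvv` (written to stderr)."""
    s = SignatureSummary()
    if "not signed at all" in text:
        return s
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            s.identifier = value
        elif key == "TeamIdentifier":
            s.team_id = None if value == "not set" else value
        elif key == "Authority":
            s.authorities.append(value)
        elif key == "Signature" and value == "adhoc":
            s.adhoc = True
    s.signed = True
    return s


def parse_spctl(text: str, summary: SignatureSummary) -> SignatureSummary:
    """Attach Gatekeeper's `source=` verdict to an existing summary."""
    for line in text.splitlines():
        if line.startswith("source="):
            summary.spctl_source = line[len("source="):].strip()
    return summary


def trust_decision(summary: SignatureSummary, expected_team_id: str) -> str:
    """Triage: what the signature establishes, relative to the team you expect."""
    if not summary.signed:
        return "unsigned: nothing established about origin or integrity"
    if summary.adhoc:
        return "ad-hoc signature: integrity seal only, no identity"
    if not summary.developer_id_signed:
        return "signed, but not by a Developer ID chained to Apple Root CA"
    if summary.team_id != expected_team_id:
        return "Developer ID mismatch: signed by team %s" % summary.team_id
    if not summary.notarized:
        return "expected developer, but Apple has not notarized this build"
    return "Developer ID matches and Apple notarized it"


# Constructed samples shaped like the tools' real output; the team ID is made up.
SIGNED_CODESIGN = """\
Identifier=com.example.Example
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
NOTARIZED_SPCTL = "/Applications/Example.app: accepted\nsource=Notarized Developer ID\n"
UNNOTARIZED_SPCTL = "/Applications/Example.app: rejected\nsource=Unnotarized Developer ID\n"
ADHOC_CODESIGN = "Identifier=hobby\nSignature=adhoc\nTeamIdentifier=not set\n"
UNSIGNED_CODESIGN = "/Applications/Hobby.app: code object is not signed at all\n"

if __name__ == "__main__":
    for cs, sp in ((SIGNED_CODESIGN, NOTARIZED_SPCTL),
                   (SIGNED_CODESIGN, UNNOTARIZED_SPCTL),
                   (UNSIGNED_CODESIGN, "")):
        print(trust_decision(parse_spctl(sp, parse_codesign(cs)), "ABCDE12345"))
```

On a macOS host, feed the parsers the real output of `codesign -dvv App.app 2>&1` and `spctl -a -vv -t execute App.app 2>&1`, with the Team ID you expect from the developer's own published signing identity.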
> learned that the warning is just something they need to bypass
Note that I'm not necessarily arguing that training people to click "yes, yes, continue..." is a good idea. Digital security is my day job and I totally see why Apple wants digital signatures for software. However, the message is opaque about what is really going on and just tries to scare people into buying "trusted" software rather than using free software: that developer fee doesn't pay itself.
> perhaps it might be a worthwhile use of my developer ID to provide this service to people I trust
I was thinking the same, we could pool the money, but figured Apple almost certainly prohibits that "for security".
Not only is the message opaque, but it is intentionally misleading. I know the security team at Apple occasionally has trouble coming up with good explanations of what is going on, but this message really can't be looked at in any way other than being misleading, sorry. And you are absolutely right that misleading messages like these train users to click through warnings.
"application cannot be opened" is a false statement. It can be opened, and the user can open it, but they won't tell you how because they didn't get their bribe.
If the signed software is notarized, and the signature checks out, then you can be sure that Apple did some malware-scan-like process to the app on their server at some point(1) and that the app you’re seeing is the same one they saw.
(1) and probably a manual review if the App under analysis was found to call into any but a whitelist of “safe” system APIs.
Without the code signing, you can’t be sure that the app you’re seeing is the same one Apple‘s servers saw. It might be a copy of the app that has had a virus injected into it (which has happened quite a few times recently in pirated macOS software.)
I think we all agree on what the security benefits are, because we know what’s going on. But Apple is telling users that they can’t verify it’s free from malware, implying that all notarized code is free from malware, which is a ridiculous claim to make, and discourages people from using excellent software that Apple, for whatever arbitrary reason they like, have decided not to notarize.
> implying that all notarized code is free from malware, which is a ridiculous claim to make
How so? Even if they don’t catch malware during notarization, Apple also reacts pretty quickly to invalidate a developer’s code-signing certificate if they use it to sign apps that contain malware (as soon as Apple is made aware of that malware-app, for which they maintain relationships with both major antivirus vendors and independent security researchers.) Your computer then receives the new Apple code-signing CRL in a silent update, and won’t run the app (or any app by that developer) any more. Even if you’re offline at the moment, and so can’t contact the notarization servers to find out the app has been denotarized, as long as you’ve been online at any point since the CRL was updated, you’ll be protected. (And where does malware come from? These days, 99% of the time, the network. So if you stay offline, you’re extremely unlikely to run into novel malware anyway. And if you’re online to receive the malware, you’re almost certainly going to have received the CRL update first.)
And sure, there’s a small period of vulnerability before Apple is made aware of new malware; but most malware infections are not from zero-day malware, but rather from malware that’s been going around for a long time already. (And I believe they also push ‘disinfectant’ logic in those same silent updates that update the code-signing CRLs, same as Microsoft does with Windows Defender. So the usual “join a botnet, hijack your browser” kind of malware can simply be reverted.)
Plus, there’s the whole System Integrity Protection thing, meaning that macOS malware can’t really do anything to permanently subvert the Gatekeeper infrastructure, since it lives in the “untouchable” root partition. (It could do something clever with a system extension, but as of Catalina you have to explicitly activate those in the Security preference pane; and probably, as of Big Sur, you won’t be able to activate them at all.) So it’s only people with SIP off (i.e. system extension developers; Hackintosh owners) who would even feel any sort of “deep impact” from any of this malware. Meaning that macOS malware authors basically don’t bother to try to “deeply embed” their malware into the OS, given that the process will only actually work on a tiny fraction of systems.
Anyway, all that being said: it’s not like Apple said they can’t “guarantee” that the app is free from malware, implying that signed+notarized apps would be guaranteed free from malware. They just say they can’t “validate” that the app is free from malware, implying that the apps that don’t show this warning have been “validated” by Apple—i.e. audited, to the best of their own abilities and current knowledge. Signed off on, like a home inspector signs off on a house. And that’s exactly the case. Apple has “validated” those apps. That doesn’t translate to some technical guarantee of safety, like running the app in a VM would give. It only translates to “you can trust this app to the degree that you trust Apple’s validation process.”
It’s exactly the same claim that Chrome and Edge are implicitly making when you download software through them on Windows: the software gets “validated” by Google/Microsoft as not containing malware to the best of their knowledge. It’s an antivirus signature scan, combined with a trustworthiness heuristic based on whether the developer was willing to sign their software. The only difference is that, in Apple’s case, the “antivirus scan” part happens on a server somewhere, asynchronously, rather than on the client. But it’s the same level of effective security.
I think an important corollary is that if a binary is signed and does turn out the be malicious, there's a path to comeback on whoever submitted it. The signing/notarisation process creates a chain of responsibility.
It doesn't say that. It says that it can't verify the developer, and can't verify that the software is free of malware. It's just some arbitrary piece of software, could be written by anyone, and/or could be software that purports to be Word or Photoshop or whatever, but has been modified.
Granted, you could quibble with the details (does pointing out that you can't verify that it's free from malware imply that you could verify that it's free from malware if there were a certificate?). But calling the message "intentionally" (!) misleading?
I... don't think misleading means what you think it means. Misleading statements (pretty much by definition) don't imply falsehoods. They "merely" "suggest" falsehoods to those who don't already know better. If they intentionally "implied" falsehoods then they would be called "lies", not "misleading".
One of the possible warnings you can get literally has "[App name] will damage your computer. You should move it to the trash" in the dialog that shows up. There's a bunch of these, all of them pop up for various Gatekeeper/notarization shortcomings, and none of them actually seem to ever really tell you what the problem was.
1) I searched the article for "damage" and "should move" and didn't find it, so either it was in a screen cap (but I didn't find it there, either) or you meant "literally" in the new sense of "not literally".
2) Apple documentation [1] says (my highlight) "The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly."
Is the claim that Apple is not actually scanning notarised software for malicious content?
3) Random unsigned apps presumably have not been scanned, and might contain malware. I still fail to see the problem, or what's misleading (and "intentionally" so!).
I put quotes around it because that is the exact wording it uses: https://www.google.com/search?q=will+damage+your+computer.+y.... You may note that among the apps shown there is LibreOffice and somebody’s issue on GitHub saying they were getting it when creating their Electron app.
> Is the claim that Apple is not actually scanning notarised software for malicious content?
No, the claim is that just because Apple _hasn't_ scanned some particular piece of software for malicious content, that doesn't necessarily mean it _does_ contain such.
> 3) Random unsigned apps presumably have not been scanned, and might contain malware.
Exactly: they _might._ But popping up big hysterical warnings about it strongly implies, particularly to less technically well-versed users, that they _do._
> what's misleading (and "intentionally" so!).
Strongly implying something that is obviously not true, that's what's misleading. In fact, AFAICT, that is the very definition thereof. And unless they're putting stuff they didn't intend to say into the dialogs they pop up, then yes, it is obviously intentional. Is the claim that their dialog text is un-intentional?
> I still fail to see the problem
Two hoary old quotes (or is the first a proverb? Maybe literally, from Proverbs) come to mind:
1: Nobody is as blind as he who does not want to see.
2: It's hard to make a man see something he doesn't want to see, particularly if his salary depends on him not seeing it.
(Personally, I do data warehousing / ETL programming for a living; currently at the Finnish Social Security Agency.)
It doesn't seem like they verify every app to ensure it is free from malware. Since they respond in the affirmative if the app is signed (by not warning), it seems reasonable for a lay person to believe that an app that doesn't throw this warning is free of malware.
"The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly."
They couldn’t verify it’s free of malware no matter how much scanning they do. That’s not quibbling with details, it is the fundamental claim that Apple is making.
In my day job, I work on a relatively large open-source non-GUI application.
macOS is becoming an increasingly difficult platform on which to release software. We're going down the notarization rabbit hole (which is a nightmare), but given that we don't fit on the App Store, it's very obvious that Apple doesn't want us on the platform.
My suspicion is that they will eventually charge $$$ for a "developer unlock" on Apple Silicon, a move that I think will make both Windows and Linux look increasingly attractive to developers.
Yes, I've found code signing on Windows is a lot more hassle than on macOS. You still need to pay for the certs as well. The only distinction is the scary warnings on Windows come slightly earlier.
Unfortunately, it hasn't fixed the problem with running VirtualBox using the hypervisor platform/virtual machine platform (I forget which) while Hyper-V is enabled: SHA sums (and other hashes like Whirlpool, MD5, etc.) don't work properly. Meaning I can't use WSL2 and VirtualBox. Or use the Android emulator and VirtualBox. And yes, this seems to be an obscure issue that's hard to research (`Intel SHA extension` and `/etc/gcrypt/hwf.deny` may help); I've had to look this up three times now because I keep doing it in private browsing mode or on another device/browser.
Don't mind me, I'm just annoyed that Microsoft won't add support for ssh-copy-id.
Please note that Apple's linker will automatically ad-hoc sign binaries if you aren't using a signing certificate, so there is no impact to package managers or any other forms of building software to run locally. Xcode already automatically opts such software out of Gatekeeper checks when built from the UI. Similarly, adding Terminal to the Developer Tool category in System Preferences will do the same for anything you run or build there.
I should also note directly launching the binary inside the App bundle from Terminal bypasses the UI dialog. The assumption is you know what you are doing in that case.
The comment you're replying to is confusing because it's been copied out of context from where it was originally posted, which was a discussion of a mandatory signing requirement on Apple silicon.
There's a segment of open source users who understand these messages and aren't necessarily dissuaded by them. I make an open source app for merging audio files in iTunes/the Music app. The userbase are people who are technical enough to install Homebrew, (generally) use iTunes scripts, and manage Gatekeeper warnings, but not so determined as to replicate the app's functionality with their own set of shell scripts. https://www.davidschlachter.com/misc/trackconcat
In addition to paying the Apple Developer Program fee, you as an open source or hobbyist developer are required to sign a legal contract with Apple in order to be able to code sign your software. This can be even more problematic than the fee.
>This makes me wonder how open source is supposed to work on macOS.
It isn't. Apple's view of the world is that computer users are non-technical consumers who need to be protected from others and themselves, and that Apple are the ones to offer that protection. Open source is antithetical to this view because it puts the responsibility on the user, which is the last thing Apple wants.
I can sympathize to some extent with this view. There's obviously a large (perhaps majority) share of computer users who it describes - just not small/independent developers/hackers. Those users are better served elsewhere.
I've got to say, I think your proposed message is considerably less clear than the actual one.
E.g., a reader would have to understand the perspective of the developer to even start to guess what that might mean. (Why would a developer pay or not pay $99 to Apple for verification? How do the implications of that affect my decision to run this program?) It would be pretty much meaningless to the average non-developer user.
I agree the price of notarization should be a nominal incremental cost. I don't know if there are many level 3 people doing MacOS development, but if so, there needs to be a cheaper price for them. (The numbers of level 1 and 2 MacOS developers must be practically nothing.)
>>I also can't imagine $100 is easy to come up with in countries below level 4[1]
Someone who is developing specifically for the Apple platform has already spent ~$1000 on devices. Say they couldn't afford to build explicitly for Apple[1]; they instead develop for the web using a Raspberry Pi and try to leverage smartphone capabilities using PWAs. Alas, Apple throws in hurdles there as well so that your PWA doesn't function properly on Apple devices[2].
I get it, perhaps this is part of Apple's aspiration, i.e. 'You should deserve to be part of the Apple ecosystem', which is enticing to its customers.
But what's overwhelming to me is Apple's blatant hypocrisy.
Exhibit 1: Data
Apple calls Google by name, questioning its business model around data, and proudly claims 'they chose not to do business with data'.
Then why does Apple advertise its products using Google Ads?
So, it's like 'I will call out dirty work, but I will use the results of that dirty work for my own advantage'.
Exhibit 2: Values
Apple claims itself to be the beacon of human rights.
a. We know Apple was included among a list of other companies supplying user data for snooping in the documents highly regarded to be genuine.
b. We know Apple actively cooperates with an autocratic regime and its highly publicised 'Privacy features' aren't applicable there. But Apple never includes 'USA only' when it advertises its 'Privacy'. Moreover, when confronted with proof of Apple's platform being actively used for exploitation of minorities, it outright downplayed/dismissed the impact of it.
> Someone who is developing for Apple platform in specific, has already spent ~$1000 in devices.
Ignoring the fact someone might have been given a Mac by someone else, or bought one second-hand for less, or that they might be working on a computer they don't own themselves, why is it that someone who can afford $1000 for a Mac can automatically afford another $100? Surely there has to be an amount that you assume they can't afford, right? If they can afford 10% more then why not 15%? Or 20% or 100%?
You're applying a sort of reverse of Zeno's Arrow[1] to affordability, and I think it shows a distinct lack of understanding of how money works when you don't have all that much of it.
I have two macs. Main is a 2013 macbook air which cost £999 (work bought it), so £140 a year. Second is my own mac mini from 2012 which cost £500, so £60 a year.
My main machine is a linux one. Costs nothing to write software on that of course.
I get the feeling that developers who 'came of age' in the last 10-15 years will slowly discover RMS was right all along.
>why is it that someone who can afford $1000 for a Mac can automatically afford another $100
Someone who has invested ~$1000 specifically to develop applications for the Apple ecosystem has to invest $100 to release the application; that is the overall context of my statement in that sentence.
>You're applying a sort of reverse of Zeno's Arrow[1] to affordability, and I think shows a distinct lack of understanding of how money works when you don't have all that much of it.
Cherry picking part of my sentence to make a statement, then claiming to throw insight about my understanding of how money works based on how much of it I have seems like using your own logical fallacy intentionally to make an ad hominem argument.
Interesting to see PWAs being proposed as the ultimate alternative on HN all the time. Questions of quality etc. aside it's essentially Google's platform that they're pushing for via standards that benefit them and their goal of the web as a platform they control. While Apple wants dominance over their walled garden, Google wants total dominance over the web.
You know, I grew up in USSR.
There were no western-made cars, only Soviet ones: Ladas (based on a 40-year-old FIAT), Volgas, the dreaded Moskvich or Zaporozhets. Volgas were for the elite and not really accessible to ordinary citizens, so Lada was it. And it seemed to be a fine car, because you did not know any better. Yes, you had to reassemble it yourself after you bought one to make sure it did not fall apart on the road, but otherwise they seemed fine.
That's until the USSR collapsed and western old car markets became accessible. Almost all Soviet cars were replaced by old, mostly German, ones. Why? Because people saw the difference. And they saw that even 15-20 year old Audis, BMWs or Opels were still waaay better than brand new Soviet crap.
So yeah, there are things that may seem fine until you have a chance to compare them to the truly fine.
Google has a functional monopoly on online advertising, so your options for online advertising are Google and Facebook, or ad companies that primarily have scams. Seriously, it's just Google, Facebook, and then things like Taboola, and the most popular sites on the web are 100% Google ads only.
Apple’s alternative to google ads is essentially no online advertising.
It mostly doesn't. That is 20% because of bullshit like this and 80% because Apple deprecates, removes, changes and otherwise encumbers their operating system so much that keeping track of it all is a full-time job.
I've seen a couple projects do this by publishing a Mac App Store version. Completely identical to the open source release, but it pays the Apple tax to run without warnings, and it gets App Store-powered auto updates.
The developer who signs the software is thereby taking legal responsibility for the software, and taking the blame if anything is wrong with it. That's not a good risk unless you're signing for someone you trust completely.
It also might be tough to run as a business because it's quite possible the first time you sign someone else's malware, Apple's going to revoke the notarization of all the apps you've signed (which would be for other paying customers).
Not to mention it undermines the purpose of notarization, so if it became popular enough they'd probably just squash it.
That would be true for rubberstamping-as-a-service, a weaker version of running a rogue CA. But project maintainers getting themselves an Apple ID and recouping that cost + x (hopefully) via non-gratis signed binaries wouldn't have that problem at all. Or if they did (malware sneaking into their artifacts), a lost Apple ID should be the least of their concerns.
There'd even be a conceivable but unlikely scenario where some automated scan deep inside the Apple publishing pipeline would detect an otherwise undetected malware intrusion in some upstream dependency or badly vetted commit and thereby indirectly protect the users of the unsigned copy, by acting as a canary.
How much does that actually change liability vs building and distributing unsigned? Signing has no legal implication other than lowering deniability. What's added is the contract with Apple. Is that such a minefield?
I publish a CLI app for many platforms, including osx, on GitHub. Using the cross-compile feature of Go it just spits out a binary that Macs can run from a Linux build host. I don't own a Mac so don't see what my users do.
Does this change affect running unsigned binaries from the terminal?
> I also can't imagine $100 is easy to come up with in countries below level 4[1].
Apple has as low as 0% penetration in those countries. The market has solved this problem. They still use technology; there are alternative platforms. Android, Windows, ChromeOS, KaiOS, and desktop Linux (which has as high as 5% market share in India) are cheap to use and develop for. It was always going to end up this way. There's the brand for the haves and the brand for the have-nots. Although even people on welfare in the United States have iPhones, consider that they're still the elite in global terms.
Aren't the new ARM Macs going to support Docker in a nice way? Wouldn't that solve it? You can have what you want in your Docker, Apple can do whatever it wants (short of blocking Docker's essential capabilities of course) to isolate said Docker.
But then you have to use Docker. It'd be nice to have something like that on iOS, where it'd be an improvement, but on macOS it's a step down in a sense.
Many POSIX-y applications will mostly work on macOS, to the point where you might ship in a package manager or something and can probably help with a segfault or two but have never touched a Mac.
Yes, but details can get in the way. While every compiler is a cross compiler to any platform, that doesn't mean that the platform libraries are available or that there's a linker. For example, the MSVC target uses link.exe, and that only runs on Windows, so cross compiling to the MSVC target doesn't work in practice even if it could in theory. You can cross compile to the GNU target for Windows though.
Windows 10 also does its best to try and stop users from running unsigned code, by making the UI complicated.
When Windows 10 finds an unsigned installer it shows a dialog with a Don't Run button and, as the name suggests, clicking that button does not run the installer.
To run the installer the user needs to first click on the More Info link which will then present the user with an option to Run the installer.
Certificate Authorities trusted by Microsoft for the purpose of Code Signing would need to issue you a certificate with the appropriate EKU (Extended Key Usage, saying this is for Code Signing). Technically a user could add some CA you spun up for this purpose to their Windows install, but if you're going to all this bother you could just get them to click past the warning of course...
The CCADB can tell you which CA roots are trusted by Microsoft for this purpose:
You're looking for a CA which has Microsoft Trust Bits including Code Signing, and Microsoft Status of "Included"
Price: A couple of hundred bucks per year. Vendors with very well known brands like DigiCert's "Symantec" brand (famous despite the fact Symantec actually ran their CA so terribly they ended up selling the brand to DigiCert... the CA they'd operated was distrusted) maybe $500 a year and higher. But your users don't care about the brand, so pick a cheaper product like Sectigo's; they work just the same.
It's a little more expensive if you want "Extended Validation" aka "EV Code Signing". If you write Windows kernel drivers you need this, otherwise it might only make the UI shown to inquisitive users nicer so don't bother unless you hate money.
NB. Yes ISRG (the people behind Let's Encrypt) are trusted by Microsoft but no they aren't trusted to provide Code Signing certificates, even if they wanted to, which they do not.
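The EKU check the post above describes, as an added example that is not part of the thread and not any CA's tooling: it mints two throwaway self-signed leaf certificates with the openssl CLI, one carrying the Code Signing EKU and one carrying only the TLS serverAuth EKU, and inspects each the way you would inspect a certificate a CA actually issued you. The subject name and the file names are constructed; neither cert is trusted by anything.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a certificate carries the
# id-kp-codeSigning EKU (1.3.6.1.5.5.7.3.3). The two test leaves are
# constructed here so the script runs offline; they are not trusted certs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request config with two extension sections: code signing vs. plain TLS.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed Test Leaf
[ codesign ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
[ tls ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF

# make_leaf <ext-section> <basename>: writes $WORK/<basename>.pem and prints its path.
make_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" \
    -config "$WORK/ext.cnf" -extensions "$1" >/dev/null 2>&1
  printf '%s\n' "$WORK/$2.pem"
}

# has_code_signing_eku <cert.pem>: prints yes or no.
# openssl's text dump renders id-kp-codeSigning as "Code Signing" under
# "X509v3 Extended Key Usage"; a serverAuth-only cert prints
# "TLS Web Server Authentication" there instead.
has_code_signing_eku() {
  if openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'; then
    echo yes
  else
    echo no
  fi
}

CS_CERT=$(make_leaf codesign cs)
TLS_CERT=$(make_leaf tls tls)
echo "code-signing leaf: $(has_code_signing_eku "$CS_CERT")"   # yes
echo "tls-only leaf:     $(has_code_signing_eku "$TLS_CERT")"  # no
```

Run the same `has_code_signing_eku` against the PEM a CA sends you; a cert that lacks the EKU will not be accepted as a code-signing cert no matter which trusted root issued it.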
My boss doesn't want to pay for a certificate so now all my Windows 10 users (we still have some Win 7 installs out there and even a couple XP) never update my ClickOnce apps.
And this is why out of spite I developed "ClickTwice". It's certainly not as good as ClickOnce but at least I ensure they use the latest version of the apps I dev.
Like all other legitimate software on MacOS; they get a developer account and distribute it via the app store.
For years, Windows got laughed at by EVERYONE because there was so much malware on it - in part because of its laissez-faire approach to letting the user install anything from anywhere.
Mac went for the closed garden approach and there's hardly any malware, adware, scareware or whatever -ware you can think of on the platform, which is one of the reasons why Mac is safer and considered to have a better user experience.
Curation is not a bad thing. And if an open source application wants to become popular for the masses - not the HN power user crowd, which represents only a small percentage of potential customers - they have to conform to its rules.
Likewise, they will want to be available through the Windows store as well.
Using the tools and platforms offered by the OS developers is the lowest friction option for installing software.
As for poorer people and countries, isn't this where the open source charities come in? Isn't this where the big FAANGs - including Apple - and the investors and everyone that earned billions off of software should come in? I mean come on, it's only $99.
The substantial lack of malware in the Mac world pre-dates the Mac AppStore, and numbers have not changed significantly since the introduction of that and/or Gatekeeper.
Gatekeeper is a commercial boiling-frog lock-in strategy sold as a security feature nobody asked for.
> open-source charities
Open-source, as a term, was invented in order to sell what was then called Free Software. It has nothing to do with charity.
> Curation is not a bad thing
Apple does little or no curation on the Mac AppStore, because the number of developers using it is still relatively low.
> ... in part because of its laissez-faire approach to letting the user install anything from anywhere.
This comment makes it seem like installing software outside of a curated store is responsible for security issues, but this is exactly what Linux and other like OSes do. You can install apps from anywhere and I'll wager you'll find less malware, adware etc. for them in the wild, than the Mac. Granted usage of these platforms as a Desktop is way lower making it a less attractive target for bad actors, but much of it owes to inherent OS design.
> And if an open source application wants to become popular for the masses - not the HN power user crowd, which represents only a small percentage of potential customers - they have to conform to its rules.
Open source applications have been popular with the masses way before the curated store app store model came into place. Publishing on an app store has a good chance for increasing outreach, but it should not make distribution and installation of applications in the classical way more cumbersome, should the user so desire.
> As for poorer people and countries, isn't this where the open source charities come in? Isn't this where the big FAANGs - including Apple - and the investors and everyone that earned billions off of software should come in?
It would be hilarious if Facebook, Apple, Google, Microsoft, Amazon, Netflix, etc. decide to start a charitable foundation which just deposits $99 checks into Apple's bank account. They should do it. I wouldn't be able to stop laughing.
Curation, in the sense that Apple uses the term, is a bad thing because it creates a false sense of security. It blurs the line between protecting users from security threats and protecting Apple's business interests.
If Apple was truly interested in protecting users, they would keep these things separate as much as possible.
But they're doing the exact opposite. They keep mixing these things up as much as they can in order to shield their questionable business practices from scrutiny.
On top of that, the iOS side-loading ban is clearly aiding and abetting human rights violations.
> Like all other legitimate software on MacOS; they get a developer account and distribute it via the app store (...) I mean come on, it's only $99.
So small utils and stuff, smaller open source projects etc. are not legitimate? Or should they shell out a $99 extortion fee to have the pleasure of giving stuff away for free? This is just one of a thousand cuts that will kill traction for Mac software.
It seems like the right balance. As the author says:
> As a Mac developer, it's nearly impossible to run a viable software business when this is the first-run experience of new customers. You'll never get any new customers! This is why every Mac developer I know signs up for Developer ID and ships only signed, notarized apps. It would be financial suicide to do otherwise.
If you have hung your shingle out to make a profit, then the developer account, signing, notarizing, etc. is a cost of doing business, and you can easily justify it. The more customers you get, the more money you get, so you are motivated to reduce the first-run friction.
If you are not in it for profit, you probably have a lot more tolerance for a little first-run friction, and having users drop out of the funnel. Fewer users does not affect you financially. As a hobbyist programmer, I wouldn't care. I'm just releasing a program--not looking to dominate a market.
I appreciate this view except for the last point. As a hobbyist programmer, I am not "just releasing a program". I am usually "helping solve users' problems". And if my solution requires users to go through even more problems before they can use my tools, that's problematic.
I don't need to make money on my side projects. I do, however, want to help people. If I can't help people on a Mac because of the install friction, then it isn't worth my effort to create a macOS port of my software at all.
> the developer account, signing, notarizing, etc. is a cost of doing business, and you can easily justify it.
But what if I'm not doing this for profit? Can Nirsoft or Mozilla apply for a waiver? Can I? We may not be looking to dominate the market, but it would be a shame if our work just went to waste because people would rather pay for something crappier that is closed source rather than our free (as in freedom & beer) software.
(Yes, Mozilla is a huge project where it isn't worth employees' time to apply for a waiver, I just needed at least one name that people know is a non-profit software developer as an example.)
> Is there any automatic way to tell your software apart from malware?
There is no universally agreed-upon definition of malware. One man's operating system is another man's malware. For me, an operating system that "calls home" for each new executable you compile is a crystal clear case of malware. In the case of this article, then, the only malware in question is macOS.
If an Apple engineer were to compile a variant of Apple’s notarization algorithm where ok means no and no means ok, would the resulting binary notarize its own source fed into it?
Well, if the mechanism is e.g. a blacklist of APIs that shouldn't be used, and a blacklist of known malware hashes (as is the case), then Apple's "is this malware" routine could trivially print "no" for itself.
Sorry to the grandparent, but this is nothing like the halting problem...
This already exists and it is called XProtect. My question through these threads has been "why does notarization exist" and I am still trying to understand why it does, because every answer I have been given simplifies down to "here is a reason that it should exist…wait, that's just what code signing or Apple's built-in MRT does already".
Nothing is calling home when you run a new executable. You're not understanding how gatekeeper works. It works entirely offline without network access.
Close your browser and monitor your network traffic. Compile a hello world with a unique text string. Run it. It calls home the first time you run it. Then it doesn't.
If you are not connected to the internet, it does not call home indeed.
>There is no universally agreed-upon definition of malware.
Doesn't have to be. Just the common user's definition is OK.
>For me, an operating system that "calls home" for each new executable you compile is a crystal clear case of malware. In the case of this article, then, the only malware in question is macOS.
I'd rather also have a party in whose interest it is to not get malware on their operating system confirm your claim that your software doesn't contain malware.
It would be nice if the OS automatically verified these checksums. That would have been a nice OS X feature, but instead Apple ignores the verification process that already exists and invents their own, with themselves in control.
The thing is, your friendly scammer could also publish checksums on their website.
It is clear to you that you're writing fine open source software, not malware. But how is the consumer supposed to tell?
If people trust you, why bother with the checksums? (Over HTTPS, the downloaded content cannot be tampered with. If someone tampered with the content on your website, or performs a MITM, they can also replace the checksums.)
The checksums are there if they happen to grab the binary in some way that is not "using HTTPS directly from my website" and they'd like to check. Why do they know I'm not writing malware? Trust in my software, mostly? It is unclear that notarization actually stops malware; Apple has failed to explain how it helps, but enforces it by decree.
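The checksum check the two posts above are arguing about, as an added example that is not part of the thread and not the poster's release tooling: it parses a `sha256sum`-style manifest (including the `*name` binary-mode form), hashes each downloaded file in chunks, and reports a per-file verdict. The artifact names, bytes and manifest are constructed inline so it runs offline. It does nothing about the point made in the thread that a manifest fetched from the same server as the binary proves little; the manifest has to arrive through a channel the user trusts separately.

```python
"""Verify downloaded artifacts against a published SHA256SUMS manifest.

Added example, not code from the thread. Everything below (artifact names,
contents, manifest) is constructed so the script runs offline.
"""
import hashlib
import os
import tempfile

# Constructed sample release: two artifacts that will be listed in the manifest.
ARTIFACTS = {
    "tool-1.0-darwin-amd64.tar.gz": b"constructed release bytes v1.0 darwin\n",
    "tool-1.0-linux-amd64.tar.gz": b"constructed release bytes v1.0 linux\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums(manifest: str) -> dict:
    """Parse `sha256sum` output lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    sums = {}
    for lineno, raw in enumerate(manifest.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        if name.startswith("*"):  # GNU coreutils binary-mode marker
            name = name[1:]
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        sums[name] = digest
    return sums


def verify_file(path: str, sums: dict) -> str:
    """Return 'OK', 'MISMATCH' or 'UNLISTED' for one file on disk."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "UNLISTED"
    h = hashlib.sha256()
    with open(path, "rb") as f:          # chunked so large tarballs fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "OK" if h.hexdigest() == expected else "MISMATCH"


def demo() -> dict:
    """Write the constructed release to a temp dir, swap one binary, verify all files."""
    manifest = "\n".join(f"{sha256_hex(b)}  {n}" for n, b in ARTIFACTS.items())
    sums = parse_sums(manifest)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in ARTIFACTS.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Simulate a swapped download: same file name, different content.
        with open(os.path.join(d, "tool-1.0-linux-amd64.tar.gz"), "wb") as f:
            f.write(b"something else entirely\n")
        # A file the manifest never listed: nothing can be said about it.
        with open(os.path.join(d, "tool-1.0-windows-amd64.zip"), "wb") as f:
            f.write(b"not in manifest\n")
        for name in sorted(os.listdir(d)):
            results[name] = verify_file(os.path.join(d, name), sums)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```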
1. You submit your app bundle and your credentials to Apple for notarization.
2. Apple records your information and goes through each library, framework, and your code, checking the code signing info and "fingerprint" of each for known malware.
3. Apple issues the ticket for stapling to the app bundle.
Now say, for example, that libffmpeg-0.1.2-beta2.dylib is found to mine cryptocurrency:
1. Apple goes through their database and finds the app where the malware was reported.
2. Apple marks that fingerprint as malicious.
3. Apple now flags any other apps that use libffmpeg-0.1.2-beta2.dylib (by checking the fingerprint) and disables any versions of any app running that version. Additionally, any other attempts to notarize apps with the malicious dylib are rejected.
Notarization provides 2 major benefits for devs that I can see:
1. Apple doesn't need to revoke your entire certificate just to block one version of an app.
2. Apple's audit trail of who notarized the app (and from where) prevents cases where stolen credentials result in a DoS of the victim (e.g. your account being locked, your name and address permabanned, and funds frozen).
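The bookkeeping the two numbered lists above describe, as an added example that is neither Apple's code nor the poster's: a toy notary service that records, per submitted app version, the submitter and the fingerprint of every bundled component, keeps a reverse index from fingerprint to tickets, and on flagging one fingerprint revokes exactly the app versions that embed it while rejecting later submissions that do. The app names, team identifiers and library bytes are constructed, and the fingerprint is a plain SHA-256 of the bytes standing in for whatever Apple actually hashes.

```python
"""Toy model of notarization tickets keyed by component fingerprint.

Added example, not Apple's implementation. Fingerprints here are SHA-256 of
constructed bytes; apps, versions and team IDs are made up.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def fingerprint(blob: bytes) -> str:
    """Stand-in for the per-component fingerprint (assumption: plain SHA-256)."""
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Ticket:
    app: str
    version: str
    team_id: str                 # who submitted it: the audit trail point 2 mentions
    components: Dict[str, str]   # component name -> fingerprint
    revoked: bool = False


@dataclass
class NotaryService:
    tickets: List[Ticket] = field(default_factory=list)
    blocklist: Set[str] = field(default_factory=set)
    # Reverse index so one flagged fingerprint finds every ticket that embeds it.
    by_fingerprint: Dict[str, List[Ticket]] = field(default_factory=dict)

    def notarize(self, app: str, version: str, team_id: str,
                 components: Dict[str, bytes]) -> Optional[Ticket]:
        """Step 1-3 of submission: fingerprint each component, refuse known-bad ones."""
        fps = {name: fingerprint(blob) for name, blob in components.items()}
        if any(fp in self.blocklist for fp in fps.values()):
            return None  # rejected: embeds a component already marked malicious
        ticket = Ticket(app, version, team_id, fps)
        self.tickets.append(ticket)
        for fp in fps.values():
            self.by_fingerprint.setdefault(fp, []).append(ticket)
        return ticket

    def flag_component(self, fp: str) -> List[str]:
        """Mark one fingerprint malicious and revoke every ticket that embeds it.

        Only those app versions are disabled; the submitters' certificates are
        untouched, which is benefit 1 in the post above.
        """
        self.blocklist.add(fp)
        revoked = []
        for ticket in self.by_fingerprint.get(fp, []):
            if not ticket.revoked:
                ticket.revoked = True
                revoked.append(f"{ticket.app} {ticket.version}")
        return revoked

    def is_allowed(self, ticket: Ticket) -> bool:
        return not ticket.revoked


def demo() -> dict:
    """Replay the libffmpeg scenario from the post with constructed bytes."""
    svc = NotaryService()
    bad_lib = b"libffmpeg-0.1.2-beta2.dylib (constructed bytes)"
    good_lib = b"libffmpeg-0.1.3.dylib (constructed bytes)"
    svc.notarize("VideoTool", "2.0", "TEAMAAAA", {"main": b"videotool 2.0", "libffmpeg": bad_lib})
    svc.notarize("Transcoder", "1.4", "TEAMBBBB", {"main": b"transcoder 1.4", "libffmpeg": bad_lib})
    newer = svc.notarize("Transcoder", "1.5", "TEAMBBBB", {"main": b"transcoder 1.5", "libffmpeg": good_lib})
    # The beta2 dylib is reported as a miner: flag its fingerprint.
    revoked = svc.flag_component(fingerprint(bad_lib))
    # A later submission bundling the same dylib is rejected outright.
    late = svc.notarize("NewApp", "0.1", "TEAMCCCC", {"main": b"newapp", "libffmpeg": bad_lib})
    return {
        "revoked": revoked,
        "transcoder_1_5_still_allowed": svc.is_allowed(newer),
        "later_submission_rejected": late is None,
    }


if __name__ == "__main__":
    print(demo())
```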
I'd be interested to see the track record since they implemented notarization. How often has it caught malware, both before and after the fact? I haven't seen any headlines about e.g. a popular application failing to launch one day because Apple found a miner in it some time after initial notarization.
They can do that if they’ve obtained a copy of the specific binary with malware. But with notarization they can proactively scan for things that look like they might be malware, and follow up with either automatic rejection, or approval followed by manual inspection.
Ok, I guess that does make sense. Still, it does have the drawback that all distribution must go through Apple, and you now need to pay to develop software for the platform :(
Because notarization has the very concrete downside of costing money to do, plus the fuzzier steps of it being a fairly complicated and often picky/opaque process to have to deal with when shipping your software.
[1] https://www.gatesnotes.com/Books/Factfulness#incomegroups