Within the eco-system, software is doomed.

Unless your binaries are signed and certified by $APPL, Mac users will have to jump hoops to get it running on their system.

On top of that, if your software accepts incoming connections from the outside, you’ll have to tell the to authorize connection, every time you run the software. E.v.e.r.y.t.i.m.e. (Unless you disable that firewall)

@judeswae don't forget that they can't be licensed GPL if you wanna put them in the Apple Store.

@judeswae Stuff like this and more really pushes me away from Mac as a whole.

Maybe their best is bygone... I guess I could never afford them at their best.

@judeswae omg, it feels like a lot of extra work for several projects of mine :(

@frankiezafe It’s a fast process. The devs sign the apps.

I tried to get these signing rights for Polymorph stuff. But the process to get AppleDevID and all was too cumbersome and expensive.

I did not want to pay the fees and all.

@frankiezafe Last time I checked it was $50/y (but who cares) and you need to be in possession of an Apple device.

The second requirement is the worst tbh.

@judeswae clear! :D it's more like 700$ + 50$ to have the privilege to be an apple dev...

@frankiezafe Which Apple device costs only $700? I don't think Airpods count as an Apple Device ;)

@judeswae the new mac mini m1, it's the basic for developers, saw some in windows based companies

@judeswae according to this page that's only true for unsigned apps that check their own integrity. Not for regular unsigned apps.

I haven't been running macOS since Snow Leopard, but unless that's changed recently I can vouch for their support page to be correct.

support.apple.com/en-us/HT2016

@fedops Thx for the clarification. I don’t know if the app I’m using is self-checking its integrity. The app is github.com/debauchee/barrier

@judeswae signing isn't super difficult though. And I would say that it helps the overall security of the system.

Reality is that for most folks FOSS options aren't there if they aren't in the OSX store anyway. So it is important for FOSS projects to get there.

@ted I tried signing some software for distribution. And it’s freaking complicated. Not the signing part. The whole thing before that requires an AppleID, an AppleDeveloperID, an Apple device to be able to get an AppleDeveloperID, a credit card to pay whatever AppleDeveloper fee they want every year. I stopped at step 25 if I remember correctly. And signing keys were not even in sight.

@judeswae non-trivial for sure, and unreasonably complex. But not worse than most FOSS build systems. 😉

@ted We’re deviating here. I can run almost any piece of software on a FOSS built system without it complaining about certificates or preventing me from shooting myself in the foot.

You’re talking about signing software only.

It’s not easy. Whatever the system. And with Apple, it’s freaking expensive.

@judeswae that is true, but I would argue that a FOSS Desktop today is less secure because of it. The lack of application confinement and pervasive side-loading makes for an environment where most users can't keep their system secure.

It is basically a 2000's security model playing against a 2020's threat model.

@judeswae

Well maybe there's a lesson there somewhere. If you want to use FLOSS software start with the OS.

@judeswae @celia This is hyperbolic. First of all, even the requirement as stated isn’t any death knell for FOSS; just get the thing certified. But even beyond that, unless I’m misunderstanding something, you can sign it yourself, with a certificate Apple has issued/signed. Direct distribution doesn’t have the same requirements as the App Store.

@a I complain that only signed (floss) apps work out of the box. Else the user needs to "jump through hoops" to get it running.

Your proposition is: sign the app already or jump through hoops.

🤔

@celia

@judeswae @celia Sure. But you also asserted that makes FOSS in general “doomed” (which seems unsupported by your point) and that the things need to be signed *by Apple*, which I believe not to be accurate (but again, I could be misunderstanding things).

@a
Right. I misrepresented the signing and certifying process. My apologies.

Though if it’s so simple and not a threat to FLOSS, why do so many FLOSS not do this?

Of course, big FLOSS brands are not the ones we are talking about here. I’m talking about the millions of indie software projects. The long tail of FLOSS if you wish.

That one is under threat. @celia

@judeswae @celia I didn’t say it wasn’t an impediment or a problem; it certainly is another thing the dev needs to do, and (IIRC) has $ associated with it (I forget if you can get a signing key outside the dev program). I objected that “doomed” is hyperbolic. Plenty of small indie devs do, in fact, do this. Others don’t. They get to make that choice. The result will be a marginally sparser FOSS landscape on MacOS, but no great doom.

@a You can’t get the signing key if you don’t register as an AppleDev which costs money (yearly fee + Apple device)

And for a FLOSS defender, I find you pretty cool with the idea that Apple gets to decide which FLOSS software is worth for an individual to use or not. And overall if the FLOSS ecosystem loses some feathers along the way, that’s just natural selection. Right?
@celia

@judeswae @celia Ahem:

“I didn’t say it wasn’t an impediment or a problem; it certainly is another thing the dev needs to do, and (IIRC) has $ associated with it (I forget if you can get a signing key outside the dev program). I objected that “doomed” is hyperbolic.”

I’m afraid I don’t have time at the moment to defend positions you’ve made up for me. Have a nice day.

@judeswae Got a link to Apple's policy on this? Where can we submit feedback? Surely they want developers as customers?
