> If my app were to do something nefarious, my developer ID would get revoked and that would be the end of that.
Sure, but this strikes me as naïve. It can take less than being nefarious to get booted off of a service (like having an Apple developer ID), like having a corporation or government agency file a potentially unfounded complaint against you (as we've seen with YouTube videos and, this very week, Jotform's Web site).
The problem I have with Gatekeeper isn't in the pleasant, straightforward scenario Apple wraps into its copy. The problem is that giving a corporation direct control over whose apps can and cannot work on a computer by default is a setup for some depressing abuse stories that can only be rectified by turning off security or performing UI acrobatics.
The problem with your comparison is that the stakeholders of SOPA/PIPA are people who want to screw you. They don't care about your experience; they want to make the most possible money off you.
I'd argue that to Apple the consumers are their stakeholders. They want to do everything in their power to make the user's experience better.
If we see Apple pulling apps of honest hard working people then I'll eat crow but in the five years of the iOS App Store how many horror stories do we have (if any)?
I will continue to give Apple the benefit of the doubt until they do something to make me question it. So far I've never been inconvenienced and have only had a better computing experience since I got my Mac and my iPhone. That is why I, and many other people, will continue to use their products.
Most (but not all) orient around violations of Apple's developer TOS which are famously fickle and changeable. No emulators? Can't use "private APIs"? Microsoft was hauled in front of the DOJ for better. Could those using an Apple account to sign their non App Store apps be subject to similar, shifting rules about what's kosher and what's not?
And if Atari has really had apps pulled for supposedly bearing a "passing resemblance to an Atari classic", we're in weird territory. From my POV, there's just a creepy potential for blacklist first, ask questions later style arbitration on Apple's part.
As a once Apple fanboy who's still surrounded by Apple gear, this all seems a bit weird to say, but as a developer I'm not keen on this move at all.
On Thursday, when the company had a chance to edit the DOJ's antitrust remedy proposal, it added language stating that "nothing in this provision shall require Microsoft to disclose any internal interfaces of a Microsoft Operating System Product."
Throughout its edits of the DOJ proposal, Microsoft tried to draw a distinction between external APIs (which the company is willing to give away and already often does) and internal APIs (which it is fighting tooth and nail to keep under wraps).
Restricting access to and the lack of documentation for private APIs was a key part of the case, although due to its technical nature, was not particularly well publicized.
Apple is a corporation that is traded on the stock market. Their primary customers and their board of directors are the stakeholders, not the paying buyers. Hence, they absolutely want to screw with us if that is producing better stock prices.
In the past, Apple has done quite a nice job at still doing a lot of stuff that benefits us, probably by promoting long-term user satisfaction as their recipe for success. But at the end of the day, their allegiance probably lies with the stakeholders, and many of them are more interested in short-term earnings than long-term investment.
Agreed. It would be naive to think that the stock holders have absolutely no say. But Apple seems to have done such a great job at putting the customer experience first and making a ton of money off of it. They also have more cash on hand than God so I'm not worried about them tanking somehow and needing to gouge us anytime soon.
If all of a sudden Apple stops making money and starts doing shady stuff then I'll look at my other options and possibly switch again, just like I've done before.
Gatekeeper looks like it won't require anywhere near the UI acrobatics that are necessary to install an unsigned driver on Windows, and it will be easier for open-source developers to get signing keys for OS X.
While I can't say much bad about Gatekeeper (yet), I can't help but feel this article is a bit scare-mongery ("As Macs enjoy increased popularity, they become a more attractive target to identity thieves and other criminals. Sooner or later, bad people ruin every nice thing. It’s an immutable law of humanity.")
And I think the author takes a scary turn, in that he grows used to the loving walls of the closed garden. Just the quote ("You can let anything run on your system, whether or not it is signed. This is the Mac OS of today. It’s like having a jailbroken iPhone.") makes it feel like the walled garden of iOS is the norm, not a computer where you have full root access, and undoubtedly that kind of sentence has the average computer user thinking "omg, you mean my computer is out in the wild, just like a jailbroken phone? That sounds dangerous!" If this starts to become the prevailing viewpoint, it's lights out, free and open world.
[Edit]: Obligatory Ben Franklin quote: "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
This feature isn't for us. Playing Captain Hindsight and telling a regular user "you shouldn't have opened that suspicious attachment" doesn't get their data back.
Put simply, a computer is a dangerous tool in inexperienced hands, no different than a table saw or a gun. A user has the ability to do serious damage to themselves, by destroying or leaking personal information; adding a reasonable safety feature that is activated by default is not an infringement of your freedom when you have the ability to disable it trivially.
Now, if we're talking the App Store, then I agree with you completely. iOS should behave exactly like Mountain Lion, and if I had my druthers, the level of vendor lock-in they employ on that platform would be considered anti-competitive and illegal. If it turns out that Gatekeeper is merely a stepping stone to similarly walling off the Mac ecosystem, then I suppose I will have to eat my words.
For anyone who manages "IT" for their relatives, I'm sure they'll upgrade to Mountain Lion and lock down the application execution to "App Store and Signed Only" right away.
Some people have a talent for getting malware on anything.
Um no one is giving up any liberty. Apple is sheltering the uneducated until they are more learned. That is all.
If in five years I can only run apps on my Mac that come from the App Store then I'll eat crow, but I'd bet everything I have on that not happening, which is why I am an iOS and Mac developer.
I understand. Without talking to the author directly we'll never know if he especially crafted it to be received that way.
Personally I feel this is just the author's genuine opinion/enthusiasm for this topic coming out on paper. I think he believes (just like I do) that this should be the "norm" and is a correct step forward. I see this as how I would have a conversation with my parents and explain to them why Mountain Lion is going to be so great for them. Obviously I would be crafting the conversation to lead them towards this being the "norm" because I think it should be.
But again I am biased because I basically agree with the author wholeheartedly.
I don't think the fear is entirely unjustified. I always wonder, in the back of my mind, if the thing I'm downloading from a developer's site is the real thing or some kind of trojan impostor that's been shunted into place.
We depend on the "take one for the herd" principle where the first few people to get stung by the trojan will alert others and the app can be taken down. Usually this is quick enough to make the viability of this kind of attack limited, but can we truly depend on that?
Code signing not for DRM purposes but for identifying the vendor is a big deal. Most Linux distributions make a point of validating the MD5 or SHA1 hash of the contents, yet on OS X most just download and open without really thinking.
The "liberty" you complain about sacrificing is only one click away.
True, and I don't believe Apple is taking my freedom away with Gatekeeper (yet; always be wary of slippery slopes, though). The point I'm trying to make is that I think the article was written in a crafty way, so as to alter what its readers consider the "norm" and/or "right" as far as open vs. closed ecosystems go.
I honestly think Gatekeeper could be a good thing, and I would like to see a similar system be used to help open up iOS. It also appears that iOS and OS X will eventually end up as the same entity (which I also think will be a good thing).
I have no issues with signing applications and I heartily support it.
I have many (so many) issues with trusting Apple to tell the world which applications are the 'trustworthy' ones, when they have proven time and time again that they will purposefully hobble their software/devices in such a way as suits their business models and bank balance.
As a life-long open source enthusiast who has been pragmatic around the existence and use of proprietary systems, this entire situation is the straw that broke the camel's back. I won't give them any more of my money, regardless of how sexy the hardware is, because ultimately the Price is just too high.
"As a life-long open source enthusiast who has been pragmatic around the existence and use of proprietary systems"
If you're boycotting Apple over this, you're no longer being pragmatic, you're being fanatic. Yes, Apple has closed platforms (iOS, iTunes, Mac App Store), but they aren't adding Macs to that list or doing anything else objectionable yet. If you were ok, you should still be. Macs are, and will continue to be, awesome Unix workstations that you can run whatever you want on.
Apple also has nothing to gain from completely closing off OS X. It would destroy their developer base and be really bad PR, with only potentially a bit of added revenue (and Apple is anything but financially desperate).
If you're pissed that Apple is merely capable of acting unethically, and you're going to boycott them because of that, then don't call yourself "pragmatic".
I'm hardly being fanatic and I'm not "pissed at Apple for being capable of acting unethically". I simply don't trust them enough to act ethically; it's more of a resignation to that fact.
I have just reached the limits of what freedoms I am comfortable with relinquishing to Apple. Having to ask Apple for the permission to be able to write and distribute software that can actually be used on the majority of computers crosses that line for me.
I don't care if Apple has anything to gain from closing OS X, because it has become too closed for me to consider it a serious option anymore. That wasn't always the case. I've loved all my Macs, including this Snow Leopard MBP I am writing this on.
To boycott something would mean not buying something that you might have bought otherwise, 'as punishment'. That's really not what is going on here. OS X has changed in ways that make it no longer meet my requirements for what a computing device needs to be, so I won't buy another one. That's all.
OS X is not becoming more closed in any real sense. As described so far, launching an unsigned app (or even one signed with a blacklisted key), regardless of system settings, will take at most one extra click. If that's your "pragmatic" definition of "too closed", then I can't imagine what you must think of Windows these days, especially with what's on the menu for Windows 8.
You said before: "If you were ok, you should still be."
I wasn't OK with it when they introduced the Mac App Store; I got really unhappy with it when random open source tools suddenly disappeared offline and became $2 pay-to-play software on the Mac store. Then the sandboxing restrictions and now the signature things.
I never wanted to play in Apple's walled garden. It was fine when it was all the way over there on iOS. But the walls are going up around OS X as we speak, and someday they might even remove the back gate, but at that point it will be too late.
Because you will already be living in a world where to get into the nickel-and-dime scam that is the Mac App Store, you need to bow to Apple's wishes, which get even more erratic as it gets more powerful (see sandboxing).
For anyone who doesn't want to play on the App Store, they now have to get 'certified' by Apple that they are allowed to write software for the Mac. If you don't play by those rules, you can expect your software to be widely ignored regardless of the quality or malware status.
And really, the operating system is so much less important than the browser these days.
Don't go blaming Apple for Growl's dick move, or anything else that is similar. Anything that was truly open-source still is, even if future versions have gone proprietary. (And by the way, you can still check out the latest source code from Growl's Mercurial repo.)
The Mac App Store sandboxing rules, while not perfect, are obviously a good thing. Complicated pieces of software should come with ACLs. I really don't want to trust Adobe's stuff to not mess up my system or phone home with all my data. As long as the option remains to acquire software elsewhere (which it will!), the sandboxing thing is nothing to complain about.
And why do you assume that Gatekeeper will be so much more effective than UAC at stopping unsigned software from running? It really won't be hard for users to learn to open an app through the context menu when Gatekeeper complains.
"I got really unhappy with it when random open source tools suddenly disappeared offline and became $2 pay-to-play software on the Mac store."
This has nothing to do with Apple.
"For anyone who doesn't want to play on the App Store, they now have to get 'certified' by Apple that they are allowed to write software for the Mac. If you don't play by those rules, you can expect your software to be widely ignored regardless of the quality or malware status."
Sensationalist drama. The people who will be looking for software outside of the Mac App Store are the people who will know how to click to disable needing signing.
> I wasn't OK with it when they introduced the Mac App Store; I got really unhappy with it when random open source tools suddenly disappeared offline and became $2 pay-to-play software on the Mac store.
> As described so far, launching an unsigned app (or even one signed with a blacklisted key), regardless of system settings, will take at most one extra click.
That's not how it seems to me. From what I can tell, "cancel" simply doesn't move it to Trash, it doesn't let you launch it.
> they aren't adding Macs to that list or doing anything else objectionable yet.
Ah, but they are asking me to cede power to them. To trust them with saying whether or not the majority of users can, by default, run software that I may write.
Sure, they haven't yet abused that power, but I find their asking for it to be a bit objectionable on its own.
"Apple also has nothing to gain from completely closing off OS X. It would destroy their developer base and be really bad PR"
That is the situation today. But a few years down the line, when the vast majority of apps are signed, we find ourselves in a completely different environment. One where it becomes possible to prevent untrusted apps altogether, because there's not that many of them, and it will help "protect" users.
They're doing this now, to create an environment where they can do more in future. This may not actually be their plan, but it strikes me to be a very likely outcome.
There will be OS X jailbreaks of course. But how many people are going to feel comfortable voiding their warranty on an expensive MacBook?
"The Price" being that you have to click the "Allow unsigned apps" radio button if you don't want the system to bug you again? That seems like a much lower price than the actual price of their hardware.
"...when they have proven time and time again that they will purposefully hobble their software/devices in such a way as suits their business models and bank balance."
As pointed out in other Gatekeeper threads, it would be nice if users could choose which signing authorities to trust. Signing is a good security model, but a single authority sounds risky to me. Perhaps I feel that Signing Authority Foo has a better definition of malware (read: which certificates to reject) than Apple has.
Say you've made a bunch of apps and you are signing them and one day Apple judges that one of them is nefarious and revokes your developer key. Does that mean that /all/ of your apps will now fail to run in the "signed apps only" mode, rather than only the nefarious one? If so that's more punitive than the iOS App Store, where I've heard of individual applications being taken down but never of a developer itself being blackballed. (Will you be able to apply for another key? Will you have to play identity games to try and pass yourself off as another person?)
Secondly, I've said above that an unsigned app will no longer "run", which is what the language on the Panic blog implies. Will it really check the validity of the developer's certificate every time a program is /run/? Will you be happily using someone's app one day, and then the next day find it doesn't start up anymore because some other app from the same developer which you might have no interest in or knowledge of has been judged to be bad? That doesn't sound very user friendly. I mean, I would have assumed that such a check would only apply at /install/ time, rather than run time, but everything I've read so far seems to be leaning towards the latter.
(Sorry, doing a quick check before posting this of Gruber's article, which I hadn't actually read yet, seems to confirm that both of my concerns are real. Oh my.)
> Does that mean that /all/ of your apps will now fail to run in the "signed apps only" mode, rather than only the nefarious one?
Probably. From what I've read, it sounds like Apple's revocation mechanism more or less involves simply pushing a blacklist of keys. Thus, if your key appears on that list, none of your apps signed by that key will work.
Having read a few more articles[1] I should correct myself and say that the majority of those which explain how Gatekeeper will be implemented in relation to the "File Quarantine" feature state that the signature check will only apply the /first/ time that a program is run.
Collectively blacklisting all the works of a developer based on trouble with a single app is still a thing, though.
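As an added illustration (not Apple's code, nor anything from the linked articles), here is a small Python model of the launch decision as the comments above describe it: the check runs only while the File Quarantine flag is still set, and revocation is a pushed key blacklist, so every not-yet-launched app signed with that key is refused. The policy names, field names and sample apps are assumptions.

```python
"""Toy model of the Gatekeeper launch decision as this thread describes it.

Hypothetical illustration, not Apple's implementation: the three policy
levels, the first-launch (File Quarantine) check and key-blacklist revocation
are modeled from the comments; names and sample apps are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Policy(Enum):
    APP_STORE_ONLY = "Mac App Store"
    IDENTIFIED_DEVELOPERS = "Mac App Store and identified developers"  # default
    ANYWHERE = "Anywhere"


@dataclass
class App:
    name: str
    signer_key: Optional[str]     # None means the bundle is unsigned
    from_app_store: bool = False
    quarantined: bool = True      # set on download; cleared after an approved launch


@dataclass
class Gatekeeper:
    policy: Policy = Policy.IDENTIFIED_DEVELOPERS
    revoked_keys: Set[str] = field(default_factory=set)   # the pushed blacklist

    def assess(self, app: App) -> Tuple[bool, str]:
        """Return (allowed, reason) for a launch attempt; clears the quarantine
        flag when the launch is approved, so later launches are not re-checked."""
        if not app.quarantined:
            return True, "no quarantine attribute: previously approved, not re-checked"
        if self.policy is Policy.ANYWHERE:
            app.quarantined = False
            return True, "policy allows anything"
        if app.signer_key is None:
            return False, "unsigned: only Cancel or Move to Trash are offered"
        if app.signer_key in self.revoked_keys:
            return False, "signing key %s is blacklisted" % app.signer_key
        if self.policy is Policy.APP_STORE_ONLY and not app.from_app_store:
            return False, "signed, but not from the Mac App Store"
        app.quarantined = False
        return True, "signed by an identified developer"


def revoke_scenario() -> Dict[str, bool]:
    """Walk the thread's worry: one bad app gets a developer key blacklisted,
    and every not-yet-launched app signed with that key stops launching too,
    while an app already approved once keeps running."""
    gk = Gatekeeper()
    # Constructed sample apps, all signed with the same (hypothetical) key.
    good = App("GoodEditor", signer_key="DEVID-ACME")
    bad = App("ShadyUtility", signer_key="DEVID-ACME")
    already_used = App("OldTool", signer_key="DEVID-ACME", quarantined=False)

    ok_before, _ = gk.assess(App("GoodEditor2", signer_key="DEVID-ACME"))
    gk.revoked_keys.add("DEVID-ACME")   # Apple pushes an updated blacklist
    return {
        "before_revocation": ok_before,
        "bad_app_after": gk.assess(bad)[0],
        "unrelated_app_same_key_after": gk.assess(good)[0],
        "already_launched_app_after": gk.assess(already_used)[0],
    }


if __name__ == "__main__":
    for label, allowed in revoke_scenario().items():
        print("%-32s %s" % (label, "launches" if allowed else "refused"))
```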
So if I upgraded to that version (which, after the nightmares I've seen my fellow coworkers undergo after upgrading to Lion, I'm not very keen to do) I'll be greeted by a system that by default does not let me install any software except that approved by the OS maker without annoying me with scary warnings that will not even be read, let alone understood, by 99.9% of its users? I think I know one OS that already does that.
There was a view held by some that Apple innovates and then other companies (including a certain Redmond one) copy. Now it seems to be going in the opposite direction.
Windows Vista's UAC was to ask "Are you sure?" for everything, not just running applications. There was no whitelist of secure apps short of what was installed with Windows.
The major difference with Mountain Lion is Apple actually has an App Store which 99% of the people who need this feature will use by default.
Everyone else will turn off (or turn down) this feature just like they did with UAC.
Changing one setting so I don't get emails from my mother saying she ran virus.app and now her computer is acting funny is worth it to me.
No, 99% of people will be using whatever they used before to get programs. Because these programs won't be in App Store, at least for quite a while, so people will get trained in ignoring those warnings and turning them off.
The direct consequence of a system that brands thousands of legit and safe apps "dangerous" would be the desensitizing of users to this system, training them that the warnings the system gives mean nothing and the proper reaction to them is to turn it off. You yourself would do this once asked to install a new IM program that somehow isn't in the App Store. And then virus.app would have absolutely no problem running.
The app does not have to be in the Store, it only has to be signed by Apple. The default setting is to allow any app that has been signed by Apple to run. If a developer does not have the time in the next six months to sign their app then I do want a warning.
I agree with you in that too many modals can desensitize a person, but let us look at what would need to happen in this space.
Your average consumer would buy their new Mac with Mountain Lion and would immediately be prompted to look at the App Store. It is right in their dock and constantly promoted by Apple. This person downloads an app or two that they heard they MUST get (through friends/family/colleagues whatever). Some of the apps the person hears about are not in the App Store so they go to Google. Maybe they've been told about Adium or VLC or Chrome or Firefox or any of the other extremely popular Mac apps that have active developers. These apps are all signed by Apple because it takes like 15 min to get a certificate generated.
So now let's say we're at 4-8 apps downloaded. I would say a case could be made that your typical consumer isn't going to install 50 apps right after they get their computer, but let us assume they download some app that is not signed by Apple. They are prompted with this warning and here is the valuable first impression and the learning experience. If this warning can properly convey to the user why the app doesn't start then you've won. The user will either decide they don't want to run "unsafe" apps or they will change the setting.
This warning isn't going to be constantly popping up, because you wouldn't see this each time you went to run the app: you can't even run it. The only options are "don't run this" or "don't run this and get rid of it". The user can't just blindly click past this; they need to understand it before they can advance.
Now let's say your typical user sees this and is scared and decides installing this app isn't worth the risk. If for whatever reason they have been told to download a lot of unsigned apps they will then need to make a choice. Do I turn this feature off or am I OK with not having this app?
If you think the typical user is going to be installing dozens of apps from lazy developers then yes the user could be desensitized.
I believe that from past experiences we can see that even having to download a DMG is a jumping off point for so many people. Most users are going to experience this just a few times and if Apple controls the experience correctly then the user will be smarter and more protected than before.
Allowing only App-Store-signed apps on the Mac would be suicide for Apple. They know this. It wouldn't happen, and if it does happen, then it would mean the end of the platform. Techies only have locked-down iPhones and iPads because they can still run any open-source or third-party tools they want, whether to write their own programs or just create content like websites, or play indie games, etc.
It just won't happen. If anybody was going to do this on the desktop already, it would be Microsoft, and they've already made it clear that "trusted computing" is just a feature alongside that all-important cornerstone of computing: running whatever the flip you want.
Does it? Without strongly worded messaging, users would be apt to blindly forge ahead and run untrusted binaries, wouldn't they?
It's exceptionally frustrating to see this situation playing out. I really, fundamentally, do not trust Apple, but at the same time, this sort of pervasive code signing is an enormous boon to the majority of their users. And I think fear-mongering dialogs may be an important part of actually making that work.
That all sounded really thoughtful and was pacifying me until that very last bit ("One worrisome rift"). If Apple is going to make non-App Store apps begin to look inferior, then eventually they will want every one to move to their distribution network.
Agreed. I'm trying to figure out the logic behind the decision to restrict iCloud and Notification Center access to Apple-signed apps, and I just can't. If you have installed malware on your machine, you have bigger problems than a few spam notifications showing up.
The difference is that for those services, which cost Apple to provide on an ongoing basis, they want your app to go through App Review. I could easily imagine a poorly written app that still worked and was useful, but that caused a disproportionate load on the iCloud service, perhaps even through just a bug. If it went through App Review, Apple would be able to enter into a dialog with the developer to fix the issue.
If it was just signed and wasn't actually malware, then would Apple be able to legitimately disable all of that developer's apps because of a performance problem with just one of them?
Basically, signing apps provides some assurance against obviously ill intentions, but no quality control. Since it's your machine, this is a reasonable balance: if you're OK with an inefficient app that does something you need, then that's your choice.
App store apps can use infrastructure outside of your machine that is provided by Apple. This means they have a stake in quality control as well as assuring benign intent.
I guess that is fair. The point I guess is that developers will always be able to develop and distribute outside of Apple's channels, so I guess all this sky is falling talk is unwarranted.
I don't understand the "Move to Trash" default for Apps that are unsigned if your default is to only run signed apps.
I think the chances are greater that a user intentionally downloaded a piece of software that happens to be unsigned rather than unintentionally downloaded malware. Wouldn't it be more appropriate to prompt the user something along the lines of "This application was not created by a trusted developer. Run anyway?"
>So it seemed feasible that we’d wake up one day and Apple would decree that all Mac apps must be sold through the App Store.
>But instead, Apple went to considerable effort and expense to find a middle ground.
Offering an option to users that locks out even signed apps is a middle ground? Huh.