1,333 comments

[ 2.6 ms ] story [ 319 ms ] thread
Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
Can apple not use security certificates to verify publishers ? why does it need to go to their servers ?
They are checking for revoked certificates.
The URL mentioned in sibling comments suggests this has to do with certificate revocation (OCSP): https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

The alternative is OCSP being allowed if internet isn't available, which is a security risk for reasonable defense-in-depth strategies.
Most OSCP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt in, because having an always-online requirement for using a mac is ridiculous.
If your Mac is unambiguously offline it fails open. What it's handling poorly is the fail-slow case.
Ugh. IMO the network should not be on the critical path to running an executable.
Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.

I don’t think the design is wrong, I just think it’s tuned a little too cautious. If you’re going to verify certs then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.

There really aren’t any good solutions to this unless you can solve the cache invalidation problem.

The OP literally says if you disallow connection or unplug the intenret it does fail open.

I think it's probably an unintended bug that this failure mode was fail-closed.

The costs of this unintended bug are going to be huge to Apple's reputation, as demonstrated in this whole HN thread, where many assuming what's going on is even WORSE than it really is.

(Personally I think having signed certs (with opt-in ability to run unsigned apps, as MacOS has) is fine. And fail-open OSCP revocation check is also fine-ish, although it would annoy me if it's making it slower to launch apps on the regular. The problem here is a bug, not one of design. But most of this thread is assuming Apple was doing something different than this. Of course, how often a company produces fairly catastrophic bugs is also on them).

MacOS already fails-open if the OCSP server resolves to the local host (see: every suggestion to edit /etc/hosts in this discussion).
What’s the alternative tho?
Publish revocations as security updates to the OS?
Security updates take too long. How bout each copy of MacOS keeps local copy of revocation database, and updates in background?

Much faster, updates relatively quickly, and not subject to network outages.

I'd imagine that revocations don't happen often. And when they do, Apple has a perfectly capable infrastructure to push those small incremental changes on demand. It's almost as if they intentionally ignored such superior solution and chose calling home for other reasons...
That way (current) Apple also has the app usage statistic ?
You don't need an alternative. The entire concept is totally unnecessary.
A limited change would be to fail-open more of the time, e.g., if the OCSP server does not respond within a few milliseconds. (MacOS already fails-open in some internet scenarios.)

A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).

This is exactly right, and given Apple’s privacy commitment should have been implemented already.
(comment deleted)
Normally if there's no internet Gatekeeper instead checks the "stapled" notarization ticket from the notarization process. But since there is internet, and the ocsp server is technically "up" gatekeeper isn't checking the tickets.
actually I think the problem is not that it is not available, heck /etc/hosts fixes wouldn't work than. it's that it is unresponsive as hell, and they have no system wide circuit breaker, if it is slow.
I am calling an unresponsive service unavailable. I think we agree about everything else.
If it were unreachable then the daemon would fail fast. A slowdown on the other hand just makes requests to the daemon queue up.
> I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

Based on the OP tweet... depending on the way it is unavailable, the failure is indeed ignored in some cases. "Denying that connection fixes it, because OCSP is a soft failure (Disconnect internet also fixes.)"

So it may be an actual unintended bug that a particular failure path results in a DoS instead?

(comment deleted)
It does go locally if you are not on wifi. I thought the issue was my slow internet so I turned off wifi and suddenly everything launched just fine.
Note that it's ocsp.apple.com, not oSCp.apple.com.
dns is case insensitive
OP was commenting on the order of the S and C
parent is using case to highlight a typo in the domain name, not to imply that the problem is with the case.
"oSCp".ToLower() != "oCSp".ToLower()
(comment deleted)
(comment deleted)
it's transposed, not case difference
I'm sure if the SCP Foundation gets involved in filtering our applications, they have a very good reason, like keeping Zalgo out of our reality.
I would want to see what applications foundation is hiding from us. Like a FOSS version of Windows 10
Ahh, thanks for the hint. It was a bad typo, but I can't edit my post anymore.

Edit:

Just reached out to Dang with a request to correct my typo.

I started panicking mildly thinking my drive was failing or something.

And just before this, I finally managed to fix Spotlight pegging one core at 100% constantly. Next thing, I reboot into a laggy system. macOS is my favorite OS, but the shit I put up with... it's basically an abusive relationship at this point.

yeah, I had spotlight thrashing my disk too. Odd.
How interesting...Apple, couldn't, be doing a pied piper, right?

/s obviously.

> macOS is my favorite OS, but the shit I put up with...

Right there with ya.

Same. Panic attack. Thought the SSD was dying. I ran Disk Utility diagnostics and started coming up with plans to reformat and restore as a last resort.

Apple folks in this thread, this was terrible

(comment deleted)
I genuinely thought the same thing. I opened my MBP and it was sluggish, felt like it was dead. Browser wouldn't load, Zoom wouldn't load, I rebooted and the same problems persisted. I honestly thought the hardware was giving out.

I almost cannot believe the actual cause. Absolutely awful experience.

My condolences friend. Next time, be more lazy :)
Incredible I had the exact same thing. 2019 MB pro I bought for music production and ableton started to lag incredibly badly and the whole desktop was unresponsive. I started to search my email to see what warranty I had.
> macOS is my favorite OS, but the shit I put up with...

Idk, the several Linux distros I’ve used recently, and Windows, have a much longer list of “shit _I_ put up with”

Can you really think of a single thing worse than this?
Computer failing to turn on as a buggy, mandatory update has replaced broken or replaced a driver with a non-functional one.
Fair enough, but that's not a typical experience on either Windows or Linux in this decade - if that's happened to you, then I think you've just been incredibly unlucky.
It happens with forced win10 updates.
Albeit rarely, and with the diversity of commodity hardware out there, I would say that Microsoft has done pretty well with updates.

(P.S. I despise Windows from a technical standpoint though)

> with the diversity of commodity hardware out there, I would say that Microsoft has done pretty well with updates

This is a good point actually - with their walled garden approach, Apple has a much easier job with drivers than Windows or Linux have.

Of course, the end user may not care a jot, but it's an interesting point from a technical perspective.

It happened to me pretty much every other forced windows update, from broken graphics drivers to non functional start menu.

I just replaced that pos with a mac mini....

I use centos 7 for my daily driver, it'll get 8 on it next hardware upgrade. Touch wood not a single problem with that for years now, and amd5000/nv3000 are looking very tasty.

Nope, there have been a few issues with BSOD that have impacted quite a lot of people. The latest one was with nvidia drivers being old that caused BSOD after update.

In a previous company the IT dept had to revert a forced by MS update manually on each machine by “hacking” and deleting and replacing files as it was causing BSOD.

Disagree with Linux. I make an LVM snapshot before making any attempts to upgrade the graphics driver. It's a disaster. And don't say proprietary code, that's beside the point. Windows runs drivers in a way that one that crashes can be restarted without bringing down the kernel or the whole system.
FYI I've had the issue you describe half a dozen times with CentOS but literally never with Arch Linux (on both machines with similar nVidia cards, using the proprietary driver). In general I'm pretty impressed with Arch's package quality, I seldom encounter any issue and when I do it's patched very quickly.
Very true. I have used Ubuntu and Fedora for a while, but when I switched to Arch, I never go back. Arch is described as bleeding edge, but another way to put it is it always has latest software, which is what a dev machine should be. My experience with installing Nvidia driver in ubuntu is nightmare. Tried official repo then failed, and tried different ppa and then failed again and again. At last, I found that I have an older kernel version and I need to compiled a latest kernel which is not in official ubuntu repo. I gave up at this point because I don't want to compile kernel every time I need to upgrade. With Arch, you always get the latest kernel and you won't usually missing feature from using an old LTS kernel.
I tried Arch Linux in a dual boot scenario on this System76 laptop and I don't recall why I switched back... I think it's because I tried to upgrade the graphics driver and got into state where I couldn't get X to run at all.

A co-worker keeps telling me to try Manjaro. I'm just not sure if I want to spend a weekend reinstalling all the stuff I use.

My windows box has crashed over a dozen times in the past few years because of GPU driver issues with nvidia and amd
On the other hand I was gifted a 2015 MacBook Pro 15 and I can't run away screaming fast enough from it. I know people rave about the touch pad, but when I use it I find apps get minimized, or don't launch or some other weird gesture causing behavior. I guarantee that this is classic PEBKAC. The other day a family member with a MacBook Pro asked me to assist them with Safari which on launch wouldn't appear. I was able to get it to appear by using the Finder or something which allowed me to pin/size Safari to one side of the screen, but on appearing the window simply displayed a single pixel frame with a black interior. I liked the process, launched it again but it did the same thing. I told them they would have more success with Google than me. I have never had those experiences with Windows. Yes I've had other lame experiences, but I can always solve them, it at least find a solution online. Again probably PEBCAK so no fan boy retorts please. In the end all programs and operating systems suck.
I’m personally quite a big fan of the trackpad and gestures but I understand that they take some getting used to. If they are causing you frustration then you can turn them off under system preferences > trackpad in the “scroll and zoom” and “more gestures” sections. I’d recommend keeping most of the scroll ones and disabling most of the others, then one by one turning on any of the ones you think would be most useful as you get more used to them.

As for the Safari issue, I have no idea off the top of my head.

I have to say I also don't understand all the fanfare for the MBP trackpad. I have a 13" 2016 MBP, and I actively dislike the trackpad. You need to use far too much pressure to "click" (even when the resistance at the lowest setting), and there is something "off" about the mouse pointer tracking - I can't figure out what it is, like if it feels too smooth, too jerky, I don't know, but it feels wrong somehow.

Oh, I do like the gesture support, though even Windows 10 supports gestures nowadays.

I think you can enable tap to click
I believe you must have been using Windows 7 without updates for the decade, because with windows 10 every[1] update[2] borks the system so much that Microsoft had to pull updates. And last but not the least, a big guide to fix problems caused by a forced, mandatory windows update[3]

[1] https://www.techradar.com/in/news/microsoft-kills-off-window...

[2] https://www.techradar.com/news/dont-install-this-windows-10-...

[3] https://www.techradar.com/in/how-to/windows-10-may-2020-upda...

Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.

Apple may suck, but it still sucks less than the alternatives

> Meanwhile on Linux, I cannot upgrade to the new kernel that contains a lot of support and fixes for my new shiny AMD Ryzen chip because it completely breaks the Nvidia driver, refusing even to boot.

Well that's the problem with Linux distros for the desktop in general. A user upgrading a newer version of a single system component risks breaking the whole desktop: systemd, libdrm, x11, whatever and something else doesn't work. I'm even excluding drivers here but again it's clear what happens when a user finds that out for themselves on Linux. If they even have the time and energy to do all that digging and googling of cryptic errors.

To save yourself the time and frustration, Just keep using Windows 10 with WSL2. I don't have any reason to dual boot to a Linux desktop any more due to this.

And I believe you must not have been using Windows, and are relying too much of news of incidents affecting small numbers of people.

It is - quite clearly - a gross exaggeration that "every update borks the system".

Aside from MacOS, I use Windows 10, and have done for several years. I have the Microsoft Action Pack, which means I get multiple Windows 10 Enterprise licenses - and no forced updates.

If by this decade you mean 2010 - 2020, I have enough Linux examples.
I presume you mean desktop Linux - I admit haven't tried a desktop edition Linux in this decade, so I might me off there.
Desktop Linux on an Asus laptop officially sold with Ubuntu on it.
Happened to me with a stock install of ubuntu after an update about 9 months ago.
- Eternal maze of control panel that's now split into two.

- Lack of little useful apps in the $10 range. Windows seems either freeware or costly bloatware.

macOS' problem is fixable but OS being worse isn't something you can wait to get fixed quickly.

Why wouldn't Windows update deleting the user's files be worse?
That might have happened for a small number of users, but it was an isolated incident, not a "feature" pushed to every Windows user.
That has happened for the last three years in a row.
(comment deleted)
When there's filesystem corruption on boot, Ubuntu throws you into an (initramfs) shell and tells you to fsck manually.
Is it better than a message to take it to service center?
Depends on what technical level you have, how much time you have, and what's on your storage device.
My Lenovo Windows laptop came installed with malware that MITMed all my https connections and also allowed anyone else to MITM all my https connections.

https://en.wikipedia.org/wiki/Superfish#Lenovo_security_inci...

That's terrible, but it's not the fault of the OS vendor; presumably such a malware could be distributed with any OS.
Ironically, it couldn't be with macOS, which this whole thread is about avoiding.
It certainly could if Apple wanted to do the same thing that Lenovo did.
Would MacOS actually have prevented it? Would Superfish just have simply signed the binary? Sure it wouldn't have started up when the Apple servers are down, but that's a very small percent of the time.
Well, you're using the wrong distributions then. Use something stodgy but solid like stable Debian or a recent but not bleeding edge version of Mint and you should not have all too many things on your shit list. It won't be empty - printing will still trip you up every now and then, just like it does everywhere else to give an example - but it will mostly ' just work' unless you're trying to install it on truly exotic (as in "released this week") hardware. The overall facepalm experience will be comparable to that on Mac OS, better than that on Windows. Add to that the fact that it is free in every sense of the word as well as the glaring and welcome absence of draconic "features" like the one discussed in this thread and those Linux distributions will start to look very tempting.
Debian has abysmal hardware support( well gpus mostly). They need to do something about their kernels, my RX5700XT is miles ahead with the current kernel compared to whatever debian 10 ships.
Debian's default position is to only ship "free software" (OSS, libre, etc).

It is my understanding that a lot of modern GPUs that are cutting edge ship with non-oss binary blobs, which goes against Debian's core principals.

Unfortunately, it means that Debian has poor support for hardware vendors that mandate these binary blobs.

Neither AMD graphics nor Intel integrated graphics require a blob. nVidia is the only one of the big three that requires a blob for full performance.
AMD graphics require a firmware blob for all modern cards [0]. It used to be that the firmware was only needed for 3D acceleration and you could run X/text mode without the blob just fine, but that hasn't been true for years (I think since HD6000 series in 2010).

[0] https://packages.debian.org/buster/firmware-amd-graphics

My gpu works fine on newer kernels. It's not about blobs, debian is just slow.
Debian stable is meant for servers, use unstable (it's quite stable!) or stable-backports if you want a recent kernel.
> Windows, have a much longer list of “shit _I_ put up with”

Yikes. This is painfully true. Maybe Apple knows they have a ton of breathing room here.

I’ll jump through a few more hoops to continue using the machines they make. Then again all I do is edit text.

Perhaps the issue is, it didn't used to be like this.
The thing you get with Linux is "more _predictable_ shit to deal with", not "less shit to deal with", no large capable desktop OS is perfect and never will be.

Anxiety from what Apple's agenda will do to your computer next update? anxiety from if a 1hr windows update is awaiting you when you turn your pc on? ... Linux awaits.

Linux awaits and then when it comes it borks WLAN driver, because canonical decided to replace a perfectly working one with WIP FOSS alternative, forcing users to switch to cable LAN until it reached feature parity.

Linux awaits and then when it comes it borks AMD driver, because AMD decided not to support older cards on the new FOSS driver, and the old perfectly working driver is not compatible with modern kernels, driver ABI be dammed.

Linux awaits and then when it comes it breaks hard disk encryption forcing a full install, and feeling lucky that I actually backup /home regurlarly.

Linux awaits and then when it comes half of the stuff doesn't work in Wayland.

Eventually I rather just deal with macOS, Windows, Android and leave Linux just for the kernel itself.

I haven't had to deal with any of that, but I've had Windows straight up refuse to boot multiple times and the only fix I found was to reinstall. I've now had to advise multiple people who couldn't turn on their WiFi in Windows (the switch just did nothing). I also couldn't fix that without a reinstall (not for a lack of trying). My family iMac refuses to import photos from an iPhone into Photos, failing the transfer silently. I have no idea how I'd even go about fixing that besides calling Apple and forcing them to fix it.

No man gets to deal with all of the possible computer problems, thankfully. But in my experience, most Linux problems have been fixable and I managed to fix them, while more closed OSs have left me stumped many times. I no longer believe that a computer can work without problems, so my priority is making sure that when problems appear, I can diagnose them and fix them easily.

Windows sometimes has these artificial problems, purely for market share play. Hell, I'm still a bit angry at them because of what they did to RE-DOS with Win 3.1 Beta. I was working in a small computer shop and we were blindly recommending MS-DOS as we were sure RE-DOS had compatibility problems. The tracking, and the constant nagging, silly software signing shenanigans...

So I agree, Linux problems are usually much more fixable.

You can see debug logging about photo import in Console.app. When I do it, it takes forever but eventually works.
Thanks, I already tried that. It does give an (easily missed) error from the underlying library there, but it's just some number that some other people are also complaining about on support forums.

If you have any other insights, I'd be happy to hear them. We have a workaround, but It'd be nice to get imports working again.

Well, that's why I use nixos where I can just easily rollback select programs or even my entire system if some upgrade goes wrong.
To each their own I guess, but in 20+ years of using Linux I've never had any of those issues. Maybe it's because I'm cheap an I run it on older laptops.

As for Windows... really no issues there other than forced errors of whatever absurd company policies are in place that cause software I don't want or need being forced on my machine.

Hell no. I work with RHEL every day, and while I'm by no means an expert, I would say I'm reasonably proficient with Linux.

Every time I've tried using Linux on the desktop, it's worked just fine until I tried to update something. Sooner or later, there's some broken patch or some incompatible thing here or there that breaks my window manager and throws me to the command line, ruins my network settings, overwrites my boot config or some other maddening mess. Linux works brilliantly, AS LONG AS YOU NEVER TOUCH ANYTHING

That's true in most Linux distros, I've been there, even with the most robust ones (like Debian). But then I found Manjaro, with a semi-rolling update system, that is a perfect balance between recent version updates and rock-solid stability.
(comment deleted)
I've been using Linux as my primary OS since 2008

Today my mouse and keyboard were acting as if they weren't plugged in. Just no power, no reason, no change. Reboot fixed it for now

The thing that's changed recently is that I had to update the kernel to support my audio interface.. which was also a pain in the tits

The only relevant search results are StackOverflow spam talking about a version 10 years old

Linux awaits

Linux doesn't force you to sign your binaries or lock you out of devices you own.
> macOS is my favorite OS, but

Ain't that the truth with every OS. I use Windows for gaming, PopOS for work on my desktop and MacOS for work on my laptop. The amount of weird issues is about constant.

> The amount of weird issues is about constant.

But linux is free both as in free beer and in free speech, windows required you to pay the Microsoft tax to use, and lastly macOS required you to pay a premium on hardware.

True. Linux is the best value and the best developer experience IMHO - unless you need commercial software that is Win/Mac only. Even then you can virtualize which is safer too. I can also easily get a Darcula theme OS-wide for Gnome so..
That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.

Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.

And what premium do Mac hardwares have? It seems I paid what they deserved as I can't find anything better in the market. Even moreso now that M1 is out, it seems all Windows machines have premium.

If Windows is working for you "without a hassle", you must be using some version that us mortals can only dream of.
What hassle do you have these days?

Yeah, I don't use peripherals as it's only a gaming machine (I don't see other reason to use Windows) but it's working as intended for years.

Activation, for example. An activated and running Windows system can turn into a nagging SOB by something as simple as enabling a motherboard's Ethernet adapter in BIOS.

A level of detail I value is that none of that BS is baked into systems I use. Doesn't matter whether those who did not do so were paid for it or not.

I didn’t even have to reactivate after changing my MB. I never had to reactivate an activated Windows 10 in general.
I had a new mobo broken in 1 week and replaced it with the same model and it ended up license being invalid despite the mobo being the exact same model.

I had to make a phone call since none of the methods Windows or the internet suggested worked and that phone literally took 30 min to reactivate my license again. That wasn't fun.

Had this happen to me after installing a secondary SSD. Windows was deactivated, and wouldn't reactivate. I ended up having to use the Windows Restore tool before I could activate again. Having to reinstall all of your programs is never fun.
If only there was a way to get LTSC as a non-institutional customer and a way to activate it.

(wink wink)

I also don't get about this complaint about Windows. I had as much problems with as my Macbook...which is almost always never.
>> That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.

>> Paying $100 for Windows seems like a better solution if you just want a working OS without a hassle.

I've been running Fedora for 15 years and haven't had any of those pesky Linux issues for at least 8 of those years. Meanwhile, I was issued a new Windows laptop at work just last week and it Sucks pretty bad. It's smooth and polished, but with all the advertising and "first ones free" preinstalled shit it feels a lot like Facebook rather than a computer. I'm glad its me-at-work being monetized and not me at home...

> working OS without a hassle

I can't help but think you meant, "I've accepted there's no real way to salvage and diagnose my computer when it breaks so reformatting it has become second nature. I always keep an up to date Win10 install USB ready, and I even have a second hard drive that I keep all my files on."

With Macs, you have to put up with MacOS and Apple (one big premium is lack of choice). It's also not that easy to self-administrate without MDM, and software options are relatively limited if you come from either Linux or Windows.

Oh come on stop spreading the Windows 98 old stories. Windows 10 is a piece of crap spyware but it is stable.
They completely broke Alt-Tab in 20H2 so no, it's not.
The unspoken rule didn't change because it's Windows 10: never install a fresh release of an OS right away (I'm still on 20H1). And judging by the comments I read here it's true for MacOS too.

FWIW I switched from XP to Vista 1 or 1.5 year after its release date. It has been a great OS for me, I never had a problem with it (except that it's then they started with the bullshit telemetry).

Of course YMMV, but since late Vista stability isn't a major issue anymore.

We have >8K active Win10 workstations on our domain.

I wish you weren't wrong.

I'm a software dev but since we're only 2 techies at work I also maintain about 40 Windows PC, 3 Hyper-V hypervisors (with something like half a dozen Windows server, the rest are Linuxes) and the printers.

If Windows 10 was unstable I should be swamped. But I spend more than 90% of my time on software dev.

And the machines are not new with fresh installs, I all migrated them manually from Windows 7.

Never reinstalled Windows unintentionally at least for the part 10 years.

> software options are relatively limited

When was the last time you used macOS? I see the options limited on Windows rather and even moreso on Linux.

> That freedom of Linux comes at a cost that people aren't paid to take care of the level of details other OS have.

What do you mean "take care of the level of detail"?

I can download Debian right now, install it on hardware in about 10min, and get everything to work rock solid without any hitch.

I can't say the same about either Windows 10 or macOS.

In fact, I had mojave crash and reboot more times in the last month than Ubuntu 18.04 since it was released, and mojave is preinstalled in its own target hardware, which is supposed to be high-end, while Ubuntu is installed on a cheap laptop that cost between a third and a fourth of my apple laptop.

What exactly do you mean by level of detail?

macOS I understand, but what machine do you have that Debian will work but Windows won’t?
Maybe the desktop environment itself is fine but for third party apps I don't see $10 range nifty apps that boost productivity on Linux.

Half of the apps I use are on Linux as well but that won't get me to the productivity on macOS.

> macOS required you to pay a premium on hardware

Or just run macOS in a virtual machine

It comes with the cost of a comp science student debt and manhours to poured into.

It wouldn't be necessary if people standardized & automated the sharing of workflows and finding of problem solutions.

I never have problems with the new MacOS or iOS. The trick is to just wait for the X.1 update.
This is happening to Macs running Catalina and Mojave, not just those that upgraded to BigSur.
My music software became completely useless on catalina, and I was also running into issues with spotlight so I disabled it. I downgraded(painfully) to Mojave and my system is so much speedier. wish I could completely switch to linux.
yeah, but in the end, choice of OS is secondary to choice of application. I'm staying on Mojave for the foreseeable future, but I'll stay with Mac because Logic Pro is not available on any other platform. Sometimes applications are fungible, or you're lucky and your critical application is available on multiple platforms, but sometimes there are only certain applications that can do what you want. I run a MacOS System 7 for software to edit my Yamaha VL-1. I run MacOS 9.2.8 due to hardware drivers for a Korg OasysPCI. I run MacOS 10.6.8 Snow Leopard because is is the last OS that runs rosetta and keeps numerous PowerPC apps that never made the jump to Intel. I'll keep Mojave running when eventually I have to jump to Arm because I'm sure a lot of the software I run won't make the jump to Arm. I'd LOVE to drop any of those systems, but each exists because there are applications that do not have replacement on modern OS'es.
And that, my friend, is exactly why they bought Logic. Don't know if you were in the music game back then, but they way it played out was:

- Logic had the pole position for non-pro-tools music at the time, and sold (IIRC) for about $600

- Apple bought Logic and stated publicly "we will not discontinue it on windows"

- I think a year later, might have been two, they cancelled it on windows

- Some time later, they dropped the price, and also put out garage band, using Logic's engine.

- Logic's product roadmap (from what I've heard) became more general user friendly (can't attest to this personally though)

Basically, anything Apple owns becomes part of the plan to get you on a mac and iEverything, secondary to whatever it's originally purpose is. I won't touch any music software now that doesn't run on at least 2 operating systems. Fortunately most of them now realize the importance of this.

I'd recommend looking at other options like Reaper, Cubase, or Digital Performer, all of which have been improving steadily and can on windows or OSX.

Personally I'm sticking on High Sierra, and doubt my next machine will be a mac. Man I'm going to miss Bash everywhere though. Sigh

This happened to me too! What the hell.
If I do any simple math calculation in Spotlight it pegs all cores at 100%. Its easily reproducible and really annoying because I've used spotlight as a calculator for years.
I finally think I found a fix for this, toggle off and back on the Calculator service in System Prefs > Spotlight.
Just wait until you can only run signed binaries.

As developers and engineers, we ought to be jumping off this platform like a sinking ship. It's clear that they want to lock it down like the iPhone. Why else would they be measuring which apps are in use if they didn't want to control it?

If your argument is "compatibility research", you're missing the other warning signs.

(comment deleted)
Found another reason for me to not get a Mac
You can't go wrong with a ThinkPad. I switched from Mac to a T480 with Arch for dev work and it's been great.
If they brought back taller displays I’d be right there with you.
Check the article on anandtech about the new Razer laptop.

Disclaimer: not affiliated.

They are, next crop will be 16:10
Another poster mentioned the Huawei Matebook Pro has a 3:2 screen. I'm now looking into getting one for that reason alone.
I'm running a bunch of ThinkPads with Fedora & all works fine (and worked fine for years).
We’re running Thinkpads at work with fedora and they really don’t.
Any specifics what does not work ?
Hibernation. External monitor support is buggy. Pulseaudio is buggy with external microphone. IR camera face login isn't supported. Fingerprint scanner isn't working properly at login after sleep. Sound from internal audio is much worse than was on Windows. No app I know of can reliably share screen on Wayland.
Very true. Run FreeBSD and OpenBSD on Thinkpads at home and work and life's a peach...
Huh apparently I win by still being on an old OS version?
My policy is to never upgrade anything until everyone I know has upgraded to the next version and not downgraded after N weeks.
My policy is to upgrade my secondary/personal/low importance computer on day one and my primary computer a few weeks later.
LOL, my policy is to never major-upgrade the OS the machine came with.

I have machines around the house with OS'es going back a ways...

This is the correct policy. I upgraded my mac because I couldn't install a certain application on the version I was running and now it runs crazy hot and the fans run on full blast whenever I watch a video on the internet.
Depends on how old, I guess. I'm running Mojave, and ran into the problem.
Right around this same time, I had 1 macBook hard reboot (watchdogd timeout) and shortly thereafter, a second macBook froze, fan maxed out, with the display not coming up. Then it rebooted into recovery mode.

Yeah, these _could_ be unrelated issues to what has been going on in Apple land today, but it's uncanny...

I keep reading in the tweets how all Macs are unusable. Is this an OS bug that doesn't effect older OSes? I'm on Mojave on my 2017 MBP, and have had zero issues at all.

When was `trustd` introduced?

`/usr/libexec/trustd` exists on Mojave, too. There's a (very unhelpful) manpage.

I think you were just lucky to not open non-Apple applications during the outage.

Checking for notarization on each launch was introduced in catalina. Older versions have trustd, but it was only used for the gatekeeper checks added in 10.8.
I ran into this on trying to load a new video file on VLC, with Mojave, so I guess it's not just apps, but maybe any new file load.
My 2018 MPB on Mojave had some serious issues launching apps for a little while yesterday (3PM central) afternoon. It seemed to resolve within an hour though. Not sure how that lines up with the outage described here.
I discovered this by running unbound – a DNS server – locally (block some unwanted hosts and do dns over TLS). I guess the rest of the story is pretty obvious; having your default dns server not being able to resolve because you're trying to verify it – since you cannot resolve your verify hostname – is obviously Not Great. As you can imagine, there is no waiting in the world that fixes this. I couldn't kill (-9) the process either; had to reboot into safe mode, rename the binary and switch the default dns on the network.
So yesterday I wrote about the blurring lines of ownership, and people came back with some fairly disparate responses. It's fair to say that I was mostly dismissed. https://news.ycombinator.com/item?id=25058952

And this is why I won't be moving to Apple silicon. Apple already has the ability to restrict whats apps I can run (they can simply toggle a switch for all users to "no unsigned binaries"), and congrats! Apple is the sole decider of what we get to use on our computers.

Of course Apple's Craig Federighi assures us that the people making such assertions are "tools" (https://youtu.be/Hg9F1Qjv3iU?t=3177 , timestamp 53:33) and they have no intention whatsoever of taking away our ability to do general compute on the machines we buy and own.

Except...

Apple can already decide what binaries you can execute. Should they choose to.

Apple is now restricting what other OSes you can boot into. As they've chosen to.

Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.

It's clear where they're going. And I'm jumping ship. It's painful to do so, given how invested I am in the ecosystem, but we're already beyond the threshold that many of us would have left earlier in the decade.

---

edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer. Most non-Apple laptops don't have very good color accuracy. They also don't have good trackpads, and their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad so that I don't have to carry around a mouse, good speakers would be a plus, and light enough that I don't feel like I'm lifting weights while working on my laptop. And this package should ideally come with 512GB of SSD storage and, at least, 16GB to 32GB of RAM.

Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

Any suggestions?

2012 Macbook Pro. Get the highest-spec Magsafe laptop you can find.
I second this. Catalina runs great on my 15" mid-2015 16GB/1TB, and it even runs shockingly well (bootstrapped) on my (unsupported) 13" mid-2009 8GB/512GB.

The 2009-2015 era of Macbooks are, not were, truly phenomenal machines.

Ugh i actually considered buying a 2015 mbp to replace my 2016 when it died for the last time THIS YEAR
What does bootstrapped mean? I’m surprised with Catalina running well on a 2009 MacBook. I felt it was slow on a Mac Mini 2014 where it is supported and went down one version.
Are there no other suggestions beyond the 2012 MBP?

I use arch linux on a Lenova Thinkpad T580, and I'm really happy with it, but I'm not sure about the colour accuracy of the screen. I doubt it's as good as you find on an Apple.

I, for one, am really interested in good, high quality alternative to apple laptop hardware, that meet the parent's criteria.

I just got an eluktronics. Basically barebones powered up systems. I got one running windows but that's only because I need the ableton software.
My partner bought a razer 13 inch to replace a MacBook Air. It wasn’t cheap, the build quality is excellent and it handles everything (she’s in an orchestra and records her parts on it, does graphic design and sometimes plays fortnite.). The screen is quite nice and the build quality is better than my system 76 (onyx pro) which I really like too.

Dave2d on YouTube gives pretty short and decent laptop reviews. I think he has a discord channel discussing the machines too

My 2017 razer stealth 13" has rather questionable build quality.

* Once a month or so, the touchscreen flips out and starts registering dozens of random finger taps per second. There are tons of complaints on the internet, but Razer never acknowledged it as a known issue.

* One of the long rubber pads on the bottom fell off after about a year and a half.

* The USB-C power cord's insulation was frayed from day one.

* When running Linux, the kernel continuously reports "correctable" pci-e errors, indicating a signal integrity issue. I had to turn down the verbosity of the messages to keep from spamming the journal.

* When running Linux, a monitor connected via HDMI has random "snow" noise. When playing any sound through the builtin speakers, the monitor blacks out every 10 seconds or so. Plugging in headphones "fixes" it.

* The bios' ACPI implementation is buggy and doesn't properly report whether the lid is open or closed. As a result, the laptop sometimes fails to go to sleep when I close it, and sometimes fails to wake up when I open it. It works most of the time but not always in windows, and linux got into a perpetual sleep-wakeup-sleep loop until I found the right workaround.

* A plugable brand thunderbolt dock "glitches" every 10-20 seconds when typing on a USB3 keyboard. Plugable claims it's due to buggy Intel firmware in the laptop. To be fair, a different brand of dock works fine, though.

Many of the signal issues can be caused by a faulty or low quality power supply. It took me a good half year until I finaly fugured why my Thinkpad touchpad and screen was acting up similar to your description. Turned out that my 65W power supply from Amazon was causing all the issues.
I never bought a Razer product because every time I'm looking at one I see negative reviews about their reliability.

It boggles my mind how they can be so successful.

Yeah so basically in the windows world, a lot of the good laptops are under the "business class" of the various manufacturers:

Dell Precision, HP Elite Book, MSI Prestige

In the consumer world the Dell XPS, Asus Zenbook, Asus Pro Art are the way to go for a designer.

Dell Precision is probably the overall best laptop. MSI Prestige is targetted right at you though, with color accuracy and a good display. The only brand I can personally vouch for is Dell. I and my partner use XPS's, and a good friend of mine has a super nice Precision that I am jealous of (specifically the ports! I'm so over USB-C)

Lenovo Thinkpad is another popular line, seems conspicuously absent from your list. They're known to have good resale value, and to work well with Linux. If you're getting up to the Precision line, the Lenovo P series workstations are also worth considering, though given they're actually professional-grade machines with Xeon and Quadro parts they'll be more expensive than a Macbook Pro.

There are also boutiques like System76, that white label, upgrade, and manage driver compatibility for Clevo laptops which may be worth considering, they just came out with a new Lemur Pro like yesterday.

Having used everything from xps to surface book 2, no laptop comes close to a ThinkPad. I am pretty much a fanboy of ThinkPad keyboards
I used to be too, until they changed them
Lenovo might be known that way, but they are exceptionally bad at supporting Linux. https://www.notebookcheck.net/Lenovo-admits-ThinkPad-CPU-thr...

As far as I know this issue is still not fixed so I have to use this hack: https://github.com/erpalma/throttled

I’ve also had tremendous Thunderbolt-related firmware issues that could only be fixed in Windows. If you use Linux, there are much better options than Lenovo. I still use my T480 daily but I miss my old XPS 13, which gave me no issues ever.

I run Linux (Debian) on my Lenovo X1 Carbon and it works perfectly.
Linux works perfectly on mine as well, but I use Fedora.

The trackpad is bearable, and I have a 3rd generation so my 1080p screen isn't IPS, but it works well enough for $200.

Not sure about Carbons, but for T-series there are aftermarket IPS displays that you could swap for the original TN ones. Could be done in 30 min, with no previous experience, just with the service manuals from Lenovo and enough dexterity to handle a screwdriver.
>Lenovo might be known that way, but they are exceptionally bad at supporting Linux.

Absolutely no trouble on x395. It's been running Linux (Arch) for a year, and it is my main system.

Piling on to say I cut on teeth on Linux installing Breezy Badger on a Thinkpad T20. Since then I’ve never struggled with a Debian based OS on Thinkpads.
Thinkpad was one of the first laptop series which supported Linux explicitly.

Their competitor was Compaq NX series (HP EliteBook of today). Dell was late to the party and closed the gap by actively developing software for Linux (DKMS, Privacy Drivers, etc.).

I don't think you can conflate classic Thinkpad and current "Thinkpad".
Why not?

Lenovo's ThinkPad line is still quite differentiated from their other offerings. What are your objections to it?

When IBM didn't like the panels they could source for Thinkpads, they started a new company called International Display Technology to manufacture panels they did like. Thinkpads used to be special.

While it's entirely possible there's a connection between decisions like that and IBM's PC division being unprofitable enough they sold it to Lenovo, it might be reasonable to hope that Lenovo would make the effort to offer competitive panels when it's obviously possible for their competitors to source them.

Are they doing anything to prevent Linux from running well on them? As far as I can tell, since all big three (XPS, EliteBook and Thinkpad) are considered enterprise devices and their BIOS, IO tables and hardware layouts are crafted with Linux compatibility in mind.

They're explicitly sold with FreeDOS option to imply that you can directly install Linux on them.

Even my run on off the mill desktop shows more soft-errors about IO layout and memory mapped devices on board.

Exceptionally bad is a bit harsh. Windows is first tier support with Linux coming in as a second. In my experience they are pretty good about fixing remaining issues in firmware updates, which can be installed using fwupd (I don't have a Windows partition at all). I belive there's even a GNOME Software front-end if you prefer things being very easy.

I don't need to use throttled on my X1 Carbon 7th and they recently added mainline support for the fingerprint reader. All I had to do was enable it in GNOME Settings.

I have X1 Carbon 7th and need to use throttled to get full power.

Try to run performance test with s-tui if you see a difference.

On Arch the command to enable the fix is:

sudo systemctl enable --now lenovo_fix.service

I love my X1 (also 7th). This is the laptop which made me retire my actual desktop. Bought a docking station and a MOTU 8A for sound connectivity, and have no need for a classical desktop since.

I am not into gaming or graphics though. Still, with my (unusual) usage pattern I get almost 10 hours battery life time on the road, and all the CPU power I need locally. For heavy stuff, I compile remotely anyway.

I can't stand the (lack) of brightness on my X1 7th gen. Is that not a problem for you?

I can't for the life of me get it to be bright enough to use in a lit room. A bit of hyperbole here, but I basically have to hide in a closet and stuff a towel under the door to see the fucking screen. I love the keyboard, but I basically won't use the thing now because it's such a drag to use.

I don't think I've ever even set my 7th gen X1C to full brightness, it's perfectly usable. Is this a problem you tend to have with screens?
This is the only screen I've ever had to fight with to get something bright enough, and I'm nearing 40 so I've been through a metric buttload of computers and screens. It is hands down the worst screen I've ever had (and I still have a couple ~ 2006 20" acer lcds pressed into service in various comms closets and shop space in my house). The brightness on these is appalling and it doesn't help that Mint insists on resetting the brightness to 60% on every boot so I feel like I'm trying to walk through a house of horrors with only a single birthday candle for light.

Edit: the joke is that the house of horrors is my code

I had similar thoughts after purchasing my X13 AMD, not sure if you're experiencing the same thing I did. I was extremely disappointed with stock brightness when I first turned it on.

Turned out windows power saving and battery settings actually capped my brightness. So my user-controlled "100%" (via keyboard) actually becomes more like 60%, depending on the power profile.

As soon as I got a new m2 ssd, I shelved Windows and installed Fedora WS, which has no such issue. That is, if I say I want 100%, it obeys.

You can quickly test with either a live USB, or tweaking your power profiles.

I am blind (no joke), I couldn't care less about brightness :-) Well, actually, no, I execute a script after boot which basically does:

for backlight in leds/tpacpi::kbd_backlight backlight/intel_backlight; do dir="/sys/class/${backlight}"; if [ -d "${dir}" ]; then echo 0 > "${dir}/brightness"; fi; done

The firmware issues are fixed just fine with fwupdmgr. It also integrates nicely with Gnome.
You can even buy thinkpads with ubuntu out of the box now, so hard disagree.
I don't know about Ubuntu, but Lenovo offers machines with Fedora already installed.
> Lenovo has now admitted to the problem – and announced that it will be fixed.

How is that exceptionally bad support? I'd say that's the opposite.

I get firmware updates on my X1C because Lenovo decides to work with fwupd and the open source community, something most manufacturers refuse to do.

Check Thinkpad screens carefully as a lot of the new amd ones come with terrible 'business class' screens that I don't want to use as a developer, let alone as a designer .. and a repairman told me they are glued on these days so you can no longer swap them as you used to be able to.
Can confirm. I made the mistake of buying a T14s with a Ryzen 4000 CPU in it

The screen was something like 30% color accurate

Using something like F.Lux or Redshift to shift the color space at night resulted in...this

Linux: https://www.youtube.com/watch?v=UhLBx4mmPrM

Windows: https://www.youtube.com/watch?v=QgjqeDF9c50

Lenovo refused to replace the panel with a less atrocious SKU, claiming I could instead purchase it for a "mere" $600 USD(!)

Thankfully Australia has strong consumer protection laws and I was able to get the unit returned and refunded

Lenovo has got to be amongst the top, imho.
Lenovo P series workstations are also worth considering

I have a P72 and it is garbage. Plugged into a docking station it works OK as really expensive mid-range workstation. Trying to use it as a laptop causes the fans to spin like crazy, performance throttled to shit and the and battery life of maybe 90 minutes for even fairly modest workloads. The similarly specced Dell Precision I had before was much better in every way and was actually usable as a laptop.

The P5X series that many of my colleagues have seem much better.

>Trying to use it as a laptop causes the fans to spin like crazy, performance throttled to shit

So, just like macbook?

I was going to say - that does sound very much like my MacBook Pro.
The P4X series is also working quite well - I went with that for the smaller footprint. Since I mostly dock it, the smaller screen is acceptable for the limited amount of time I use it undocked.
I've got a P51. It's essentially always on fire and the fans are really loud.

Not sure I'd recommend it. Build quality is very good however.

P51S might have been a better choice then.
The P51S is "slim" and has poorer thermals than the P51. Why would it be a better choice?
It uses low-power components (U rather than H CPUs for example) and isn't capable of generating nearly as much heat, regardless of what you're asking it to do.
Switching from a core H to core U will cut your perf in half. I like my xps 13 but in all fairness it struggles to run Firefox with youtube+gmail+slack and Office open all at the same time. As someone who primarily uses beefy desktops, it feels about as snappy as a Core 2 Duo machines with DDR-400.
I sent my Lenovo in for warranty service for a faulty SSD ribbon cable and... they lost it. And they haven't replaced it. They've told me four times over the course of the last five months that I'll get a call in 3-5 business days. It has never come of course.

I know I'm not alone; even just in my circle there are two other stories of horrible mishaps with this company.

Lenovo makes some decent machines, sometimes, but their warranty service is not to be trusted.

Lenovo took around 100 days, within warranty period, to replace my motherboard of my Ideapad Y500 because the parts were not available. I am never buying any Lenovo product ever again.
I have always used their on-site service. Tech always comes out the next day and fixes the issue.
Big bonus of the proper "business" laptops also is support. Wouldn't want a work machine I rely on without on-site support anymore (of course ideally you want a machine that never needs support, but since you can't rely on that from anybody...)
Indeed. Worth looking at the Thinkpads with this as well. A lot of the 3 year old discarded corporate units still have a couple of years of warranty left on them and Lenovo actually honour it!
Interestingly, Apple covers more than sRGB, their panels are now being set to the broader DCI-P3 gamut. Whereas these laptops (at least in 2019) were slightly less than the sRGB gamut on testing. Except for the surface book,

https://imgur.com/a/6dGz3LO

I got these results from, https://www.notebookcheck.net/MSI-Prestige-15-A10SC-Laptop-R...

I got a 2019 Dell Precision 5540 with an UHD OLED, 3.840 x 2.160 and have 100% DCI-P3. And i think many other OLED Screens have it too.

When i configured the Laptop i could choose from these options:

FHD IGZO4, 1.920 x 1.080, 100% sRGB

UHD IGZO4, 3.840 x 2.160, 100% AdobeRGB Touch

UHD OLED, 3.840 x 2.160, 100% DCI-P3

Almost no displays get 100% when tested for gamut coverage. I'm not really sure why, I think it's some testing artefact. At this point (around 99% sRGB) what you should be looking at is coverage in larger gamuts (here 84.8% AdobeRGB).
> In the consumer world the Dell XPS [...] are the way to go for a designer

I have to use a Dell XPS 9560 and had two issues with it, most people never realize:

1. The Intel Thermal management driver is buggy so the device shuts off on very high-load tasks. You have to find the old driver on the internet and install it, and prevent windows from reverting to a new driver.

2. Only after two years of hanging connections and dropped UDP-packets I ran a speedtest and realized that this is not my home-internet being weird, but a systemic problem of the Wifi-card, which others have reported on the internet as well. Switched cards - getting windows to recognize the new one was difficult - and now I have normal Wifi.

Both of these issues are terrible for customers, and I still wish I wouldn't have ignored/overlooked the Wifi-issue for so long, as it interrupted work for a very long time.

Dell XPS 9360, good keyboard and touchpad, but my two issues, Dell software for updating drivers is just buggy. In general Dell can't write good consumer software.

Second is the same as yours, the Killer Wi-Fi is subpar. Can't keep a steady connection. Can trigger bluescreens if resuming without power cable and running Firefox (I think). Have not changed my Wi-Fi card yet.

I seriously recommend the switch. I went for an Intel ax200, costs about 50$, and my download speed went up 8 fold.
I got an XPS 15 7590 in part because I read that the "Killer" Wifi problems of old were finally fixed. Well not for me, after waking the laptop I have to manually disconnect and reconnect Wifi for it to work. Have not had time to contact support about it yet, but I'm very disappointed that they've stayed with "Killer Wifi" after the long history of problems.
I use MSI laptops almost exclusively although they're definitely wiped and reinstalled to win10 ltsc or freebsd.

In as much as I love the Mac touchpad for kanji/hanzi input the 2015 pro will probably be my last.

Try metabox. (https://www.metabox.com.au/). They have a wide range of laptops at various specs and prices and form factors and whatever else. A lot of the guys at work have started to switch to them and they feel nice to hold and fondle.

I'm currently in the same boat as you and my next machine will be from these guys when my (admittedly very new) Macbook Pro gives up or gets taken over by Apple.

> keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

Those are laptops with numeric keypads, the trackpad is still centred relative to the "main area" of the keyboard (the home row and in particular the rest keys - the two keys with a little bump, F and J on a QWERTY) but it is off-centre relative to the body of the laptop due to the presence of the keypad.

Macs don't have numpads so if you've always used Macs it's understandable that you're not familiar with this type of layout.

In any case that type of placement makes no difference while you are using the laptop, because keys and touchpad are still where they are supposed to be relative to each other.

I use my laptop on my lap, and usually when I sit with my hands folded in my lap, my hands fall along the center axis of my body. We are bilaterally symmetrical beings (with some internal asymmetries).

So unless I scoot the laptop off-axis or I have to move my hands off axis to type.

I'm unsure how this isn't unergonomic. It's not something to get used to. It's bad design. Period.

If you're using a laptop on your lap you've already given away any chance of ergonomic comfort.
Yes this is true, I see your point, with a laptop on your lap, in order to balance its weight optimally, you need to centre it relative to its mass, not relative to the hands rest position (F and J keys) so then when you have to type you need to move your hands sideways and it's not very ergonomic.
Yes this has always annoyed me; having it centred under the keyboard makes no sense except in some weird universe where everybody uses only their thumbs to operate the trackpad. Trackpad alignment was one of the major causes of my RSI due to the horrible bend in the wrist it causes.

I haven't used a Mac in years but the one thing they always nailed was the trackpad. It's big and actually centred on the laptop body.

I think it depends on how much you type. If you type most of the time, your hands will tend to stay centred on the keyboard. Of course this is highly variable based on so many factors...
A lot of laptops, Dell for example, offset the touch pad to the left even though there is no keypad. You might be right that these are technically centered on the q to p span of the keyboard.

https://upload.wikimedia.org/wikipedia/commons/thumb/b/b4/De...

https://i.pcmag.com/imagery/reviews/05RhNkV9HnULG0LW4YRfKzZ-...

https://www.tec-int.com/media/catalog/product/cache/2/image/...

Good eye! I had never noticed those before. Yes I think those are centred to j and f. on the Macbook Pro I'm using right now, if you look carefully, the touchpad is centred relative to the body but it is slightly off centre relative to the home row.
But you want to align the keyboard and the touchpad with the vertical axis of your body so you end up with 2/3 of the screen to your right. That's why I'm advocating no number pads on laptops.
I’d rather align myself with the screen, otherwise I’m mostly constantly looking towards a slight right, which is a terrible twist for the spine.

It’s much easier and more comfortable to adjust my hands over a slightly offset keyboard.

Is this what you're actually doing?

I gave it a try for one minute when I unpacked my new laptop in 2014 and I immediately shifted it to the right: typing as you suggest was terrible for wrists, shoulders and probably the spine.

My workaround: I move the windows I work more often (eg: the editor) to the left part of the screen.

To be fair: there is no way to fix an ergonomically broken design. There are only mitigations and those a probably subjective: everybody is a little different and muscles/skeletons/etc can accommodate different twists.

Their SSL certificate revocation server (the default for macOS) goes down an you try to tie it to Apple Silicon being created to lock-in users? I understand the feelings people have about this but today's failure seems orthogonal.
It's just one of many recent actions that they've taken that have made people wary. The changes to app signing in recent OS X versions was another example of this
> they can simply toggle a switch for all users to "no unsigned binaries"

That switch was toggled with Big Sur and Apple silicon: https://mjtsai.com/blog/2020/08/19/apple-silicon-macs-to-req...

While true, that doesn't mean that an Apple-controlled key decides which apps will run:

> There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker. This new behavior doesn’t change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Apple silicon Mac computers and enable the system to better detect code modifications.

(Source is the link you provided.)

Thinkpads. Lenovo is far from perfect, but they have been good stewards of the brand.
I like Lenovo ThinkPads and even IdeaPads (I own one for personal use) but I do hesitate dealing with potential Chinese spyware from the factory for work uses.
Manjaro GNOME on any of the Thinkpad models.

I switched away from Macbook Pro about a year ago, after using Apple hardware for about a decade.

It's working great, GNOME interface is solid and productive, Manjaro and AUR libraries just work. Highly recommend making the move, sooner the better as I'm sure you see the writing on the wall.

(comment deleted)
I agree with you that Apple is doing way too much to restrict users. But I also agree with Craig in that I don't see how Apple silicon is useful for them in helping to restrict users.
It is useful as a justification. Not from a technical point of view, but just to support the pathway they have planned and the story around it.
How is it useful as a justification? I don't see how forced signature verification can be more easily justified on a M1 Mac than on an Intel Mac.
Yet mandatory signing of binaries is enabled on the ARM build.

It is basically a milestone; since new binaries are needed, they might be as well as signed.

X1 Yoga 4 is what I went with recently when my 2016 macbook pro died for the 4th time since owning it.

Its very similar to the x1 carbon but converts to a tablet and it has an aluminum body.

I can't say I'm out of the apple ecosystem entirely, but I decided to spend my money elsewhere given the abysmal quality of the macbook pro line these days.

Get a Thinkpad, P-series, lots of options. Run Fedora on it. Great machines, great keyboard, 4k screens, good color, goot battery life, lightweight. Everything works. Mac-level price, and worth it.
Aren’t those all huge?
If you think so, then I recommend you get an X-series instead.
I have a 15" MacBook Pro and I like it just fine.
P1 Gen 3 is 0.72" x 14.24" x 9.67", compared to the 2019 15" MBP which is 0.61" x 13.75" x 9.48". Slightly larger? Sure, but I wouldn't call it "huge" if the 15" MBP is what you're used to. It's only 0.11" thicker than the MBP and half an inch longer. (And it weighs less.)
I would like to get a thinkpad, but I'm not sure Lenovo can be trusted any more than Apple can, especially since Apple atleast pretends to care about customer security.

https://slate.com/technology/2015/02/lenovo-superfish-scanda...

That would be a worry. At least the people using Apple cares and tell you. And observe them very closely.
Lenovo is junk for anything but business class laptops. That the thinkpads X P W and T. The rest is the disposable, unrepairable, bloated junk you’d expect from consumer level products.
Seems like I am working since four years now on my junk Lenovo Yoga 13 under Manjaro and didn't realize that.
Don’t feel bad, Lenovo intentionally blurs the line by calling everything a thinkpad. But they’re not all the same.
"Disposable, unrepairable, bloated junk" describes pretty much all non-business laptops these days. I don't think Lenovo is special (and the Yoga often reviews as "good for the price")
I work with thousands of their business class Thinkpads and they are also junk. They seem made for corporations to just churn through. I see harware/bios bugs that carry through generations.
Could be. I stopped at the 2011 and 2013 variants. Still powerful enough for me, cheap to repair, and the intel me can be entirely erased/corebooted. I don’t know about the more recent business class TP.
Well, if you immediately overwrite the hard drive of the machine with some Linux variant (as I think the GP implie), I think it will solve a lot of problems like this from any manufacturer.
No it doesn’t. If memory serves, Lenovo rootkits have been in the UEFI firmware which auto-install hooks into the OS after boot.

Linux is not magically immune to this attack. One could argue it is more susceptible than other OS due to lack of binary signature checks on executables at runtime (at least by default).

How is 4K support and fractional scaling? Does it work well?
In my experience, fractional scaling and 4k support is finally fine on at least whatever GNOME and Wayland Ubuntu 20.04 ships with, with two major caveats:

* Chromium-based applications (the browser and Electron apps like VS Code) still don't know how to render themselves with fractional scaling and end up ever so slightly blurry (but correct sized) on fractionally scaled displays. Think like very old applications (like Control Panel) on Windows 10. I use Firefox so it doesn't bother me that much. There's a issue in Chromium bug tracker following this, but I can't find it right now.

* Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.

Cool, I don’t use chrome or VSCode or chromium apps. And no ms teams or google meet either. Sounds like limitations I could live with.
> Chromium-based applications (the browser and Electron apps like VS Code)

This is most likely because they don't support Wayland. The scaling with XWayland doesn't really work great a lot of the time.

I don't use scaling for my 4K monitor, and just set text sizes larger. It feels a bit weird for a while but eventually it's actually quite a nice balance where the content is relatively larger vs. the chrome.

> * Screen sharing full screen or other windows than browser tabs doesn't work on Google Meet / MS Teams. This is and has been an issue in Wayland since forever.

Chrome has experimental Pipewire support; enable it in here: chrome://flags/#enable-webrtc-pipewire-capturer

Firefox (at least on Fedora) has enabled it out of the box.

Good battery life? You must be joking? Less then 4 hours of light usage on x1 carbon gen 8. No hibernation.
I think you should stick to Apple, frankly. Every time Apple comes up with something new (or just a new software release), people come out of their sheds to warn about all the bad things that will happen.

And then almost none of those bad things happen. I've witnessed this dozens of times now, so a safe interpretation would be to assume that this time none of those things happen.

Not running 32bit code anymore die definitely happen
And it couldn't have happened sooner.

Do you want to be burdened with layers of backwards compatibility and end up like POSIX or Autoconf with provisions for things that once run on some long forgotten UNIX OS version?

32 bit support certainly isn't going to Bury you in backwards compatibility. It just runs
Just runs with 2 versions of the same library (32/64), and with older programs that can't take advantage of 64bit ABI / arch changes...
It was rumored for like a decade. The last 32-bit computers were sold in something like 2007-2008? High Sierra started throwing warnings when you launched 32-bit apps. In 2018, they announced Mojave would be the last version to support them. Mojave just got an update yesterday and will likely get updates for at least another year. So nobody has been forced out yet.

I'm aware end users with discontinued software were forced into some no-win choices. But as an ecosystem, it's one example where this happened and was given a ~15 year possible window and an explicit 4 year window to transition.

Except bad things did happen. Like their capricious application of Appstore “guidelines”; the increasing difficulty of running software on Mac where the developer won’t pay Apple a tithe; the drop in Linux support for the platform, as they locked it down more and more at hardware level; the imposition of their authentication and payment portals (and hence 30% taxes all around) on web apps... etc etc etc.

We have been effectively boiled like obedient frogs.

I love macOS but my next laptop won’t be a mac and my next phone won’t be an iPhone. Divesting from the ecosystem will be painful but we’re well past any grace period at this point.

I have not experienced any difficulties in installing or running apps from outside the Mac app store (if that’s what you mean by paying Apple a tithe).
First they restricted execution of unsigned binaries unless you run in a substantially-unprotected mode: https://github.molgen.mpg.de/pages/bs/macOSnotes/mac/mac_pro...

Then they disabled execution of all unsigned binaries. To run on a default Mac, you either pay Apple or compile on the user's own machine which is obviously unsustainable. https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-...

They've also removed any 32bit support, in case you could make do with old programs that don't make Apple some money.

I'm still on Mojave and will not upgrade. Personally, my last MBP was bought in 2016 and I have no intention of getting another one as long as they continue exploiting developers and the public in this way.

> To run on a default Mac, you either pay Apple or compile on the user's own machine

This is not true. Apple silicon runs code with any signature, even an ad-hoc one.

What exactly do you mean ad-hoc? Can my friend without an apple account compile an executable with GCC send it to me and I can run it on my new Apple Macbook?
(comment deleted)
"I love macOS but my next laptop won’t be a mac and my next phone won’t be an iPhone. Divesting from the ecosystem will be painful but we’re well past any grace period at this point. "

same here. I hope this will lead to a leap in quality in alternative mobile & desktop OSes, because at the moment the situation looks pretty bad.

I’d suggest using a Mac until it doesn’t actually work. Then you can find a new computer to compromise with.
My ASUS Zenbook has been solid ! But the macs are definitely prettier.
> I'm trying to find a laptop with good build quality, long battery life, a good display that I can design on, a good trackpad

Sounds like you might want a Microsoft surface (or surface book).

Not sure about the TouchPad - but at least there's a pen for drawing on the screen.

My Huawei Matebook Pro has been everything I wanted in a Mac, in a way I couldn't get from Apple.

Pros that Macbooks don't have: USB-A (along with USB-C), no touch bar, 3:2 screen, can enable secure boot if I choose so feel like I'll be able to run whatever I want on it, replaceable SSD, etc.

Pros that Macbooks also have: still has a great build quality, full day battery

Cons that both have: Non replaceable RAM

My huawei matebook pro is the best laptop I've ever owned.

The only downside is that I have Windows 10 on it, and considering Microsoft actively destorys user data and has for 15+ years as company policy...I won't use it for serious work, only entertainment. :(

User state is also a time investment, so rebooting and destorying this is not ok even if all files by some stroke of luck were saved first

Are you not worried about your data going to China? Huawei looks indeed great, but I would never use it. Maybe if there was a way to replace components with ones from legitimate source like Mouser or digikey, to ensure there is no spying going on.
I think a firmware- or hardware-level exfiltration system that works anywhere would be valuable enough that they are not likely to burn it by putting it in systems sold widely to consumers, where it would only be a matter of time before it was detected. Unless monocasa is someone fairly important, that is!

  > 3:2 screen
I'm sold on the screen alone. Thank you!
I can second this, I'm on the Matebook 14 2020 with the Ryzen 7 I think rather than the Pro. But after a dreadful run of luck with the XPS15, the Matebook (so far) is an amazing bit of kit for almost half the price.

It feels like if they play the next iteration right Huawei could blow most of the top end out the water, there's so little choice at the top end and they all seem riddled with build quality, hardware or software issues.

I'm glad I took the risk on the Huawei and I don't really regard the Chinese spying moral panic as an issue. If they want to spy on you I'm sure there's far easier ways online than trying to backdoor a highly scrutinised laptop.

NotebookCheck is a great website for laptop reviews. They even get into the nitty-gritty details of display calibration, input devices, power consumption, etc.

Here's a list of the laptops with the best displays: https://www.notebookcheck.net/The-Best-Notebooks-with-the-Be...

And here's a list of general multimedia laptops that would be roughly equivalent to a MacBook Pro: https://www.notebookcheck.net/Notebookcheck-s-Top-10-Multime...

I find that their reviews are amazing but their "top 10" lists are lacking. Their search: https://www.notebookcheck.net/Search.8222.0.html is marginally better, but in general, they're for researching specific models, not finding models, imo.

Edit to add: The other thing is that for their percentage laptop score, you should generally subtract 80 and multiply by 10. I've never seen them review a laptop below 60% or above 92%.

Re colour accuracy, checkout thinkpads, they even come with a colour calibration sensor so you can have them autocalibrate daily/weekly or whatever suits you.
> edit - It's also really hard as a designer + developer + would-be researcher in the making to find a good computer.

I woukld agree on desginer.

Absolutely not on developer or researcher.

Actually MacOS is for the reasons you mentioned incredibly developer-unfriendly (unless you target is of course the iOS ecosystem).

And for research there is no better platform but Linux. Unless you are in clicky-colorful frontend applications where I would doubt you are doing serious research.

Wow so many words to just say “this product isn’t for me”
The only tool in that video you linked to is that dishonest cheerleader Gruber.
Dell XPS have an option for a fantastic 4K screen. After calibration it's better than the Retina screen on my 2013 MBP.
I don't know why they don't use a 2560x1440 for the 13" model
I have the 4K version. You can’t use it, you have to downscale to 1440p because you get lag at 4K. They released a 4K laptop that isn’t powerful enough to run at 4K.
I don't have any problems with the video. Are you trying to game on it?

Laptops and gaming is a terrible combination because of the thermals.

It's hard to say who is now Apple's target audience. It seems like their products are ideal for people who don't know much about IT and just want to watch a video or edit their holiday photos and maybe create a CV and will probably never go beyond that. Other people still enjoy Macs from 2012, but things are moving on when you look at desktop PC and what you can do. Apple looks more and more dumbed down.
It's like being trapped in a beautiful plastic cage. I used a MacBook Air (2012) for years as my primary development machine and really loved a lot about it, and it had some fantastic apps in the environment like QuickSilver, especially since it just worked compared to some of the Linux distros I had before that. But I'm glad I jumped ship when mine went obsolete.
>> It's like being trapped in a beautiful plastic cage.

To be fair, it's like being trapped in a silver gray aluminum cage with uniform body and irreplaceable bars. I wish more companies would make a PC laptop that doesn't suck aesthetically. Even when they use aluminum, most PC manufacturers don't spend much time on designing a good keyboard (arrow keys not having the same shape comes to mind.)

The feel of the keyboard is far, far more important to me than the look. Lenovo Thinkpads (business class, not the consumer ones chasing after the foolish "thin" trend) are the only ones that have are the only ones that have a reasonable shape and response. This includes Apple, which tends to be one of the worst offenders in the feel of a keyboard. I want to have some amount of vertical movement to the keys, not to jam my fingers into a hard surface repeatedly.
I understand people doing live music with it. Think about what would happen if Windows forces you to update during your performance^^

Graphic designers because the nice display...

Otherwise i don't get it. I think for most other people it's a status symbol ;)

I especially don't understand why IT affine people buy it. Just buy DELL, HP, Lenovo, Alienware and install linux. Gives you more bang for the buck...

Very small audiance, but people with bad vision do enjoy the good displays on their machines and the GREAT built in zoom in OSX. Zoom in Windows is a joke.

Unfortunatly Linux isn't really an option just yet for a lot of us.

> their keyboard + trackpad alignment is wonky (it's off-center in a lot of cases! How weird is that???)

Buy something without a number pad. Unfortunately most 15" laptops do have one.

If anybody from HP is reading this, I'll pay an extra for a keyboard without number pad on your 15" ZBooks with 3 buttons on the touchpad. Space bar and touchpad aligned with the center of the screen please.

Wow, the way Craig is laughing at the question and so dismissive of it is really insulting. Maybe it's the more casual nature of the interview/discussion, but this really is the crappy icing on the cake of Mac users' continuously-declining control over the machines they spend their hard-earned money on. "Where do you even begin to come up with that theory"?? I mean, maybe we're seeing the gradual hampering of control over our computer with every OS X release in the past 5-10 years?
Huawei Matebook X Pro. A friend has one, 2019 model. Runs Ubuntu on it.

Trackpad is as good as it gets outside Apple, I'd say.

The display looks gorgeous. Can't say about color accuracy/fidelity though.

> Oh and it shouldn't be more expensive than a Mac as many of these laptops are!

Clearly there's no need to jump ship if it's more expensive on the other side.

Assuming you were going for a Macbook Pro "15 for 2399$

Recommendations for linux laptops (or checkout https://linuxpreloaded.com/ ):

* Tuxedo https://www.tuxedocomputers.com

~1000$ 1.5kg, Their "15, 1080p flagship is configurable with AMD Ryzen 7 4700U, 32GB RAM, 500GB M.2

They also have more expensive versions with 4k OLED displays if that's what you're into. Also "13.

* KDE Slimbook https://slimbook.es/en/store/slimbook-kde/kde-slimbook-15-co...

~1200$ 1.5kg, "15, 1080p, AMD Ryzen 4800 H, 32GB RAM, 500GB NVMe

* System76 https://system76.com/laptops/gaze15/configure

~1350$ 2.2kg, 15", 1080p, i7-10750H, 32GB DDR4, 500GB NVMe

* Purism http://shop.puri.sm/shop/librem-15

They're trying to become and opensource Apple --> high prices, own linux distro, trying to make their own ecosystem, etc.

~2000$ 1.8kg, "15, 4K, Core i7 7500U (Kabylake), 32GB RAM, 500GB NVMe

(comment deleted)
>Apple can now make their machine reject a new, third-party repair part like a bad transplant. Should they choose to.

It seems the iPhone 12 is already rejecting non-original parts, even if the part comes from another iPhone 12: https://news.ycombinator.com/item?id=24924761

Get a Thinkpad. I replaced a 2015 MacBook Pro with a Thinkpad P1 Gen2 and love it. The trackpad isn’t as nice. The keyboard is better. Running WSL2 you have a great Unixy development environment in Windows. Or just install Linux. As thin and light as a MacBook Pro. Much better thermals, though still not awesome. Other, somewhat larger Thinkpads have better thermals. You can upgrade your RAM, add 2 SSDs and other peripherals like a 4G card etc if you like. Thinkpads come with fantastic service. Next business day on-site repair including for accidental damage and they mean it. Looks: It’s the design Apple copied for their very first laptops and is IMO better looking. They got it right the first time and haven’t changed it materially. Built like a tank. Not quite a tough book but they will take some abuse.
If I got a Thinkpad I'd switch to Linux. I absolutely can't stand the Windows UI.
My thinkpad works very well with linux, I recommend Zorin or Arch
How do you run photoshop?
Photoshop works pretty well in Wine, and Windows runs quickly using KVM.

Linux also has native support for hardware pass-through if your machine has an IOMMU, so you can give virtual machines direct access to graphics cards and get GPU acceleration in your VM, along with USB devices, etc. VirtIO is built into the kernel and can provide you with paravirtualized network and storage access, which can speed things up considerably.

Arch is only a recommendation for people with a fair bit of experience. I have some experience, and I still needed to check some webpages to find out what I was missing when I tried installing Arch as the official manual doesn't spell out every step that is needed.

For "easy" for people who don't have time or experience, I would instead recommend Pop!_OS https://pop.system76.com/ flash a liveusb stick and you can try it out on your hardware without needing to install it first.

If the only concern is the install process, I would recommend Manjaro. It has its own installer, but you still get the powerful pacman package manager and the Arch repositories which are the most cutting-edge around.
I've had Manjaro bork itself a couple of times. I'd recommend against it.
Arch is neat, and their documentation and forums are amazingly great. However, I have zero desire to be my laptop's sysadmin. Pop! OS runs great on my Thinkpad.
If you have a simple setup and friendly hardware (e.g. all Intel), the sysadmin burden is super low.

In this regard, only NixOS compares. Even macOS is much much worse, as you need to go through upgrades. I have used the same Arch install for 8 years.

I've been using Ubuntu for over a decade because my days of fiddling with my computer to get things to work are over. In general, Ubuntu just works without much configuration on the user's end.

I've noticed a trend where people who are new to Linux will jump on Arch because they believe it'll give them more power, or that they'll learn more by using it. Or people will install Kali because they think it is what hackers use, and completely miss the fact that Kali isn't meant to be installed at all.

It's all Linux under the hood, and you get the same amount of power no matter which distro you use. And when you use a distro with sane defaults like Ubuntu, you're able to dig into the internals whenever it suits you, and not because an update broke your computer.

The biggest problem with Linux is not enough people use it so you run into all kinds of edge cases with hardware and software. I just stick with Ubuntu because it's the most popular, so the most likely someone bumps their head on the problem before I do, and maybe I find their stack exchange question or bug report when I search.

I've been very happy with Ubuntu 20.04. Not without issues, but overall it's been quite stable and snappy (pun intended) and I prefer it to macos and windows.

Linux UI is far worse than Windows. It's not even close. I use Linux but definitely not for its UI.

Windows can out-of-the-box do HiDPI, multiple monitors, multiple desktops, trackpad gestures, hardware accelerated UI rendering, facial recognition logins, and more. It was designed as a desktop OS.

On Linux some things are getting better if you stick to the Wayland+GNOME stack, but it's still so bad I can't recommend it to people on technical grounds. Use it if you believe in free software, not because you think it's "better" (it's not).

I am seriously wondering why Linux UI development is lagging so much considering it’s at the forefront of many developments, and probably with the worlds best devs using Linux. I can only come up with that it’s console centered approach doesn’t attract a lot of UX designers of caliber to take it to a new level.
Most of the money being thrown at Linux is to make it better on a server. The laptop/desktop market is dominated by Microsoft, with Apple a distant second.
I have that exact laptop (work provided) and I’m not a fan. Trackpad is OK but not nearly as good as my Mac. 4K display sometimes looks amazing but the color accuracy is terrible and there’s a weird speckle texture that I assume comes from the touch overlay. I have a thunderbolt dock that supplies 85w of power but the machine refuses to charge from it and requires connecting the huge external power supply. But the worst part is I’ve gone through several incidents where some update occurred (never could narrow it down to one in particular) and I started getting multiple blue screens a day.

Edit: forgot one more annoyance. The laptop seems to frequently power off completely overnight even though it should just be sleeping/hibernating.

I am still suprised by the number of people that want trackpad's

If lenovo would come out with a laptop with no trackpad I would be the first to order it, I normally disable the track pad completely..

Traditional mouse or even a trackball are far far better

On my Macs I have always used both mouse and trackpad. When I use a PC like the thinkpad I usually ignore the trackpad.
> I am still suprised by the number of people that want trackpad's

I occasionally have need to use a laptop in conditions where a mouse is inconvenient, so i prefer to have a trackpad, but I find that even the best trackpad is far inferior to a mouse. (Trackball, at least the kind that gets integrated into a laptop, isn't an improvement, IMO over a trackpad.)

Never had a blue screen. Haven’t had the power off problem though there is a distinction between regular sleep and deep sleep. When coming out of deep sleep it boots up like normal and restores RAM from disk. Don’t have a touch screen but have the highest end, non-touch 4K screen Lenovo offered. They also offered a very good HD screen and a not so good 4K screen. Display is not as good as on a Mac but this is more a Windows problem than a hardware problem. If color calibration is an issue, you could have had them calibrate it for you for 25 bucks when you ordered it. I believe Lenovo support can send someone to calibrate later on too for a somewhat higher fee.
(comment deleted)
Lenovo was caught 3 times installing spyware on their machines. I don’t know why people forgive that
Because any self-respecting developer will reformat and reinstall Windows or ideally Linux and problem solved, no spyware.
I don't think there's a one-sized-fits-all solution without something custom and extremely expensive ($15k+). Maybe a Lenovo T480 for most purposes and a dedicated second screen for color correctness? I had a Dell Studio XPS 1645 with an RGBLED screen with an insane gamut. It begs the question: Why aren't such screens widely available?
What about getting a T480 and replacing the screen itself? You can find a decent one for ~$400 USD, and a 1080p or WQHD screen for another $100.

As for screen availability, I think it's more to do with the fact that these are business computers. Lenovo only recently started blurring the line between their premium and business class devices.

I think every post-Haswell ThinkPad comes with a 720p screen in it's default configuration. At least up until Tx90/5 series.

>it's off-center in a lot of cases! How weird is that

It is off center if they have a number pad to the right of the normal keyboard layout. At first glance it looks weird, but it is 100% what you would want if you were using the laptop. Otherwise the trackpad would end up being right over where your right wrist is.

I just gotta say that I don’t think it’s clear where they are going. You are of course free to do however you like. And if you are leaving because of what they already have done, that’s reasonable, but if you are leaving because of what you are guessing that they might do tomorrow, is that really wise? I mean even with the ARM switch won’t it be as easy to switch to win/linux intel after a year if you are not satisfied?

I don’t like the boot thing either, and it’s a bit scary not being on intel as everyone else is right now, but I also think ARM feels really interesting and it might turn out to be a great new platform!

Edit: i mean it is not like they never listen, they did take bake the mac pro, they did fix the keyboards, you have cli tools to make a lot of changes in how macos works, etc. Of course I would like hundreds of things to be different, but I believe that is true of all platforms.

You can disable this behaviour by listing terminal under Dev tools, and launching from there.
The Dell XPS line is my recommendation. But it’s not that much cheaper than the Mac equivalents
System76 may be good
I have one. It’s not the finest quality hardware (rebranded Clevo I’m told)but it’s lasted and the os has been trouble free. I’d get another.

The onyx pro model, it’s not great on battery when using the nvidia graphics but it can play 3D games via steam.

I do kinda like the pop! Os Linux distro.

Buy an Intel Macbook Pro and boot Linux.
Then you don't get to use what is probably the biggest selling point of MBPs, their patented touchpad and gestures.
Do you _really_ need a laptop? That's my solution to the problem of no good Linux laptops. I've got a desktop at home now, and when I go back to the office, I'll pick up a mini desktop. I'll keep an old MacBook in a drawer if I need to take it into a meeting. When I used laptops only, they were just plugged into a monitor/keyboard/mouse at all times anyway.
What would make a good linux laptop for you?
One that reliably goes to sleep when i close the lid and then wakes up again when i open the lid.

Wifi that works... Audio that works... Plugging in and out external monitors that work... Netflix/Youtube in HD without burning the cpu and draining all battery

Basic hygiene essentially.

I use linux on a laptop every day for the past years and have tried Dell, HP, Lenovo, Asus, Ubuntu, Arch, Mint. Lately things are working, but only most of the time, never really really 100% as a Windows/OSX machine does. You always have to live with those 1/20 times sleep did not wake up or oh time to reinstall pulseaudio again for microphone to work.

We need new touchpad drivers (which are in the works) and screen resolutions that work at either 1x or 2x, not something in between.
I really like my surface book. They are priced like MacBook pros (and spec'd like them too). The track pad is great, the pen input and detachable screen come in handy more than I'd have guessed when I first switched.

Apple has a pretty broad utility patent around their trackpads, which requires other manufacturers to work around what would seem like pretty obvious things.

PDF: http://assets.sbnation.com/assets/2017767/USD674382S1.pdf

Over the generations, I have had three Macbooks, four Vaios, a ThinkPad, a HP, multiple ASUS and Huawei. Most of the devices I have killed by travel: dust infiltration, vibrated the BGA chips off the boards by motorbike vibrations..

My requirements have all been fulfilled with the Huawei MateBook X Pro.

You could say it's heavily inspired by the MacBook. Aluminum case. Chiclet keyboard with decent travel. 2000x3000 display (2:3 ratio!). Awesome trackpad. Good battery life. Portable. Solid. 2x USB-C and 1x USB-A. Sustained multiple drops.

For context, I am able to pull solid 12-hour days on the device, without a mouse, without fatigue or frustration.

Cheaper than a MacBook. Might be worth a look.

But then you have to buy a Huawei ...

Not the best idea security and privacy wise.

I was skeptical initially. The laptop has been dissected and scrutinized by multiple people with nothing suspect discovered. On the other hand - which brand is safe ? Thinkpad has installed rootkits multiple times. Until there's proof to the otherwise, I think it's worth withholding preconceived ideas.

In any case, everyone has their own level of comfort, and that's important.

Owning a Lenovo X1 Carbon 7th gen, 2019, 4K screen, 16GB RAM. extremely impressed with the hardware, running Linux Mint and going to move to Manjaro. Initially i tried PopOS! but they removed from Gnome the intermediate scaling (1.5X) of the UI, just like in MacOS you have Display - Scaled options. I really like the per monitor setting which you don't have in Linux. (or i didn't research enough); e.g. More space on main display (external 4k monitor) and Larger Text on the macbook screen. I'm also jumping ship due to the worst experience i had in 25 years dealing with technology, 1 month to replace a swollen battery with a 3rd party repair service. Apple throws now all this "complex" hardware issues to 3rd parties since their employees are pressuring them not to execute hazardous repairs in their own "centers"
> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

That's another case of a product not doing its primary function - OS running apps - because company placed their own (data gathering) objective above it. See thermostats not turning on heat when the internet connection is down and other equally stupid examples...

See also: all electric vehicles (except a few very old designs).
Tesla is not all electric vehicles.

My Twizy and Ioniq haven't got a single touch of data gathering neither a SIM card/wifi connectivity.

Pretty sure Apple is doing this for security reasons, not data gathering reasons.
Well, security starts with Availability.

Otherwise, my car is very secure when I never use it. Like, totally. Flying also has become very very much safer.

Edit: is/use/

Please. It's just data gathering. Security doesn't means giving away privacy.
Correct, I believe the main intent is to stop worms and ransomware.
Like most times in life intent is not relevant. Actions are.

Nobody cares what you intended, they care how you actually affect them.

Fair enough.

What actions on Apple's part have tangibly compromised their user's privacy?

and people was shocked at Windows 10 doing telemetry. MacOS isn't doing it better as I see
Ha! So that's what it was. Last night (I just woke up in the UK) my macbook pro started to crawl, I started to threat that it might be the SSD starting to fail.
There is a mistake here. It should be “ocsp.apple.com”
That oscp server must be compiling a huge set of stats on application usage. That doesn't sound right, privacy-wise.
It probably just gets a fingerprint, or the cert’ information.

But when the endpoint is dying and it gets called every time you try to run any binary…

Welp, I won't be updating today then, not unless they fix that.
The server is called OSCP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.

So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?

Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.

Here's an idea: log all opened binaries somewhere and then every hour or so check them against the list.

Never block me from opening something, but warn me about bad stuff on a regular basis.

They could also keep the current solution and just use a CRL as a backup to OCSP to check the revoked certificates and update it every other hour...
Yes but with your solution if an app is malicious, and did malicious things, it now has a whole hour to fuck your shit up before being disabled.
Here's a wild idea: don't block executables from running.

Or if you do, only do it for a set of known bad ones, as antivirus products do.

Do not put a cloud service (or anything for that matter) between the users and their ability to run what they want.

Sure but how does that work? If a cert-revoked app is allowed to run, the damage is already done.

I think perhaps a better tradeoff would be if a revocation list could be synced hourly or so and the app could be checked sync locally and then asyncronously on open. And of course, always give the power user an option to ignore things.

Why isn't apple doing OCSP stapling & caching? Reverse proxies have long since solved OCSP availability with stapling and caching.
Currently the workaround seems to be /etc/hosts override or firewall-level blocking.

Just a small reminder that this can soon stop working: Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur - https://news.ycombinator.com/item?id=24838816

Will they prevent changing hosts file as well?
It's more likely that their will be an Apple-only private API that uses /private/etc/hosts which already exists, but is editable (for now) instead of /etc/hosts.
This might be a stupid question, but is there a downside to blocking this "feature"? I can't think of any.

I've been using Big Sur beta for some time and one of the things that annoyed me a bit was the sudden lack of responsiveness, which is a tad annoying given that I upgraded to a 16inch MBP earlier this year and everything felt so snappy.

OCSP not OSCP

You can also run these commands to disable ocsp (and crl) since it can no longer be accomplished in Keychain Access → Preferences:

  defaults write /Library/Preferences/com.apple.security.revocation.plist CRLStyle None
  defaults write /Library/Preferences/com.apple.security.revocation.plist OCSPStyle None
  defaults write com.apple.security.revocation.plist CRLStyle None
  defaults write com.apple.security.revocation.plist OCSPStyle None
I had both my personal and work laptop become unresponsive at the same time. I was wondering what kind of problem could cause that - was thinking EM interference or possibly something on my network. This explains it.
(comment deleted)
ocsp.apple.com also has an IPv6 address. Firefox connects to it even with 0.0.0.0 in the hosts file and a flushed cache (you need to also clear firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the ocsp site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.

Disable IPv6: sudo networksetup -setv6off Wi-Fi (where Wi-Fi is the name of the network service)

Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling ipv6 all together, but admittedly I've never worked with ipv6 networking on Macs.

Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.

[1]: https://www.unix.com/man-page/FreeBSD/8/ipfw/

Just to confirm: Yes, that works fine. It's probably the better solution here.
My MacBook is basically unusable right now. This appears to be the reason. Is there any way to fix it without installing little snitch?

Edit: working as usual now, moments after i wrote this. But seriously Apple, how can you allow this to happen? Your services hanging should _never_ prevent my device from running things locally. This is seriously making me reconsider my next computer purchase.

Apparently you can set ocsp.apple.com to 127.0.0.1 in your /etc/hosts

This is really terrible, but at least the workaround is simple.

Add the `127.0.0.1 ocsp.apple.com` line to your /etc/hosts file.
Thank you, this fixed it for me. (What a mess!)
Turn off your internet, open the app, turn it back on.
I'm laughing so hard at this right now.

And people somehow still love their macs...

Because Windows is so much better?
It doesn't have this particular failure mode, at least.
Both Linux and Windows perform similar checks.
I'm sure Linux (the kernel) does not. I don't know of any Linux distro that does, but, I'd be curious if you can point to specifics.

If you could point to any documentation of Windows performing app-start OCSP checks, I'd love to learn more (and recant my earlier statement).

I assure you my Linux machines do not.
That's a rather extraordinary claim. It's really setting off my BS meter- Can you show us where the code is to do that in the Linux kernel?
Do you know of a Wireshark filter that will reveal this on Ubuntu? What you're saying doesn't sound credible, but to incentivize, here's the bet:

If you can provide a Wireshark filter that will show a certificate check on a vanilla Ubuntu 20.04 system when the following commands are executed in a bash shell, then I will donate $25 to a charity of your choice. Commands follow:

    cat <<HEREDOC >/tmp/file.c
    #include <stdio.h>

    int main() {
      printf("Hello World");
      return 0;
    }
    HEREDOC
    gcc /tmp/file.c -o /tmp/app
    /tmp/app
No, Linux does not.

Linux does provide application-level and per-application security, as well as sandboxes, but they exist to help the user and the user has complete control over them and their system.

The comment you are replying to states other OS' do not have this failure mode so your response is quite the non-sequitur, nevermind of questionable veracity (linux).
Users should not put up with this kind of thing, no matter what OS. Forced updates, online startup checks...all unacceptable in my opinion.

Imagine no car or train in the region starting because of a server outage. People would riot on the streets. But for some reason in the IT world this kind of crap is marketed as a feature.

I agree! I would love that.

However... Where can I buy a computer free of all of those issues?

Yeah because we’ve never seen windows or linux users have to perform crazy workarounds right.
This was my intuition!

I was in the middle of a call to fix a problem with a customer, I need to near-panic telling them MY computer was frozen.

Thanks Apple!

System76 is pretty great and they have amazing customer support. Plus between ProtonDB / Lutris you can run pretty much anything you want that needed Windows before.

https://system76.com/laptops

I use and love Linux, but come on man, that kind of statement does not help. Even with proton and friends, wine is not perfect. There will most likely be problems, and it's not a one to one transition. However, in my opinion, it is worth it, but there's no sense pretending there is no cost.
It's certainly not perfect, but it's good. If Windows-specific stuff is what's keeping someone from Linux, I'd encourage them to at least see if it works in Wine.
If you're willing to use Windows, honestly one of the better solutions today is to just run Windows 10 in a VM. It's even feasible to do this for video games with VFIO.
Given that they're using a MacBook they probably aren't using very much Windows specific software if any, so I don't know that Wine would be much of a factor.
It'd be cooler if they were called "system32". JK
I don't know if the slow downloads of Big Sur are related, but the underlying problem is that ocsp.apple.com[1] is fubar, and certificate revocation lookups are failing.

EDIT: This might indeed be Big Sur-release-day related. Most certificate revocation failures are "soft", but with ocsp.apple.com black-holed in /etc/hosts I can't resume downloading the update.

[1] https://twitter.com/lapcatsoftware/status/132699029641299148...

Talking about a cluster.

Now when I get my new mac, I'm going to find a way to opt out of this.

You should never, ever, install a MacOS update the moment it comes out. There is a high chance (> 30% from my experience) that something will be wrong with it. iOS too for that matter.

Wait for at least one week and check out other people's experiences first.

This applies to every Mac, with or without an update.
Not only Macs. “There is a high chance that something will be wrong with it” applies to almost all software of the size of modern OSes.
Yes, Windows 10 forced updates have broken so many things for me.
This.

To save yourself the headaches and frustrations, wait for the bug fix releases and updates to come first before installing this very first new release.

It makes no sense to immediately update the system and then risk your computer being rendered unusable with such bugs and problems whilst having a deadline hanging over your head.

I ran the beta over the summer and it was awful. I loved the changes but it was just unstable as hell. And people kept saying it was the most stable is yet, I don’t get it.
I’ve been running it as a daily driver since the first day of the developer betas and have found it to be vastly more stable than the previous version, with basically no issues before this.

I don’t know what to tell you, beyond the fact that all use cases are not the same, apparently.

Unstable in what way?
Having to restart every day. CPU was also pretty much pegged nonstop when in clamshell and connected to two monitors. Catalina doesn't do that.
Thats strange, I run 2 34" displays from mine and haven't seen that. Did you upgrade or clean install?

Must be an absolute nightmare trying to handle every possible configuration someones Mac could be in. I dont envy the devs.

> Wait for at least one week and check out other people's experiences first.

Of course if everyone does this, there is no experience upon which to draw.

Furthermore, the title is straight up wrong: this is not related to Big Sur and is in fact also affecting other versions with Gatekeeper.

The software quality of Apple is embarrassing. They have the money to hire the best of the best, and to do tons of manual QA yet their OS releases are always riddled with errors. Why is software the red-headed step-child of Apple?
This has nothing to do with a software update. I haven't updated anything and am still running into this. It's their online services that are the problem.
To elaborate on what others are saying, macOS has been doing this phone home for a while, it just looks like the server it phones home to started being _really slow_. So if you were offline, the software behaves fine, but if you're online, it blocks on getting a response.

Great example of how you should never block UX on network requests.

This was a problem on previous releases too.
It's same for any other OS. There's a reason Ubuntu won't try to update itself to the next LTS until it hits X.1.
This has nothing to do with the problem we're discussing.
Does anybody now how to disable all hashing on macOS? The best I could do was disable GateKeeper with `sudo spctl --master-disable`.
You can also disable code signing enforcement and amfi by adding the following boot args:

cs_enforcement_disable=1 amfi_get_out_of_my_way=1

Would anyone be able to explain more specifically how cs_enforcement_disable is is different from disabling Gatekeeper?
I believe GateKeeper only works on first launch.
Thanks, you can also disable library code signing validation too:

`sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool true`

Install another OS? *

There are some work around in this thread but in reality you don't know how and when Apple may choose to automatically re-enable it without your consent.

* You should probably just smack you Mac with a rock just to be sure ;)

The title is slightly misleading. ALL macs with a recent macOS (Catalina?) are freezing, since the security checks that happens when you launch a binary is down. Even if you don't update to Big Sur.
My Mojave was also affected.
Indeed, I was bouncing a session in Logic and even that crawled, activity monitor showed a blank screen when it finally opened and iterm2 was unresponsive. I thought the machine was under load but the fans weren't even on.
Yeah, that's the weird thing. CPU load etc. were all normal in the Activity Monitor.
(comment deleted)
You've got to be kidding me. When Apple's servers are down, all Macs worldwide start freezing randomly? My XCode is hanging during builds, is this why?

This code signing enforcement stuff has gone way too far. Heads should roll for this.

That's correct. AFAIK Catalina will check online for everything, even binaries you compile yourself.
wait what, how?
The behavior documented there is on FIRST run of a new executable.

You can like that behavior or find it unacceptable, but the issue in OP is not that, it was applying to executables that had already been launched plenty of times on the machine.

[deleted]
Microsoft Windows also uploads your private exe’s, and then runs them on Microsoft servers:

https://medium.com/sensorfu/how-my-application-ran-away-and-...

Holy Shit. That should be illegal. All it needs is one rogue employee to potentially steal trade secrets? And dont tell me MS employees never go rogue after the recent events...
Surely it's against copyright law
A law is only dealing with the consequences, it's not prevention.
> Surely it's against copyright law

It almost certainly is, but

1. You have to know it's happening before you can do anything about it

2. If your "work" isn't registered with the copyright office, you're limited to actual damages, which are probably close to $0

TL;DR: It's an option that can be disabled, unlike on Mac. Also doesn't lock up your PC if Apple's network is having a bad day.
Almost certainly so. Apple has built chains of certificate trust very deep into the OS, along with apparently an assumption that this particular revocation service check is reliable & fast enough to call out to the network a lot.
Oh man, imagining a DDOS to fail that over.

Imagine how many people would lost their productiveness, maybe not at the big corps or govt (I assume they use a version of mac that call somewhere else/don't). But very very many people.

Today I was late to join a corporate conference call. It took like 5 mins to start conferencing software.

First time ever I'm genuinely frustrated with apple - macs are not those unicorn tools anymore that work reliable

> Oh man, imagining a DDOS to fail that over.

That might be what we just saw happen.

Wait what happens if you don't have an internet connection? Can Macs not be used offline any more, surely that's still a relatively common use case for a laptop even today in a lot of places?
My understanding is that if you're offline, it skips this check and everything works fine. The reason this is a big deal is that the problem's on their end, so you're not offline, so it keeps trying and waiting instead of just letting you skip the check.
Unfortunately there’s not a way to differentiate “we’re online but Apple’s servers are having issues — probably fine” and “we’re online and something something is preventing us from talking to them — something nefarious might be happening.”
Local copy of whatever Apple is checking? Update that daily (on sign on or something). Not going to catch zero day type stuff, but better than making the laptop unusable.
I think the point is that that database is too large to store on a single machine which is why it has to be ad-hoc queried and cached. I mean it will have the signature of every program run on a Mac.
Funny how DNS has that same issue, and yet, we still decentralized it to a point, even if there is some inertia going on to keep it as centralized as possible.
I'm going to make a bold claim but Linus made a claim to this effect. Security is important but it cannot be the only main priority when designing systems. Apple's mistake here is probably the main story but more generally this attitude (letting systems spectacularly fail for the sake of hypothetical security) is foolish and results in rather terrible bugs like this.
That still seems weird. Why does running unrecognized software become safe when you're off line?
Yes, can someone clarify this? What the hell is going on here?
It doesn't become safe when you're offline, it's just that you're no worse off than you were. OCSP is s a certificate revocation protocol. It's only used for disabling certificates which were issued in good faith but now need to be revoked. Suppose Apple signs application X, and the signature is good for a year. Six months later, Apple discovers that application X contains malware, so they revoke the certificate. However, your computer doesn't know about the revocation until it checks the OCSP server, which requires you to be online. If you're offline, it just skips the check; the certificate wasn't revoked yesterday, so it's probably fine today too. The bug is that if you're connected to a network but can't contact the OCSP server (either because the OCSP server is down, or because you're not connected to the internet) then OSX keeps trying to connect and becomes sluggish and/or unresponsive. This is how we know that it's a defect rather than a deliberate choice; if they had decided to make the OS non−functional unless connected to the internet they would have done a better job of it.

It wouldn't surprise me if they one day wanted to require you to be online 100% of the time so that you can't skip the OCSP checks on applications, but I don't think that would go over very well. Apple wouldn't even be the first to produce applications that refuse to work if there's no internet connection. If you don't like the thought that they might one day spring this on you, I recommend investigating Linux.

It's a security theater
Thank you. Phrased perfectly.

It's an invasive restriction, cynically designed, poorly engineered and improperly managed, that impairs your ability to function.. masquerading as security.

macOS is my favorite OS, but I don't need to use it. I was so psyched reading about the new Macbooks, and I've had to walk all that excitement back now. I cannot invest in a computer that locks me out of my job if a cable gets cut by a maintenance crew in Cupertino.

I agree that it’s security theater and a suspect implementation, but I was playing a game of “let’s imagine why someone might do this...”—

I’m wondering, suppose it was designed this way because part of the goal is to prevent the spread of malware, the fastest means of which is an internet connected computer. In that event, the feature only intrudes when the computer, by virtue of it’s internet connection, is a member of the threat class.

So... plausible?

Apple built the computer; I exchanged money for the computer; now I own the computer.

Apple does not own the computer.

If Apple wants to own the computer, they can pay me instead.

They own the software.

You didn't pay for that. You licensed it from them.

That's a fair point that I hadn't considered, and I appreciate it. But I still feel like "ability to use your computer as a service" is not something I signed up for.
Plausible a la NSA, yeah?

I presume this setup wasn't public knowledge.

If you point the request at localhost, the problem resolves. This means that a cable getting cut in Cupertino won’t matter. It is a revocation protocol; it fails open.

The problem today is that not that the connection to the server failed, but that it succeeded very slowly. The result was an accidental denial of service on the client.

It is a bug, and an easily fixed one at that.

This particular issue is easy to work around for technical users; the _problem_ is the philosophy that made it possible.

This is the reason I can no longer use Apple computers - the continuous battle they are waging against the users freedom on all fronts - the anxiety of what they will do next to _my_ computer is too much.

Good luck finding a suitable replacement. Microsoft does unpredictable things to Windows. Linux maintainers do unpredictable things to all sorts of things.

Your only real recourse is to compile everything from source after a thorough review every time...

...or else trust someone.

Sure Apple had a problem here, but there are so many other reasons to trust them over any other org that I can't in good conscience switch platforms, because there's so much more anxiety elsewhere.

> Linux maintainers do unpredictable things to all sorts of things.

With Linux you don't have to worry about every program you launch being reported to the mothership, or that failure of the mothership to respond would cause your computer to not function.

If you're not reading all the source of everything you're running, any or all of it it absolutely could be reporting usage/stats/your data to a "mothership".

Just because there's no single central org involved doesn't mean there aren't risks.

You don't need to read it, you just need to be able to read it.

Just because there are risks doesn't mean the risks are meaningfully comparable.

> If you're not reading all the source of everything you're running, any or all of it it absolutely could be reporting usage/stats/your data to a "mothership".

there's a big difference in threat vector between one mothership and 200.

Just because there's no single central org involved doesn't make it safe.

We already know that, by design, macOS will report back to the mothership. If things are working 100% correctly, Apple will collect what programs you run and when you do so.

Linux won't report to the mothership by design. If things work 100% correctly, you don't have to worry about some company knowing what programs you run and when.

I've already found a replacement, Debian stable + i3wm has been my happy place for the last 5 years. No unexpected behavior changes on update, just bug fixes, it does what I tell it, nothing crazy like Debian maintainers dictating what binaries I can run... if you want more or less control you've got plenty of Ubuntu style distros in one direction and Arch style in the other.

If you're a media person then yeah, I feel bad for you, i've been there and it sucks, you're stuck with mac and windows if you require mainstream design apps.

Mandatory OCSP is security theater? That’s a pretty bold claim.
Mandatory OCSP that fails open when you're offline is security theater.
OCSP fails open by definition because it is a revocation protocol. In the absence of revocation, a valid cert continues to be valid.

The problem here is simply that Apple did not build a short enough timeout into their client.

Make OCSP fail locked and it would be a software imprisonment protocol instead.
Or defense in depth.

I hate it too, but 'theater' implies it isn't useful in any way.

And probably a ruse to amass application usage stats.
Because it is not yet illegal to operate a computing machine that is not centrally monitored. New Normal, get used to it. Soon, this corner case will go away.

"Why were you offline when using your computer?"

I experienced this a couple of weeks ago. My wifi was up, but my internetprovider was down. My Macbook came to a halt. Nothing worked anymore. The whole machine was extremely slow. When the internetprovider came back up again, everything was fine again.
So you can't use a computer on an airgapped network? That seems counterproductive if the objective is security.
If your computer is actually airgapped and has no networking interfaces configured, you won't have this issue.

If your computer is able to resolve DNS for ocsp.apple.com but to connection-timeout all traffic, yes, you could possibly reproduce today's issue.

Airgapped network — an IP LAN not connected to the internet. These do exist, sometimes permanently for security reasons, and sometimes just where external connectivity sucks but you still want your laptop to talk to your NAS.
Agreed. These are really useful in various settings, but seem to be outside of most people's experience.
The point stands: if you allow a host to resolve ocsp.apple.com to an unresponsive (timeout) address, it might break macOS the same as today — whether by air gap, by firewall, or who knows what else.
Had the same thing earlier in the week as the isp was doing maintenance two nights in a row. 5+ seconds to start sublime and other really basic apps. Apple apps had no problem of course.

Remembering the notarization problems people were having months ago I did some tests and confirmed.

Now have little snitch installed again and my laptops going to be an Apple orphan. So I never noticed this problem today by virtue of it pissing me off 2 days before.

On iOS, after a period of disconnection "the phone won't let you turn it on again until it goes online": https://youtu.be/BW32yUEymvU?t=1212
I'm guessing this is to help trigger the wipe of stolen phones.
That sounds like it might just be a bug. At least, I wasn't able to find any information whatsoever on this phenomenon on Google.
If you don't have a connection, it just doesn't do the check. If you have a crappy connection like many of our students, it takes forever to check. If the server is down, life just sucks and non-Apple programs don't open.
That's why notarized applications should be stapled too. The stapling "ticket" is embedded in the app bundle and allows macOS to perform an offline check.

Basically you'll get the usual GateKeeper window, but with a slightly different message, along the lines of "I can't check this binary in realtime but I trust the embedded notarization".

If you are connected to a network without an Internet connection, it just becomes unusable. Internet connection is somewhat unreliable in my area, and I had an internet outage that lasted for days during the COVID lockdown. I feared it was a malware infection causing the slow down. I switched over to Linux not long after.
With Android is the same. I have an App Firewall on my Android phone and since then the standard Android gallery app does not work really anymore. A lot of things break, for ex. when I_ like to send a file with Threema, I have to go offline, choose the file and then go online again. Otherwise the file dialoge does freeze. It's just standard these days. Also a lot of things break, if you are just on a network without internet connection. Welcome in 2020.
Often when I would see this type of error it would be when something silently drops TCP packets (rather than sending a RST). This is one way to configure a firewall, and it's indistinguishable from high latency. Hence the difference in behavior. If the address was unroutable, or immediately closed the connection, it would fail quickly (and presumably for the OCSP check, it would be skipped immediately). But when packets are silently dropped, it's up to the client to decide how long to wait for an ACK, which might cause a hang.

I've seen an identical problem where Chrome would hang for minutes when loading sites, and it was because I was in a firewalled environment that was outright dropping packets to Chrome's OCSP server.

This seems to explain why my Mac was nearly unusable after a reboot last week. Turns out bind crashed on my firewall leaving me with no DNS.

After I restarted it I could actually launch apps other than terminal again.

"Heads should roll for this" - careful with the language. Nowadays you may get banned for preaching "beheading".
There's a non-zero chance that this bug has caused at least one death.
Are you referring to Steve Bannon who said Dr. Fauci should be beheaded? Or something else?
You need to set up your own DNS caching resolver and start selectively filtering out Apple domains. Pihole does that wonderfully. Ask your Apple geniuses whether they would help you setting it to make your Macs work.
Code signing is an okay thing as long as the signing identities don't get discriminated. Android has had code signing ever since it was released, but you always generated the certificate yourself, and the purpose was simply to stop someone else from making an apk with the same package id that would install over yours and gain access to its data.

The thing Apple does, on the other hand, with trusting themselves more than the user, is disgusting. I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.

Give me, the owner of the computer, over the keystore for the root certificates I trust, and code signing is great.

> I'm mostly libertarian, but if I ever become a president, this would be one of the first things I'd make illegal, right after shortening the copyright term to like 3 years.

As a libertarian I can see the argument for getting rid of presumptive copyright (and tanking the US economy), but the government preventing people from entering into contracts that you don't like? That's just hypocritical.

> but the government preventing people from entering into contracts that you don't like?

It's not that. Plain and simple: in an ideal world, more money shouldn't grant more power and immunity. Governments should disincentivize this growth into the sky by, for example, progressive taxation for companies. The world would be a better place if tech companies actually competed with each other by making better products, not trying their damnest to lock everyone into their walled gardens to earn even more money they have no clue what to do with. Currently, when choosing something like a computer or a phone, you just pick one that sucks the least. There's no healthy competition.

That does not sound like a libertarian view at all.
Libertarian is not a well defined word. I have a friend who identifies as a Socialist and a Libertarian. He believes that true libertarianism (anarchy) would result in a collapse of capitalism since there would be no state to enforce private property rights.

So yeah, always gotta find out what a person means when they say "Libertarian"

This is brutal.

I've found a work around for now.

* Turn off wifi

* Reboot

* Open everything you need

* Turn wifi back on

Adding: 0.0.0.0 http://ocsp.apple.com to /private/etc/hosts solves it.

Can't believe Big Sur is somehow affecting my Mohave Mac! Yikes!

Having this issue on a 13' MBP. Running this to append ocsp.apple.com to the hosts file did the trick:

echo '127.0.0.1 ocsp.apple.com' | sudo tee -a /etc/hosts

Apple software quality and design is a joke.
Dude you work at Wix.
And? I am the first to admit Wix quality isn't great either. But yes, let's compare the 2T$ OS vendor to a website builder. That makes sense.
Maybe so, but please don't post unsubstantive comments here. We're trying for something a bit different.

https://news.ycombinator.com/newsguidelines.html

You are right. I was just letting off some steam. I am just really frustrated with a company that I respected for so many years, going downhill so much over the last 5-6 years.
Champions of privacy, phoning home a hash of every executable your computer runs!
> Champions of privacy, phoning home a hash of every executable your computer runs!

What’s the matter with privacy? That’s a basic signature check, and you can do so while preserving privacy by using salted hashes or a similar solution.

I don’t understand how salted hashes would obfuscate the query. Private information retrieval is much more complicated than private password storage, and how do we know what the protocol is?
A centralized repository of all your executable hashes is a high precision fingerprint.
There are two major somewhat misleading bits of buzz around macOS “phoning home” all of our executables.

1: among Windows, macOS and Linux only Linux distros don’t do such checks, and most of end-user Linux installations are arguably secure in spite of this—mostly because they are very rare and thus not a priority target for malware.

2: this only concerns files you launch. If you wrap your binary invocation in a shell script, that shell script’s hash will be sent, not your binary’s.

What does the author of the operating system phoning home have to do with Linux not being a target for malware? It seems like you're mixing up two different issues with this.
Phoning home in this case is done to check whether an app’s signed with a valid certificate. Not checking that opens user’s machine to attacks where malware successfully pretends to be an authentic trusted app, likely gaining access privileges (Keychain, etc.) granted to that app by the user previously.

Linux distros can arguably get away without these checks since their users are typically more aware of what they are launching, but importantly also because they are not as big a target due to smaller user bases.

Don't Linux distros accomplish these checks with GPG key signing, which don't need to phone home?
Does it ensure the executable you downloaded and granted access to is still the same and was not modified afterwards?

Another reason is that if a cert (or a cert in the chain) is known to be compromised it can be revoked—would the mechanism used on Linux give some equivalent of that, or one has to be rely on bug trackers or apply updates to ensure trusted signatures are up-to-date?

The binary you get from your upstream repositories are signed but they aren't verified after that. On macOS if you download vagrant and grant it the ability to read your project directory I can't overwrite or modify your binary without it tripping the system and losing those privileges.
Yes it is, but merely sending hashes doesn’t mean such a centralized repository exists. We need more information on the actual implementation.
Who is laughing at the Gentoo folks now ey?
For one, they now have a list of everyone running Tor.
They can perfectly do that without recurring to sending the hashes, using asymmetric cryptography.

But... this way the also gather some data.

Enablers, that is what they are. If the EU manages to push that anti-encryption thing through, Apple will be the one forced to remove the App from your PC. 1984 is here already.
Soon, phoning home a hash of every file your computer has.
(comment deleted)
Maybe it's just me but the idea that my computer lets Apple (+ any LE organizations) surveil my app launches seems so much scarier than any malware.
I don't know about you, but hashes of the binaries I run don't exactly reveal any sensitive personal information about me. That said, obviously they should have much more graceful degradation in place for when something is wrong with the service.
In this case, isn't the hash of the binary consistent across all devices, so Apples can in fact derive exactly which binary you're running (assuming they have a large database of application binary and hashes)?
> assuming they have a large database of application binary and hashes

A database like an "app store"?

(comment deleted)
yup! and the variety of ways to leak that information along the way...Privacy(tm)!
Yes. My personal data involves what I do within those apps, not which ones they are.
That's not even close to true. Apps that you have downloaded can reveal a massive amount of potentially personal information.

Think about someone having a dating app that would out them. Or a therapy app that they don't want people to know about. And that just scratches the surface.

Only if linked to personally identifiable information. Do we have any evidence this is happening?
That's unrelated to my comment. I was simply responding to the astoundingly wrong claim that "My personal data involves what I do within those apps, not which ones they are."
(comment deleted)
You are moving the goal posts.

It is also trivially linked to ip address, which is usually personally identifying.

Do you have any proof this is happening?

This is Apple we are talking about, which has the strongest privacy commitment of any device maker, and no advertising business outside of the App Store. Linking IP addresses to app certificate requests provides them zero benefit and exposes them to substantial brand damage.

Do I have proof they have your ip address? Of course, that's how the internet works.

Do I have proof that they could be ordered by a court to store it? Of course, that's how warrants work.

Do I have proof they are currently storing it? No, nor was that ever the claim.

Then the claim is ridiculous. Apple isn’t keeping any of this info, because it would have no purpose.
I'm not an Apple user so forgive my ignorance here.

1. Do you need an apple account to use the app store?

2. Do you need to provide personal information to use an apple account (I'm thinking at least enough to get a credit card working for app purchases/subscriptions)?

3. Is the data sent to this anti-malware service linked to your Apple account or an apple hardware id? (Has someone wiresharked the data to confirm/deny)

1. Yes

2. Yes

3. I doubt it

But regardless of 3, simply by using the App Store at all (similarly to any other App Store out there) you're already giving them more information than they get from these hashes (at least for the apps that come from the store). I know for a fact that they keep a record of which apps you've downloaded there, associated with your account, because they check for updates and let you re-download them. As does the Android store. As does the Windows store.

Correction: You don't need to login to install apps from Microsoft store and software control on Linux.

Android, yes playstore requires an account but you can install an alternative store without signing in.

Part of it is that, when we're talking about a traditional computer (contrasted with a phone), all of that stuff happens in the web browser these days. The average user's native binaries are mostly limited to said web browser, some work communication apps, maybe a notes app, maybe some dev tools or office tools or media tools depending on the person. Nothing remotely interesting to advertising companies. Maybe that will change with the new iOS app support, but I kind of doubt it.

And anyway, when we are talking about a phone, it would be literally impossible to run an app store without recording (and personally identifying!) that information. Maybe that's one more argument to allow third-party app stores, which I'm not against (though who knows if they're more trustworthy with that data?), but nevertheless.

My point is that in the grand scheme of privacy concerns, this is a very silly hill to die on. In the grand scheme of system reliability, on the other hand, it's totally legitimate to be upset that this effectively took down thousands of expensive workstations across the world for a few minutes.

> My native binaries are mostly limited to said web browser, some work communication apps, dev tools, maybe a notes app. Nothing remotely interesting to advertising companies.

Translation: "I've got nothing to hide".

That's a bad-faith reading of what I said. I've edited it to be extra unambiguous.
So you're okay with it because at the moment you personally (or at least some vague idea of the "average user") don't have any "interesting" apps on your traditional computer? You should step back and understand why this is the wrong way to look at it.

Take a look at the macOS App Store medical section. Doing a quick scan of the top apps there is one app to help with some diabetes pump, one for a personal ECG machine, one that says it's a "mobile lactation consultant". Those can reveal a lot about a person that they might want to keep private. Searching "therapy" or "dating" also shows many results that people might want to keep private.

I don't think that's necessarily true. Meta data about your usage can be very revealing in itself. To use an analogy, if someone tracked every location you visited that'd be very invasive, regardless of whether they recorded any details about what you did at those locations.
I think this is more analogous to someone tracking what models of car you drive.
And where you drive it since they track IP numbers.
Its what apps you’ve got, exactly when and how often you use them, and where you are at those times via network info. Casual gay pickup app, last night in a coffee shop in the red light district, while your wife thought you were at the office working late for example.
It reveals how often I am running new software, it reveals what time of day I run new software, it reveals what networks I connect from
"Hey Siri, select every Tor Browser user in America for additional screening."
That's scary. What if you set it up inside a Virtual Machine?
Ironically, if tor was already running, the check would run over tor and not be traceable. But to start it in the first place it would be traceable. Damn.
The connection would run over tor, but the app you're running and any other PII could/would still be sent regardless.
> I don't know about you, but hashes of the binaries I run don't exactly reveal any sensitive personal information about me.

If they know the hash of (let's say) a pr0n app which you run, then I'd say that's pretty damn sensitive information Apple is getting.

What about the hash of a password cracking binary or the hash of some sort of binary used for piracy or stripping DRM off of something? Or just in general the ability to profile users based on the apps they use seems completely trivial. I imagine it would not take a particularly brilliant data scientist to correlate people who use FTP programs or developer programs or whatever else with people who buy high value items from certain e-commerce sites, for example. Seems like a marketer’s dream if they could ever get access to that. And sure Apple wouldn’t do that, today, on purpose, but are you 100% certain that could never happen? And if there was some way to tie that illegal piracy app binary hash to you personally and the government came knocking with a subpoena, seems like something Apple might be forced to comply with. It’s a very slippery slope.
I run Tor browser occasionally. That fact alone is sensitive personal information about me. It makes me stand out. Someday it might be held against me.

I already expect the ISP to detect my Tor traffic.

But I didn't expect Apple, of all companies, to have a detailed audit trail of every time I've ever opened it, to the nearest minute.

Don’t forget that client IP geolocation gives coarse location, so they have your timestamped track log, too.

Big Sur prevents Little Snitch from blocking these system level connections, and these OS apps will also bypass any configured VPN.

The information reveals in exquisite detail what times of day I'm working, what times I'm slacking off, which days I work too.

And whether I'm taking a long or short lunch break, or lots of breaks. Whether I stay in bed until late, or work late at night. It's enough to predict whether I'm a "good" worker.

It also reveals whenever I travel, which coffee shops and libraries I frequent and what times of day. It also reveals what time I open any of several video conferencing apps.

And the sort of thing some HR would like to browse when assessing job candidates. They wouldn't need to ask "do you know X", they could just consult the Apple log of how often I run the relevant commands. Things like "we see you ran 'git' an average of 145 times per day last month, tell us more about that".

And whether I'm running tools I "shouldn't".

All that seems quite sensitive and personal to me.

> It's enough to predict whether I'm a "good" worker.

If your employer is willing to be that invasive, they already have a much easier route for getting that information: forcibly installing surveillance software on your work machine.

> It also reveals whenever I travel, which coffee shops and libraries I frequent and what times of day.

How...? How would the binaries you're running have anything remotely relevant to say about this?

> They wouldn't need to ask "do you know X", they could just consult the Apple log of how often I run the relevant commands. Things like "we see you ran 'git' an average of 145 times per day last month, tell us more about that".

That's a pretty contrived use-case for a pretty significant and unscrupulous bit of data-sharing. From a PR perspective Apple would never intentionally and publicly share this data. So assuming this data is even stored anywhere after the check is complete, and assuming any personal identification is kept with it, both of which are huge ifs, that leaves a couple of possibilities:

- Hackers gain access to the data

- Government subpoenas the data

- Extremely lucrative contracts, probably from advertising companies, are enough to motivate Apple to sell the data despite the risk of a massive PR scandal

I don't see any of those falling under your proposed scenario of random employers casually perusing the logs.

> If your employer is willing to be that invasive, they already have a much easier route for getting that information: forcibly installing surveillance software on your work machine.

The question was whether the information gathered is personal and sensitive.

The fact there is another way it could be gathered doesn't make the information less personal or sensitive.

> How...? How would the binaries you're running have anything remotely relevant to say about this?

Because your temporary IP address is part of the hash request, and that's usually enough to identify which major organisation's network you are on, not counting any geolocation.

Thus, coffee shop (which brand), library (government network), home or mobile, at least.

I expect the websites and services I'm using to have this when I'm using them. That's reasonable, I'm reaching out to them.

Apple itself is not a service I'm using constantly, so I don't expect it to be sent a minute-by-minute update of my movements whenever I'm doing work in a CLI, and happen to have wifi on.

(I don't use iCloud, btw. Perhaps people using iCloud expect activity to be streamed constantly.)

> From a PR perspective Apple would never intentionally and publicly share this data.

Again, the question was whether the information is personal and sensitive. That's a property of the information itself.

Not whether Apple intends to store it and share it.

> Because your temporary IP address is part of the hash request, and that's usually enough to identify which major organisation's network you are on, not counting any geolocation.

Okay. You realize that you literally have to turn off the network connection completely to prevent dozens of companies from getting this information every waking moment? Windows and even Ubuntu constantly send back basic telemetry, not to mention the many more less-trustworthy apps that are refreshing in the background, the websites you interact with (even with ads/tracking blocked, the site itself still knows your IP address and time of access!), and so on.

Maybe it's not the exact point I was making originally, but my point now is that this is a ridiculous thing to focus on in the grand scheme of privacy concerns. It might be the single least-privacy-significant network request that any of your devices ever makes. Personally, if that's the only cost, I'll take the tradeoff for the security benefits. But even if I didn't feel that way, it's not what I would be spending my energy worrying about.

> You realize that you literally have to turn off the network connection completely to prevent dozens of companies from getting this information every waking moment

I do. (A look at my comment history would show I know quite a bit about networking.)

Again, the question being addressed, or actually the assertion being challenged, was: "hashes of the binaries I run don't exactly reveal any sensitive personal information about me"

I replied to show that those hashes do reveal that information.

But I threw in that how the hashes are sent (revealing the IP constantly) also reveals sensitive and personal information.

You might think that's inevitable, maybe so trivial it doesn't merit a mention. But in fact it isn't. It's purely a consequence of a technical decision. There are many ways Apple could perform the hash check without revealing your ephemeral IP to Apple.

Still, you asked what I thought was "how does sending your hash to Apple reveal where you go?".

Since you asked, I answered.

But perhaps I misunderstood your question, and you were asking how does Apple having the hash reveal where you are, not the act of sending it to them.

Fair enough.

I think that for some users, the applications they run and the frequency they run them at would be enough to identify them across time and accounts. I could change my identifier, even my name, but at the end of the day, I've been using the same apps for at least a decade more or less.
Is this the one-time signature checking that has been in place since Catalina, or is this something else? (And if so is there any information about it?)
I experienced the issue with Mojave while this was happening. So not just Catalina.
Ok, but this doesn't answer the question. If this is the same behavior since Mojave, why aren't those users complaining about this outage on their Mojave and Catalina based system?

Presumably something changed, but so far I haven't heard an explanation that makes sense of it.

Because you do not notice until they f*ck up like this.
According to statcounter.com [1] there are over 4x as many Catalina users as there are Mojave users (62% vs 14% of MacOS users), so I think it's just that the people complaining about Catalina are louder.

Anecdotally, I'm using Mojave and experienced this issue, a person I was trying to have a Zoom call with was experiencing the same issue on their Mojave.

I think there are enough comments scattered across Hacker News to safely conclude that it affected Mojave too - although it's possible the timeout behaviour / error handling is different to Catalina.

[1] https://gs.statcounter.com/macos-version-market-share/deskto...

Has anyone confirmed if this outside the error-reporting agreement step?
This has happened since forever on Mac, Windows and Ubuntu.
No it has not.
I'm fairly sure Windows does upload at least some hashes if you have it enabled in Windows Defender (which it is by default). Don't expect Ubuntu does this though.
Yeah, Windows Defender does worse if you let it have sample submission on. It'll send binaries to Microsoft and they will run in Azure!

https://medium.com/sensorfu/how-my-application-ran-away-and-...

That said, "this has happened forever" is false too. These behaviors are relatively new and relatively under the radar. Many people don't know they exist to get upset about it.

Can you please provide resources for Ubuntu?
I would guess they are referencing the Ubuntu Amazon search thing from about 5 years ago (IIRC)
Sorry, not on Ubuntu. It's easy to check, compile a binary, run it, and use wireshark to watch your uplink.
Ubuntu did upload what applications you launched to Amazon.
Link?

There was a connection between the search bar for awhile, if you typed in pants you'd get potential amazon links. It was easy to turn off and disappeared awhile later.

It is exactly that. And you can turn off spying on other OS'es as well, doesn't defeat the point - they all spy.
Linux operating systems don't spy on their users. This is false. Stop repeating misinformation.

The Ubuntu Amazon fiasco is, if anything, evidence of extreme resistance to this kind of thing. The Linux community rejected Canonical's opt-out ad partnership with Amazon collectively and almost unanimously. The program was relatively benign, but it went against ideals of both users and developers, and there have been no repeats.

I did not say "Linux" anywhere. I said Ubuntu.

Did it happen? Yes. And that is enough information.

You said "they all spy", implying generic Linux.

You have been called out for multiple falsehoods in your comments here and you've still failed to provide any evidence.

Why is it scary that your computer checks for malware?

It’s not like Apple us building a database of apps you’ve launched linked to your address and social security number.

I don't know they're not doing that, is the problem. They probably aren't, but as Bill Kristol offered recently, 99% sure isn't 100% sure, and the fact that I'm not 100% sure is a problem unto itself.
I can't tell if you're being sarcastic or serious. Schrodinger's sarcasm.
It’s not like Apple us building a database of apps you’ve launched linked to your address and social security number.

Linked to your identity if you have a credit card saved for say iTunes.

Any proof of that audacious claim?
In the modern age isn't the audacious claim that they're not?
For an advertising supported business, sure.

But not for Apple where advertising revenues a rounding error on a rounding error, and they’ve built their brand on their commitment to privacy.

Apple runs ads as far as I know.

They also run the app store, which is an advertising platform

We're talking about the ads in apps here?

It's hilarious: most of the journalism I'm finding via DDG search is anti-Apple from the advertisers perspective. All these bloggers and Forbes writers decrying the fact that Apple keep making it harder for third parties to exfiltrate user data. Outraged that Apple would use this data internally making the marketplace non-competitive to both "tiny ad networks" and "Apple's corporate rivals" alike.

This is bogus. It seriously strangles the capabilities of the rival giants to get hold of that trove of data, but the small ad networks, representing businesses with whom Apple has a formal supplier relationship (the Apple Developer Program) and no direct competition are really no worse off.

Shock and awe.

The big change that caused this flurry of self-serving smear? Making 3rd party advertising opt-in. Forgive me if don't swoon with relief that they are now holding off on this user-empowering, privacy focussed change until next year: "to give advertisers and publisher more time to prepare" and come up with ways to subvert the new order.

Throughout this whole discussion users are talking about "ecosystems" and buying in to one or the other, and the effort of changing. The original issue in this thread was serious, reasonably short-lived, and an infrequent screw up (though that frequency is increasing if you ask me). The issue of Apple's ads is moot. They protect their right to be custodians of the user data they hold (or own, I'm still kind of unclear on that) and they continue to shore up the fences that keep the wolves at bay.

Point me to another major hardware/software/data vendor who shares those values.

No. Apple has a history of being extremely careful with personal data, and almost always goes out of its way to make sure it never even collects anything personalized. Of course, those could all be lies, I suppose.
They run an ad network and are the entity that manages device identifiers for iOS.

I certainly trust that they are better than Facebook or Google on the privacy axis. I don't blindly trust that they are innocent.

To which ad network are you referring?

They have a couple: https://searchads.apple.com, https://support.apple.com/en-gb/guide/adguide/apda0878bbd9/i....

They cover ads in Apple News, the App Store Search ads and promotions, and there's the results of Siri search I suppose too. But all of these are internal Apple products and marketplaces. They are not running advertising auctions to any bidder on the basis of guaranteed user groups or targeting strategies.

If you are in fact suggesting that they sell ads beyond their internal marketplaces I'd consider that motivation to move away from them myself, and I converted away from OSS when I got bored fixing my workstation more than my work.

Any proof of that audacious claim?

Proof that if you are signed into any of their cloud services they know who you are? Is this a serious question?

And that that service is using the malware detection data?
> Why is it scary that your computer checks for malware?

It isn't just checking for malware, its broadcasting your app opening behavior to apple and anyone else who might be listening.

> It’s not like Apple us building a database of apps you’ve launched linked to your address and social security number.

You know this how? Seriously, I don't get why you would believe that.

Because Apple would not benefit from doing so, I’m fact could be hugely damaged doing so.

They don’t have any significant advertising business. They don’t need to collect any personally identifiable information. They’ve promoted their brand by putting their customers privacy first.

So why would you believe they would intentionally risk all of that here?

Let me tell you a story about this frog and this scorpion..
For those not familiar with it, the fable is that the scorpion asks the frog to help it cross a river, it stings the frog, the frog asks why since they'll both drown, the scorpion says it's my nature to do so.

A corporation's nature is determined by their business model.

If you want to apply that fable to, say, Apple's relationship with independent repair shops, I'd 100% agree.

> They don’t have any significant advertising business.

This refutes that they're the scorpion in this relationship.

What if a 3 letter agency told them so? (Since apparently it is entirely impossible for people to even conceive that apple might be doing it for their own benefit)
Only if catched. You've claimed Linux does similar checks. Linux is not a company, it is community. They don't need to collect PI, they don't play PR.

Why would private company not utilize leverage? You have no source, you can't even turn off these checks without hacks. Privacy first is open source and audit. It is removing feature people don't want.

You are assuming that Apple would have a say in the matter. The US is deteriorating socially and becoming much more authoritarian every day. It is not at all outlandish to believe the US could simply compel Apple to store this information and/or funnel it right to the NSA/FBI/Whoever. They could even be ordered to lie and say they are respecting our privacy and would never do such a thing.
> They don’t have any significant advertising business. They don’t need to collect any personally identifiable information. They’ve promoted their brand by putting their customers privacy first.

Yes... now. Can you say that with certainty 10 years from now? 15? 20? Would you want an evil Apple 10 years from now having that? Or one that a 3-letter agency forced to collect it and they could never tell anyone because National Security Letter? Is that a bet you want to take? One you NEED to take? Is it truly unavoidable, sufficient to justify such a thing?

The best bulwark against overreach is to not create the capacity for it in the first place. Power will only ever do 1 thing, and that's amass more power.

(comment deleted)
Well it would be pretty good information to have to do analysis against.

You could easily see knowing how often an app is used on an OS to be useful business information if apple wanted to create software to get into a trend before it gets to big.

Of course that doesn't require fine grained time data just daily would be more than good enough.

However you could also see the business use of knowing if two pieces of software are often used together or sequentialy which could inform creating an all in one/integrated experience that would do well in a market. So you need that finer application timing.

Of course that doesn't require tying it to a particular user account,not even a device ID, just a sessionID that changes each time the device restarts would probably be granular enough.

However since we've got that other stuff in place per device wouldn't it be great to see if there's a correlation between people using an app on there Mac and using it or another App on there iphone, ipad, or watch. What piece of data can we include to match up a user across all their devices? Maybe some kind of obfuscated or derived userID.

Of course you'd hope that other interests such as a commitment to privacy would rule out the use of such a dataset. If Apple did have such a dataset then you'd hope they'd be doing whatever processes (social, business, and technical) it can to obfuscate and seperate how that dataset is tied to a specific user.

The only real argument against Apple not having it is the balance between the cost of creating/exploiting such a data set, the expected profit, and the legal and reputational costs of such behaviour.

(comment deleted)
If you haven't downloaded your data from Apple recently I suggest doing that. The amount of personal info they collect has exploded over the last couple years.

Their Services business is moving them into Google levels of data collection.

Having downloaded my data from both Apple and Google, "Google levels of data collection" seems inaccurate.
This is horrible. How can launching apps be depending on a cloud service being available...
> How can launching apps be depending on a cloud service being available...

It's not, per se. The apps will launch if you block the specific subdomain, or turn off internet. The problem is if the computer thinks it can connect and keeps trying.

Ah yes - the “poor X is worse than no X”-problem.

It’s a huge problem on Windows where Explorer.exe still blocks the UI thread while it checks SMB shares if it thinks it can connect to them, but it skips them if it knows the computer is disconnected from a network. So using a Windows computer on a very spotty WLAN is actually more painful than being disconnected due to all the timeouts and dropped packets. Office Outlook is another main offender. I have a Windows Firewall rule just for Outlook.exe when I know it’s going to lock-up a lot.

It's like no one at Apple has ever had sporadic internet access and they don't plan for it. The Apple Music app does the same thing, if you are connected to wifi but don't have internet access it takes 60 seconds for a song to start playing every time you click one. Because apparently that is a reasonable timeout for a UI action
So, yes: they do depend on the local (to the user) availability of that service. So they depend on that.
No, they don’t! If the server is unavailable everything works fine. The problem is when the server can be reached, but is nonresponsive.

I think that’s an important difference. If Apple’s servers ever go offline, the OS will continue to work.

It takes courage. Think different.
(comment deleted)
It's a rental market.
And also, if you decide to implement such a horrible idea, how come you don't have a proper plan for when shit happens?
“We think you’re gonna love it”
Walled-garden strategy at the core of Apple's business.
Both my Hackintosh and MBAir are on Catalina and have been freezing repeatedly for the last hour. Definitely is effecting Catalina.
Sad state of affairs that apps are slow because it can't phone home to a server to verify it's okay.
Unacceptable ecosystem, for both 3rd party app devs and users. What I guess we won't see - but need - is an apology from apple and a commitment to quickly fixing this bug.
Is it a bug really or design problem where they are trying to do something they should not do in the first place.
Again, it turns out that Stallman[1] and others[2] were prescient.

[1] https://www.gnu.org/philosophy/can-you-trust.en.html

[2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Don't forget the World Economic Forum, but they're happy about all this:

https://www.weforum.org/agenda/2016/11/shopping-i-can-t-real...

Hardly "happy about all this". From the end of the linked article:

Author's note: Some people have read this blog as my utopia or dream of the future. It is not. It is a scenario showing where we could be heading - for better and for worse. I wrote this piece to start a discussion about some of the pros and cons of the current technological development. When we are dealing with the future, it is not enough to work with reports. We should start discussions in many new ways. This is the intention with this piece.

The author, Ida Augen is without a doubt one of Denmark's most respectable and intelligent politicians.

The article sohuld not be read as an endorsement of that future. It's her prediction of what the world is going to look like, for better or for worse.

Every year Stallman seems less crazy.
Only in relation to the wider world which is getting progressively more crazy.
I think the intent of the statement was more:

> Every year Stallman seems more correct.

In the sense that the exact risks he was trying to mitigate are in fact materializing in mainstream computing platforms.

Yes, but framing it like that that won't rise to the top and get people to pay attention to all the other important things he has to say.
If you just read his writings on the importance of free software, he never was that "crazy" to begin with. He simply saw examples of companies locking down their hardware so that they could control it at the consumer's expense.

Exactly this is happening with Apple now. Although Apple computers were fairly hackable in the past, with users being able to install Linux or Windows, that is changing. Apple is changing the hardware _and_ software to make it more difficult to do things that Apple does not approve of.

Stallman was keenly aware of this type of behaviour, and he was also aware that companies that have the potential to use this behaviour to this advantage, will often do so.

Apple wants to be in a position where they sell computers as appliances, and Apple Silicon is their step towards doing so.

By the way, I'm typing this on a Macbook pro that is no longer supported by Apple, but running Linux. I am not sure this would be possible in the world of Apple Silicon.

(comment deleted)
I don't think Stallman's crazy, he's just passionate about his beliefs, and people whose careers depend on not acknowledging the truth in what he has to say like to dismiss him.
He was short sighted in many parts. Eg: the definition of free software as something that can be freely redistributed.

For infrastructure parts, it makes sense to be even permissive open source. For something in applications level, it would be nice to make money from it by charging corporations using it, while still being freely available for students and hobbyists. This could have combined best of open source and commercial software.

Stallman's belief is that everything is either good or bad, and there is nothing in between. He is write about consumerization of computing devices though.

(comment deleted)
(comment deleted)