I guess it's will be to late when some "hackers from country X" gonna start to leak sensetive information on EU politicians and their relatives just before elections.
Saying "the EU wants to backdoor encryption" is like saying "the USA wants to backdoor encryption" when one working group is talking about it. "The EU" doesn't want backdoors in encryption just like American politicians don't all agree with trump's Twitter mania.
The previous discussion was about how Big Sur has some built-in exceptions for Apple software.
The current discussion is about the discovery that these built-in exceptions can also be abused by non-Apple software, rendering the firewall completely ineffective.
TBH, I didn't expect this. I've been wary of the iOSification of the mac for a while now (and following that, splitting Apple, effectively killing the mac), but I hadn't expected them to do something so dumb with the network routing. What benefit does it bring them?
You get industrial grade security solutions out of the box with many Linux distributions. You get namespaces, firewalls and seccomp for free with any Linux kernel, and any Linux system with systemd gets unprivileged containers and sandboxes for free, too. AppArmor exists for MAC, and there are userspace sandboxes.
How many user applications actually fashion a sandbox that is non-trivial to escape with those protections? I struggle to think of any outside of the more popular browsers. The Snap and Flatpak sandboxes are good case studies in the practical limits of Linux sandboxing: it’s rarely effective without designing your entire app around it because the way most applications interact with the system was never designed for it. X11 probably being the most egregious limiter, followed by no standard trusted file access UI.
On the server, there’s a reason Amazon built Firecracker and Google built gVisor instead of just using the Linux sandboxing primitives. I think calling them “industrial grade” is pushing it when they’re rarely used as the first line of defense against code that is expected to be actively hostile.
I agree with the thrust of you comment though, outside the webbrowser, proper sandboxing a barely used outside web browsers. However, I think the problem is as much social as technical. Every time Flatpak comes up, it mostly gets hostile reactions.
The situation is rather unfortunate. A lot of people believe that Linux is more secure than other operating systems, but in practice the Linux desktop is far less secure than e.g. macOS, iOS/iPadOS, or Android.
And no, you aren't safe because it is open source software. Sandboxing also protects against unknown vulnerabilities in open source software.
> On the server, there’s a reason Amazon built Firecracker and Google built gVisor instead of just using the Linux sandboxing primitives. I think calling them “industrial grade” is pushing it when they’re rarely used as the first line of defense against code that is expected to be actively hostile.
actually firecracker is not a sandbox. it's basically qemu/libvirt and a minimal implementation of devices. it's qemu-kvm with a http interface and way less devices.
the reason why they rewritten qemu-kvm is because qemu-kvm contains a lot of code that is not needed and is way more bug prone. and also loading a kernel is way faster in firecracker since they optimized the kernel loading code.
I’m not sure of the distinction you’re drawing here. Originally Amazon used the Linux namespaces, cgroups, etc. for isolating Lambda invocations, but they only did this at the AWS account granularity (i.e. your Lambdas only shared the same VM with other Lambdas from your account) for security reasons. They built FirecrackerVM so they could run Lambdas freely on the same bare metal machine as others without having to group by tenant VM in this way. Obviously they found using the Linux primitives to be insufficient for maintaining isolation when dealing with hostile native code.
> On the server, there’s a reason Amazon built Firecracker and Google built gVisor instead of just using the Linux sandboxing primitives.
The reason is that Firecracker is a virtual machine, and Linux containers and sandboxing primitives are not meant to be used for virtual machines.
Pointing at Snap and Flatpak's "sandboxes" is disingenuous when they're notorious for having sandboxing as an after thought to app distribution.
When I say industrial grade, I mean that the sandboxing and isolation primitives that are used in industry are those that are either provided in the kernel, or are deployed as part of a standard Linux server deployment.
Firecracker is a virtual machine that exists to provide a container-level interface. It is not designed for nor capable of running a full virtual machine. GVisor is even less virtual machine like: in fact it originally only worked via a ptrace sandbox and added a KVM-based interface (without a real Linux guest kernel) latter to improve performance.
I point to snap and flatpak because outside of browsers they are AFAICT the only attempts to sandbox user applications on Linux. It would be disingenuous if there were some other apps or distribution channels doing a better job that I hadn’t mentioned, I’d love to hear of some.
All you need to do is to know about the linked page and have it open on another computer, disable some initial disk protections, reboot into recovery while holding down some unmentioned key combinations, disable further restrictions by typing in cryptic Terminal commands that don't match the public names of the features they affect, reboot again, type in more cryptic commands as root to modify deeply nested system files and perform filesystem voodoo, and then reboot yet again with an optional prayer. Repeat for every OS update.
The easier it is to opt out, the more likely it is for sketchy developers to guide tech-novice users through that process, the more likely it is for malicious actors to take advantage of those who opted out.
Yeah but as a counterpoint, most Hacker News users have used Linux at one point, which lets you run commands like `rm -rf /` as root. I think it's fair to allow power users to easily disable these protections.
Ironically, coreutils introduced[1] a requirement to add `--no-preserve-root` to `rm -rf /` way back in 2003, so that particular example doesn't really support the counterpoint you're trying to make.
Although possible to disable the feature, those steps are crazy complicated, and probably impossible for anyone who isn't a developer. (Apart from anything else, regular users should never be advised to disable SIP.)
What stops a Linux program altering the system? I guess you need root access to change things outside of /usr/local this could easily be done on macOS too but the wheel had to be reinvented by Apple in a way that is probably less trustworthy.
You actually need root on macOS to modify anything under /System, and this was the case even before SIP. This is why some installers ask for the root password.
With SIP you can't change some things even as root. SIP has definitely made macos a harder target, though it is still lagging Windows in some areas. Linux is almost comically unprotected.
You can check binary signatures on disk (tripwire) but that is extremely tiresome to maintain and does not prevent straight loading of shellcode into memory.
/usr/bin/vim was installed by my package manager, but there's no guarentee the version I'm running matches the version that was installed. Now in debian there is a file which has a checksum of the version the package installed, but that's not checked on execution, nor is it itself signed (so the process that replaced vim could just as easilly replace the checksum, or the process that checks the checksum)
A year ago, a Chrome update (its Keystone auto-update agent) corrupted system files in Macs which had SIP disabled [1]. The result was that they didn't boot anymore. Mac users who had SIP enabled were not affected.
I won't disable SIP and I'll avoid installing Google Chrome on my new Macs, if possible.
The issue is defaults. Personally, I prefer using an open source alternative OS where generally everything is disbled by default. (NetBSD is best exemple I have found.) Commercial OS like the ones created by Apple, Microsoft, Google, etc. have default settings that are opinionated, i.e., some users might not wish to choose these settings. This puts a burden on the user to disable or work around them somehow. Apple iOS and MacOS by default generate a considerable amount of network traffic to Apple servers as soon as they are powered on. When I power on a computer running NetBSD, there is by default no traffic to a corporate mothership.
Given the choice between (a) a corporate OS that requires me to perform some amount of work to "turn off" some "features" the corporation has enabled and (b) a non-corporate OS that requires me to perform some amount of work to "turn on" the "features" that I want to use, I prefer (b).
The problem is that people who work on some specific fields (music, cinema, graphics) have almost no choice when choosing OS and computer.
Most of them won't even care about sending too much data to a company if that's the price to have the same device everyone else is using in their industry...
> The problem is that people who work on some specific fields (music, cinema, graphics) have almost no choice when choosing OS and computer.
Came here to say that.
> Most of them won't even care about sending too much data to a company if that's the price to have the same device everyone else is using in their industry...
I do, I truly do care. So much that I'm looking at open-source/Linux options, at least for my home projects. Doesn't look very bright on the video side, but DaVinci Resolve is at least available for Linux. Rawtherapee is getting there with local adjustments as we speak. Darktable has lots of power but terrible UX.
I have a G4 I bought for use as a DAW. It still has OS9; I never installed OSX as I knew it would probably slow things down. I never needed to connect the Mac to the internet. If I needed to send/receive files via internet I moved them via crossover cable to a laptop or PC that was connected to the internet.
People today, even more so than in the 2000's, have multiple computers. Would it still be feasible to have a Mac used for {music, cinema, graphics} that is not connected to the internet. Certainly one would have other computers that were connected to the internet and moving files between computers on the local network, preferably via Ethernet, is much faster.
But the point of me telling personal stories is not to suggest anyone could/should do the same things; on the contrary, it is to illustrate that "one size does not fit all". Today's Apple chooses for the user, rather than letting the user choose.
It seems to me that the issue with this approach is that those commercial OSs have to deal with a way more diverse audience than NetBSD and even Linux.
While most of Linux's audience (and probably practically all of NetBSD's) is rather technically inclined and could possibly be expected to turn on the security features as they need them, most of Windows' and macOS's audience will very likely have no idea that there is even an option to do this.
Also, software companies would probably take the easy route and just assume that since those features aren't enable by default, most people don't enable them and develop their software in a way which could be incompatible with them.
So I think that for an OS like macOS, where most people flock "because it just works and has no viruses", strict defaults are a sane choice. Having people go through hoops and click through warning messages would probably also push companies to better design their software.
In the end, I think the best way is for such features to be the default setup. But those OSs need to have an "escape hatch" for someone who actually wants those features disabled and actually understands the risks of disabling them. While macOS does (for the moment) have this hatch, it looks maybe /too/ complex. But then I think the difficulty of the exercise is in setting the "correct" level of complexity for this operation.
Well said. And frankly, this is true even of FOSS -- or why are there so many flavors of Linux?
Even technical users are going to differ in the sets of opinions they hold and are qualified to hold. I care about which Python I have installed. The virtual memory manager? Not so much. Someone else might, though.
> Given the choice between (a) a corporate OS that requires me to perform some amount of work to "turn off" some "features" the corporation has enabled and (b) a non-corporate OS that requires me to perform some amount of work to "turn on" the "features" that I want to use, I prefer (b).
actually default on, is not a problem if it is easy to turn it off in that case.
if apple would have had a button to turn it off, we would be fine.
Defaults are opinionated per definition. You might agree or disagree with them.
I don't believe the defaults related to this issue are a problem; its the lack of transparency about this, coupled with it being difficult to change this. Probably every update you gotta fix that. That's akin to running a Hackintosh. And we all know macOS is moving towards iOS; not Hackintosh/PC.
The problem is not the defaults. The problem is choice. When the motto is "just works", the system needs defaults that works. But savvy user needs to be able to change these things.
A more common use case for this kind of choice is corporate laptops. They usually set up their own policy on the laptop before handing it to employees for good reason. Firewalls are especially necessary to avoid leaking confidential information.
Why? As long as you're not getting the ARM ones, you can stick on 10.15 - which is something many will do anyway for at least a year until Apple irons out the worst bugs of BS.
Only thing I'm still pissed about 10.15 is that Wine still can't run 32-bit apps.
You can stay on an older version for a little while, maybe a year at most until it stops getting patches. Then you get to make the choice of using an OS that's vulnerable to exploits and an OS with a gigantic backdoor in it.
Ah excuse me for that. 2 years of additional lifespan is still painfully short for a deprecated OS. Even free OSes like Ubuntu LTS get more years of support than versions of macOS (Ubuntu LTS release cycle of 2 years minus 5 years of support = 3 years of additional support after deprecation).
Thinkpad T460p on arch linux for me (after getting macbook pro 2017 15 inch keyboard issues followed with cablegate immediately afterwards).
The T460p is a 2016/17 secondhand machine which cost USD235 which I then added a ram upgrade and a new 72Wh battery to. I don't miss the mbp at all and prefer the linux OS anyway.
It probably took me until this moment to realise I was largely falling for marketing in thinking only the best specs would do ...
I have gotten rid of almost any Apple only tools (OmniGraffle to Figma; OmniFocus, Things3, iA Writer, Ulysses, Alfred App to Emacs+Org, and some more), but there is only only a few left that I can‘t find a replacement for in Linux-land: DEVONthink for managing my thousands of documents (actually I just keep my files in DEVONthink and use the search feature, could end up using just file system), ScanSnap Manager (a driver for my Fujitsu Scanner plus a desktop app for scannning the documents, and Spotlight search that works from within every other app for instantly finding any document.
I guess I need to get a Thinkpad running Linux for slowly finding replacments for my tools, and migrate not within weeks, but spreading my migration process over months.
My most essential tool is Emacs / Org and Lisp, Python plus the terminal with some shell scripting for automating all my workflows.
Yes, I will miss the smoothness that comes from very tight integration of hardware and services, but I absolutely hate the path that Apple is on, slowly taking all freedom from its users, until macOS is as closed as iOS. This is against every conviction I have as a citizen for whose freedom it is essential to have control over the machine that enables me to connect to the world and do my work. We are no toddlers, Apple does not need to put us in a walled garden, a promised land without any malware and danger (that‘s the promise, but in reality they want to control every aspect of their ecosystem, like an emperor that wants to tax every aspect of acting and movement in his land).
Emacs + Org-mode (once mastered) are excellent for both writing structured text (in org-mode‘s markup instead of markdown), and for managing tasks and projects.
With org-mode I have dozens of files for managing my projects and tasks. And I can mix notes with tasks. This is a feature that makes it exceptional. When I was using Things3 I liked the tiny section beneath the task description where I could type some notes about the task. With orgmode I can write a full outline beneath the task description.
Emacs is extremely flexible as it can be extended with packages written in Lisp. There are packages that allow me to navigate to any outline node in my ~ 200 org files within a second (ivy + counsel + ripgrep-integration, also org-ql which allows me to query my org files).
Also, I write large amounts of text with org-mode (it’s an excellent outliner too; been previously using OmniOutline) and convert to markdown or any other format via pandoc.
Emacs, once mastered is an application framework that allows me automate any workflow for which I previously used AppleScript, DEVONthink, Python, Bash.
> OmniFocus, Things3, iA Writer, Ulysses, Alfred App to Emacs+Org, and some more
All of these were replaced with org-mode and Emacs (and likely some other Linux features for Alfred). Doom Emacs is a good framework to explore Emacs as it supports both vim and Emacs bindings (there’s also cua-mode).
> I guess I need to get a Thinkpad running Linux for slowly finding replacments for my tools, and migrate not within weeks, but spreading my migration process over months.
Well, if you actually like to tinker from time to time just for tinkering's sake, this is a great approach I inadvertently took.
My daily driver for 7 years had been a late 2013 mbp, which still works and is plenty powerful for most of what I do. Then during the shelter in place period I installed a Arch on my desktop (which normally runs Windows for Photoshop, etc) just to experiment a little with ZFS on Linux, etc. Then I started using it more and more and now I rarely use my mac again. (note that I'm not new to linux, had been using it both on the desktop and the server for a very long time and my work laptop runs linux).
However, unlike you, I don't use many Apple-only tools mostly just Things and Bear. I haven't found replacements for those, but as they never were a critical part of what I do, it wasn't that big of a deal to just drop them.
If you don't mind, could you elaborate a bit on how you've replaced Alfred?
I use it heavily for:
* snippets (mostly for terminal so Termius might be an option but I also use it for non-terminal things)
* clipboard history (are there up to par alternatives?)
* workflows - mostly launching various websites, like Jira tickets with "<board> <ticket #>" or "c suponer" to conjugate Spanish verbs), but also for launching various shell scripts (like changing nameservers with "ns <provider>"), or keyboard shortcuts for playing specific sounds (for fun)
> I guess I need to get a Thinkpad running Linux for slowly finding replacments for my tools, and migrate not within weeks, but spreading my migration process over months.
I'm in the same boat. I've been eyeballing a Tuxedo Pulse 14, but have been thinking of getting a regular PC keyboard in the meantime for the Mac and play around with Linux in Virtualbox.
Does it look like the software part of Apple has been consistently grappled with controversial decisions?
I heard Apple has been very secretive in its development. Maybe it works for hardware, but software is an area where collaboration across teams are very important, isolated bubble breeds incompetence and politics.
I don’t think there’s any secrecy left nowadays with Apple’s hardware, just a theatre. Their presentations are the least surprising of all tech firms - partly due leaks part due to super conservative feature development (if any).
Yeah, I remember when their hardware announcements were pretty much airtight. Up to Apple black-balling Gizmodo from all events after Gizmodo got ahold of an unreleased iPhone an employee had lost. Even then the phone was disguised inside the shell of an older model. [0]
The person that found the phone only poked around after he was confused when it went bricked a few hours later (remotely done by Apple). Then they actually tried to get it back to Apple, and got blown off. That's when they contacted Gizmodo. I think Apple was pissed that Gizmodo paid $5,000 to get it from the finder and didn't return it immediately to Apple without question or inspection.
Classic projection. Say one thing do another. If that is not an example of hostile company then I don't know what is. At least they don't yet harvest your DNA, make a clone of you and force him or her to work in their factories.
This reminds me of the old saying that it's impossible to work within an infected system to clean it --- and now that corporations have been "infecting" systems with such telemetry/spyware by default, that's even more true.
I believe Win10 was the first to do something like this --- it ignores the hosts files and firewall for certain hardcoded domain names and IPs.
I built something similar to this[1] for when I'm dealing with hosts I don't have complete control of -- to block outgoing connections. Now it seems there might be a more widespread use case.
Even an external firewall can't easily block everything. Just send telemetry over port 443 to an AWS server and most can't block it. You can't trust a device that need an outgoing firewall.
I’ve used both windows and Apple developed operating systems for a long time, generally I agree with you - Microsoft is the trailblazer in user-hostile self interested decisions.
This however is something that Microsoft has absolutely dreamed about doing, but never had the power to actually make it happen. Apple wants to have the same power on the desktop that they have on iOS - no code not blessed (and taxed) by Apple run. This is what Apple wants, total control of everything executed by the cpu.
You can get a lot more done today without Microsoft than you could 20 years ago, but it is very hard to not have an accessible copy of Word if you interact with lawyers (where formatting and change tracking matters, and mostly compatible like libreoffice or google docs is not sufficient.
Also, if you take remote tests for school (which was almost mandatory for some, and now for almost all), many places require you install some windows only rootkit so they could claim to have monitored you.
My children’s remote school mostly works without any MS stuff, but every now and then it doesn’t and I have to fire up a VM.
Monopoly is still there, even if it is not as tight as it once was.
This seems so negligent it's difficult for me to believe this was a mistake. Perhaps it could be argued that Apple doesn't want applications blocking the network traffic of trusted applications because there is limited upside to doing so and doing so may restrict core functionality such as system updates, etc. But surely the most reasonable explanation here is that Apple wants a back door to guarantee they can monitor your activity / allow intelligence agencies a way to access to your system?
No, that is not the most reasonable expectation. Fails both Occam's Razor and the laugh test.
To believe this, one has to believe that a $2 trillion company did this on purpose, knowing it would be revealed within hours and that it would take a major hit on the very reputation for user privacy and security that they have spent years building.
There are a lot of better explanations available than "Apple decided user security can fuck off and that clumsily collaborating with the bad guys in trivially-detectable ways was a way better plan".
Maybe you're right – I am quite a paranoid person.
I guess I just don't understand how this wasn't flagged as a concern when the feature was being worked on? How is it possible that Apple's engineering team built a backdoor like this without it raising serious security concerns? And if concerns were raised why was this not adequately pen tested prior to release?
I'm not sure what's worse from a reputational perspective... A company that prides itself on privacy but can't get something as basic as a firewall right, or a company that knows how to write secure software but occasionally puts backdoors in them for intelligence agencies?
I'd posit that if that were true, they'd probably never have made it to even a $2bn company, never mind $2tn. HN is - for Apple's intents and purposes - an insignificantly tiny bunch of people they're 95% not really interested in as customers.
Ultimately, there's little difference between incompetence and malevolence when acting in this level. Incompetence might actually be slightly worse.
The malevolent act on their best interest which is often predictable and limited. The incompetent simply give away data to every random badguy under the sun.
In fact, it was so negligent because Apple is actually secretly rebelling against the Illuminati, who forced them to do this, by making such a deliberate cock-up of it that it was discovered within hours of release.
Democrats are probably involved. I also read that the upcoming vaccination from Pfizer actually contains miniature versions of Apple's new M1 chip. We'll all be iCyborgs next year.
Of course when this possibility was raised 25 days ago on HN [1] there was a swarm of apologists who figured the superior Apple services needed no firewall interception (and just 2 days ago we learned that hell yes, they do!) and that this was all by design and impervious to abuse by other apps.
Turns out, no, macOS is still written by the same old skeleton crew at Apple and they still introduce trivial problems in most things they do.
In the Vault 7 leaks, Little Snitch was mentioned as something three letter people had problems with circumventing. I think it's worth considering whether this new attack surface is there by design:
I didn't follow up on the Reuters news piece from January titled "Exclusive: Apple dropped plan for encrypting backups after FBI complained - sources". Has it been confirmed? If yes, then your assertion is most probably correct.
That Reuter's piece is original reporting that Apple never responded to, so I would say that it's all but confirmed that they did in fact do this at the FBI's request.
GP is saying that the same teams have been working on macOS as before, implying they are just as fallible as previous iterations of macOS authors were by "same old", and implying that they are understaffed for the task by calling them a "skeleton crew"[0]
I try to forget those in between years of of System 7 / OS8 / OS9. They all gave me deep scars through countless hours spent troubleshooting extension conflicts. All while seeing the unhelpful, literal bomb icon dozens of times in a row [0]. The windows BSOD was bad, but at least it never mocked you about the OS blowing up.
More details: In theory, extension troubleshooting should have been easy. 1) Boot with them off. If it boots, it's the extensions. 2) Turn half off. If it boots, you know it's the other half. 3) Repeat step #2 with the remaining extensions until you find the offending one.
Except it wasn't always a single one. It could be a problem that only occurred when a combination were active. So you'd go through the much higher # of combinations of turning certain groups on together... the first 5 & third 5 extensions, etc... Sometimes even that wouldn't work, and you'd be stuck opening programs you knew used certain extensions to force them into activity. Eventually, if you were lucky, you'd find the one corrupt extension and reinstall it. But if all else failed, you backed up the data with all extensions disabled, blew out the OS with a clean install and reinstall all the programs & restore the backup.
I have no idea how they ever expected this to work. Seems it would be trivial to proxy a c&c through apps with access. All you need is a signal, any signal, to the outside world. If air gaps can be beat, this concept was doomed from the start, unless I'm missing something.
I hope this proof-of-concept is the last straw that gets Apple to walk this design decision back. Because if it doesn’t, I'm not looking forward to whatever it is that does.
I expect Apple to take the opposite path, not immediately, but eventually: disable sideloading and enforce a Mac App Store only policy on macOS, similar to iOS. After all, if all apps are reviewed and approved by Apple, there is no malware that can use this weakness or the future ones.
And I am sure the 30% cut and $100 annual fee has nothing to do with the decision either. Apple only cares about customers, not money. /s
> I expect Apple to take the opposite path, not immediately, but eventually: disable sideloading and enforce a Mac App Store only policy on macOS, similar to iOS
Yep. And when Apple does it, HN will celebrate. There's a certain type of person who's terrified by independence and freedom and who craves the comforting safety of rules and control. macOS will be the OS for that kind of person.
Apple has all but guaranteed that my current Mac will be my last. I have been using Macs since the Mac IIx, and my first Mac laptop was the Powerbook 190.
The only reason that I have my Mid 2018 Macbook Pro, is that I bought it in Budapest after my previous machine died, and the reseller Apple store was the only one that stocked English keycaps for the keyboard (they did have to unbox and change the keycaps).
My technology choices are starting to feel frustratingly niche. I am using Apple over Linux because I tired of having to mess around with the systems constantly to get things working. ItJustWorks™ is a powerful driver.
If I'm being honest with myself, it's also a question of access to paid apps. If I list all the apps I use on a daily basis, a bunch of them are Mac only, and an even smaller set run on Linux (even if they have a Windows version as well).
There are numerous excellent reasons why that will never happen. And why it’s not in Apple’s interest to do so.
The most obvious reason is that it would utterly destroy the Mac among influencer communities and developers.
But perhaps the most underrated reason is that Apple already has a managed computing platform in the iPad. Rather than the Mac becoming more locked down, I expect the iPad will become ever-more desktop-like and take over more and more market share from traditional computers.
I’d contend that an iMac-like desktop iPad is a more likely future product than a fully locked down Mac.
Developers on the Apple that matter to Apple are those using Objective-C and Swift, everything else was a nice thing back in the dark days of almost closing shop.
disable sideloading and enforce a Mac App Store only policy on macOS
People have been repeating that for years, since the Mac App Store was announced. It’s not in Apple’s interest to do it. There is a ton of software, open source in particular, that Apple benefits tremendously by. It costs Apple nothing to maintain the status quo.
Going Mac App Store only would drive tons of developers off the platform and do absolutely nothing to increase sales on the Store anyway. It would be widely panned as a ham-fisted move.
Apple single-handedly killed off the Safari extensions ecosystem for extremely dubious reasons. It would be inaccurate to say that they have locked down macOS to Mac App Store-only apps, but even if you ignore the embedded platforms the concerns about locking down macOS are extremely founded even as Apple repeatedly says they aren't trying to do this.
Apple developers would stay on the platform, regardless.
The GNU/Linux developers that have been giving money to Apple for a shinny UNIX, might go to Windows with WSL, which I doubt unless we are speaking about the crowd that only cares about POSIX and keeps calling that "Linux".
The GNU/Linux developers that have been giving money to Apple for a shiny UNIX instead of sponsoring OEMs, now they finally learn how Apple has always been, including before the days of almost getting to close shop.
In this context it can be a "power" move to push away developers who are unwilling to agree to further closing of the platform. As a result Apple will have only "the faithful ones" and will avoid reactions like recent Unreal fiasco ( in this case the faithful one is Unity). And as I see its working perfectly, most of tech you-tubers are in the bag by default, most of the designers and creative users are lazy (and technically challenged), corporate users, semi pros and regular iPhone crowd are already locked in and don't care. The only thing is someone to start legislative reaction, but this is hard and Apple has all the money. So this is the new norm. Machiavellian move with global impact:)
Game developers are more than happy to deal with such platforms, and I confess it was more fun to target the Amiga, knowing what to count on, than the mess that the PC has been since forever.
That crowd can turn on to their Pandora, GPX, Arduino, Raspberry, whatever SOC is going trendy.
As for Unreal I wish they learn their lesson, or be honest and create a lawsuit against Sony, Nintendo and Microsoft.
I think an argument can be construed that (one of) Apple's interests is to control what and how users can do on Apple devices. iOS-like lockdown seems entirely in line with that.
> Going Mac App Store only would drive tons of developers off the platform and do absolutely nothing to increase sales on the Store anyway.
And others would fill in the gap. The Store sales would inevitably have to go up – it would become the only way to get software on the device. Not like every user would immediately drop the Mac. I can imagine a non-trivial fraction of users wouldn't even notice that something has changed.
It wouldn't happen right next year, or in one go, but the more I think, the more I am growing convinced that it's sneaking up.
> It would be widely panned as a ham-fisted move.
If it doesn't affect the bottom line, it doesn't really matter. They got away with 4 years of perhaps the worst laptop keyboard of the decade; are getting away with inflicting the TouchBar price tag on tens of thousands of users(1), making devices unserviceable, and even with the matter in question.
Given Apple's size and user base, I'm afraid that outside of straight-up illegal activity, there's little Apple can't get away with. Especially if the janky move is factored into small, cruddy steps.
(1) I realize it's a lame point, but it annoys me personally
I could really use a "special edition" of MacOS - sort of like what happened with XP in the later days. Strip out all the Apple stuff, privacy failures, and excessive gatekeeping [$] and just leave the raw OS.
What UNIX are you thinking of? Even the Berkeley distribution appeared to require a license from AT&T to use, for V7 UNIX. Anything with AT&T's code was litigiously protected, culminating in a law suit in the 90s against 4.4BSD Lite, which was the first to claim to be rid of all AT&T code. Are you saying most installations were just unlicensed copies?
https://imgur.com/a/y0NPJ2o - DNS activity of my Mac PRO + Big Sur during the last 30 mins. This is a filter on `apple` domain so I'm not sure if I'm seeing everything since they might use other domains but heh - for the curious.
I'm done with Apple. It's incredibly restrictive for no real gain at this point. I have a really old MB Air I only ever use to compile apps for the App Store for clients, but otherwise there's no clear path towards improvement from them, so I'm voting with my wallet for the foreseeable future.
I commented on your Twitter post already, but I'll reiterate here. This is not a vulnerability, it is as intended. By default, you can only install Applications via the App Store on Big Sur, and AppProxyProvider only affects Applications installed via this method.
This has the dual-benefit of protecting casual users, and allowing power-users flexibility with any binaries that aren't sandboxed. From what I understand of your example, you used the bundled python installation to make the connection, the python binary is not sandboxed and is not affected by AppProxyProvider. This will be the case with any other binaries as well -- ping, ssh, etc...
Ugh. I'd love to switch to Linux, but as a designer, I'm stuck. It's not a lack of understanding of how it works— Before I was a designer I was a developer, worked in IT for a while, worked in upper-level support for a while, and Linux was my primary personal and professional OS from the late 90s to like 2010.
Why don't I just run a closed-source OS in a VM? They are fussy. Having some weird graphics tablet driver problem or something can really kill the creative connection between me and my work, and if I'm coming down to the wire on a deadline, it can cost me a contract.
What about tools that work natively on Linux? They generally just don't work for professional design use. Whenever I say that, a billion people always jump in and say "Gimp and VivaDesigner and Natron and XYZ and PDQ" work fine for me," and to my astonishment, they always seem surprised that the same just isn't true in most (any?) professional workflows. Sure, with varying amounts (usually non-trivial) of extra effort I can cobble together a disparate set of tools that might sometimes yield similar results to professional design programs, but it's going to take significantly more work to produce possibly lower-quality results, and that's just not an option for a pro. If you were hiring someone to craft the image of your company in a crowded, competitive marketplace, would you pay them more to take longer and potentially end up with a suboptimal product just because they were only using OSS to do it?
A software developer could feasibly use something like windows notepad or pine to achieve the same results as an IDE, or even a more powerful text editor like SublimeText. For many non-professionals, people just editing a config file, or people making the occasional shell script, it does work fine. Better even, considering that the extra baggage of complex tools would actually slow them down rather than speed them up.
I'm assuming your use case doesn't require that much compute power so maybe you could use an old Mac just for work stuff and a Linux machine for everything else?
get 2 machines then. Who says you need to have a single machine for everything? Get a Mac for your design work, treat it like an appliance, and use Linux for everything else on another machine. Problem solved.
While I like your solution in principle, I can imagine it complicating life awfully...
People email you assets/images for use in your production work: are you going to get that on your 'designer' machine or on your Linux box? Most likely the latter, now you have to transfer it over to the 'work' box. Not technically difficult, but a definite speed-bump in your workflow. Awkward.
Your online document-sharing/demos (say Dropbox, whatever): is that from the work box? the utility box? both? Again, not technically a train-smash, but... awkward. A discontinuity that you'll have to deal with multiple times a day, a detour in your flow.
I can see why many would consider it too much of a hassle.
At least you’re stuck on a Mac. I do motion design and I’m stuck on windows because of stupid Apple vs nvidia beef and apple only allowing you to have a good gpu if you pay for Mac Pro with Xeon you don’t need and expensive memory you don’t need.
Some things changed for the good the last couple of years.
I am programming on Ubuntu (C#, PHP, Javascript) with Jetbrains software. This works absolutely great.
For 3D work I use Blender.
But for graphical work I agree that there are still alternatives missing.
Figma is a very good alternative for Sketch. Scribus is a good alternative for Indesign. Krita is very good for concept art. But that's about it.
Inscape is a good alternative for Illustrator, but only if you work in RGB.
Gimp can do what Photoshop can but it will take you 3 times as long.
But for me the trade-offs work. I want to own my computer so I choose to work in Gimp instead of Photoshop. I also started to design websites directly with CSS. And I switched from 3DsMax to Blender (which isn't a trade-off anymore).
It's like 75% as good as Photoshop, which is pretty amazing for a JS app. I've found things like quality of masking refinement tools— an absolute must in my workflows— to be lacking.
I have tried in 2008 with Ubuntu Studio, after spilling coffee on my Powerbook G4, to work in Linux as a UI designer full time and people don't realised the power of Inkscape at the time. 2017 I have used only Ubuntu LTS with Gnome and Affinity Designer in Win VM, full year.
This time around I think that is possible, and economically solid, the move from Apple to ARM and closed walls of App Store to create conditions for real Linux Desktop Revolution.
Yeah, Inkscape is great. Maybe Linux works for working exclusively with on-screen assets? Not there if you do a lot of print work/layout. It's not that there aren't any tools for it, it's just that the tools aren't even close to as smooth or productive.
I think Blender and Figma are good, professional tools. For the rest of them, I'm sure they work fine if you don't need to produce extremely polished stuff at volume— but they're not even close to good for that use case. (which is what my comment was about) I could see a UX Designer who works primarily in wireframes and such things getting by fine with linux, but not someone who works primarily in visuals.
As you can read in my comment I agree with you. For example working with text in Gimp is just horrible. And Inkscape is very good untill you need it for CMYK.
But this thread is about owning your PC. And then I think all those trade-offs can be overcome. Sometimes this means thinking in other directions. For example the choice to design in CSS instead of Photoshop.
I don't think you can say: 'I cannot get away from Apple'.
But you can say: 'I choose to stay at Apple because I think it is more convenient'.
Freedom is hard, and thingsbcosts money if you're not willing to put willpower - more news at 11
Jokes aside you don't have to do it if you're scared, and if you want to try you can always switch back and forth between machines / OSs so you use the most suited environment according to the limits of context and the job you need to do.
Much like you can aim at 0% environment pollution by gradually removing excess stuff instead of going full off the grid, you don't have to do a radical move. Use the tools you need for the job, aiming at result production while keeping a liquid approach.
Depending on your skills, willpower, effort, and willingness to abandon uninventive corporations you can be faster and more efficient. You're just not feeling comfortable investing time and effort, which is a sacred choice.
Please consider that things have changed since 2019, VMs support of tablets and color grading tools are a breeze and using tools that your competitors are scared to use will make you innovative. Godspeed~
Why professional users don't complain? I unfortunately need to keep Windows machine for pro tools I use and it took me some time to remove any telemetry plus I can still see with Glasswire some apps are sending traffic. Usually I send an email to the software provider and ask what they send. Unfortunately some don't even reply and there is no OSS alternative, so there you go. I wish pirates went a step further and instead of hacking DRM also removed calls home and telemetry. Should mods should be legal if you have a full version and I would pay for such mods.
I agree that Gimp et al are terrible, but why not use Figma? It’s a great design tool, and thanks to it being browser-based you can use it on any platform, including Linux.
250 comments
[ 3.2 ms ] story [ 521 ms ] threadSame thing will happen with an encryption backdoor like the EU is now thinking of forcing down our throats...
The previous discussion was about how Big Sur has some built-in exceptions for Apple software.
The current discussion is about the discovery that these built-in exceptions can also be abused by non-Apple software, rendering the firewall completely ineffective.
I wonder why they still thought it was a great idea to go ahead.
https://tinyapps.org/blog/202010210700_whose_computer_is_it....
And a humorous guide on disabling protections like code signing and notarization:
https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-li...
On the server, there’s a reason Amazon built Firecracker and Google built gVisor instead of just using the Linux sandboxing primitives. I think calling them “industrial grade” is pushing it when they’re rarely used as the first line of defense against code that is expected to be actively hostile.
If an application uses Gtk+3 or Qt5 then portals will be used automatically for Open/Save dialogs:
https://docs.flatpak.org/en/latest/sandbox-permissions.html#...
I agree with the thrust of you comment though, outside the webbrowser, proper sandboxing a barely used outside web browsers. However, I think the problem is as much social as technical. Every time Flatpak comes up, it mostly gets hostile reactions.
The situation is rather unfortunate. A lot of people believe that Linux is more secure than other operating systems, but in practice the Linux desktop is far less secure than e.g. macOS, iOS/iPadOS, or Android.
And no, you aren't safe because it is open source software. Sandboxing also protects against unknown vulnerabilities in open source software.
actually firecracker is not a sandbox. it's basically qemu/libvirt and a minimal implementation of devices. it's qemu-kvm with a http interface and way less devices.
the reason why they rewritten qemu-kvm is because qemu-kvm contains a lot of code that is not needed and is way more bug prone. and also loading a kernel is way faster in firecracker since they optimized the kernel loading code.
The reason is that Firecracker is a virtual machine, and Linux containers and sandboxing primitives are not meant to be used for virtual machines.
Pointing at Snap and Flatpak's "sandboxes" is disingenuous when they're notorious for having sandboxing as an after thought to app distribution.
When I say industrial grade, I mean that the sandboxing and isolation primitives that are used in industry are those that are either provided in the kernel, or are deployed as part of a standard Linux server deployment.
I point to snap and flatpak because outside of browsers they are AFAICT the only attempts to sandbox user applications on Linux. It would be disingenuous if there were some other apps or distribution channels doing a better job that I hadn’t mentioned, I’d love to hear of some.
My point: opting out should be much, much easier.
What could be easier?
Most consumers don't care about security, making it easy to disable just opens the floodgates of their systems.
EDIT: clarity
[1]: https://github.com/coreutils/coreutils/commit/34e3ea055721ec...
"How do I do X? Just run this as root." Sometimes slightly disguised, but more often not.
Fighting the OS you are running is an uphill battle that gets tiresome real quick.
Most users will say yes.
Technical ones at least can say no.
Easier than setting up bluetoooth.
@grishka Edit because I'm rate limited:
I've not seen anything that does executable validation for linux and actually works. Needs lots of kernel support. See the response from the old DigSig author: https://stackoverflow.com/questions/1732927/signed-executabl...
You can check binary signatures on disk (tripwire) but that is extremely tiresome to maintain and does not prevent straight loading of shellcode into memory.
More recently: https://lwn.net/Articles/733431/
Signed kernel modules is on its way though: https://www.kernel.org/doc/html/latest/admin-guide/module-si...
I guess that would be a place to start for implementing SIP...
/usr/bin/vim was installed by my package manager, but there's no guarentee the version I'm running matches the version that was installed. Now in debian there is a file which has a checksum of the version the package installed, but that's not checked on execution, nor is it itself signed (so the process that replaced vim could just as easilly replace the checksum, or the process that checks the checksum)
ChromeOS uses dm-verity to verify the root partition at runtime, similar to Mac OS's signed system volume.
I won't disable SIP and I'll avoid installing Google Chrome on my new Macs, if possible.
[1] https://support.google.com/chrome/thread/15235262?hl=en
Given the choice between (a) a corporate OS that requires me to perform some amount of work to "turn off" some "features" the corporation has enabled and (b) a non-corporate OS that requires me to perform some amount of work to "turn on" the "features" that I want to use, I prefer (b).
Most of them won't even care about sending too much data to a company if that's the price to have the same device everyone else is using in their industry...
Came here to say that.
> Most of them won't even care about sending too much data to a company if that's the price to have the same device everyone else is using in their industry...
I do, I truly do care. So much that I'm looking at open-source/Linux options, at least for my home projects. Doesn't look very bright on the video side, but DaVinci Resolve is at least available for Linux. Rawtherapee is getting there with local adjustments as we speak. Darktable has lots of power but terrible UX.
People today, even more so than in the 2000's, have multiple computers. Would it still be feasible to have a Mac used for {music, cinema, graphics} that is not connected to the internet. Certainly one would have other computers that were connected to the internet and moving files between computers on the local network, preferably via Ethernet, is much faster.
But the point of me telling personal stories is not to suggest anyone could/should do the same things; on the contrary, it is to illustrate that "one size does not fit all". Today's Apple chooses for the user, rather than letting the user choose.
While most of Linux's audience (and probably practically all of NetBSD's) is rather technically inclined and could possibly be expected to turn on the security features as they need them, most of Windows' and macOS's audience will very likely have no idea that there is even an option to do this.
Also, software companies would probably take the easy route and just assume that since those features aren't enable by default, most people don't enable them and develop their software in a way which could be incompatible with them.
So I think that for an OS like macOS, where most people flock "because it just works and has no viruses", strict defaults are a sane choice. Having people go through hoops and click through warning messages would probably also push companies to better design their software.
In the end, I think the best way is for such features to be the default setup. But those OSs need to have an "escape hatch" for someone who actually wants those features disabled and actually understands the risks of disabling them. While macOS does (for the moment) have this hatch, it looks maybe /too/ complex. But then I think the difficulty of the exercise is in setting the "correct" level of complexity for this operation.
So the right path for consumer OS is ‘sound opinions, easily changed’.
Even technical users are going to differ in the sets of opinions they hold and are qualified to hold. I care about which Python I have installed. The virtual memory manager? Not so much. Someone else might, though.
The list is really disappointing.
actually default on, is not a problem if it is easy to turn it off in that case. if apple would have had a button to turn it off, we would be fine.
I don't believe the defaults related to this issue are a problem; its the lack of transparency about this, coupled with it being difficult to change this. Probably every update you gotta fix that. That's akin to running a Hackintosh. And we all know macOS is moving towards iOS; not Hackintosh/PC.
A more common use case for this kind of choice is corporate laptops. They usually set up their own policy on the laptop before handing it to employees for good reason. Firewalls are especially necessary to avoid leaking confidential information.
Only thing I'm still pissed about 10.15 is that Wine still can't run 32-bit apps.
Catalina should be supported for two more years:
https://computing.cs.cmu.edu/desktop/os-lifecycle
https://www.csun.edu/it/supported-operating-systems
https://www.reddit.com/r/sysadmin/comments/imdzv4/endoflife_...
I am feeling pretty heavily smug that I got rid of my Apple kit earlier this year because I wasn't happy with the direction of the platform.
Thinkpad running Manjaro GNOME
Works fine, haven't looked back.
Have not found a good successor to Devonthink Pro though.
The T460p is a 2016/17 secondhand machine which cost USD235 which I then added a ram upgrade and a new 72Wh battery to. I don't miss the mbp at all and prefer the linux OS anyway.
It probably took me until this moment to realise I was largely falling for marketing in thinking only the best specs would do ...
Couldn't be happier.
I guess I need to get a Thinkpad running Linux for slowly finding replacments for my tools, and migrate not within weeks, but spreading my migration process over months.
My most essential tool is Emacs / Org and Lisp, Python plus the terminal with some shell scripting for automating all my workflows.
Yes, I will miss the smoothness that comes from very tight integration of hardware and services, but I absolutely hate the path that Apple is on, slowly taking all freedom from its users, until macOS is as closed as iOS. This is against every conviction I have as a citizen for whose freedom it is essential to have control over the machine that enables me to connect to the world and do my work. We are no toddlers, Apple does not need to put us in a walled garden, a promised land without any malware and danger (that‘s the promise, but in reality they want to control every aspect of their ecosystem, like an emperor that wants to tax every aspect of acting and movement in his land).
With org-mode I have dozens of files for managing my projects and tasks. And I can mix notes with tasks. This is a feature that makes it exceptional. When I was using Things3 I liked the tiny section beneath the task description where I could type some notes about the task. With orgmode I can write a full outline beneath the task description.
Emacs is extremely flexible as it can be extended with packages written in Lisp. There are packages that allow me to navigate to any outline node in my ~ 200 org files within a second (ivy + counsel + ripgrep-integration, also org-ql which allows me to query my org files).
Also, I write large amounts of text with org-mode (it’s an excellent outliner too; been previously using OmniOutline) and convert to markdown or any other format via pandoc.
Emacs, once mastered is an application framework that allows me automate any workflow for which I previously used AppleScript, DEVONthink, Python, Bash.
All of these were replaced with org-mode and Emacs (and likely some other Linux features for Alfred). Doom Emacs is a good framework to explore Emacs as it supports both vim and Emacs bindings (there’s also cua-mode).
https://orgmode.org https://github.com/hlissner/doom-emacs
Well, if you actually like to tinker from time to time just for tinkering's sake, this is a great approach I inadvertently took.
My daily driver for 7 years had been a late 2013 mbp, which still works and is plenty powerful for most of what I do. Then during the shelter in place period I installed a Arch on my desktop (which normally runs Windows for Photoshop, etc) just to experiment a little with ZFS on Linux, etc. Then I started using it more and more and now I rarely use my mac again. (note that I'm not new to linux, had been using it both on the desktop and the server for a very long time and my work laptop runs linux).
However, unlike you, I don't use many Apple-only tools mostly just Things and Bear. I haven't found replacements for those, but as they never were a critical part of what I do, it wasn't that big of a deal to just drop them.
iA Writer is available on Windows and Android.
I use it heavily for:
* snippets (mostly for terminal so Termius might be an option but I also use it for non-terminal things)
* clipboard history (are there up to par alternatives?)
* workflows - mostly launching various websites, like Jira tickets with "<board> <ticket #>" or "c suponer" to conjugate Spanish verbs), but also for launching various shell scripts (like changing nameservers with "ns <provider>"), or keyboard shortcuts for playing specific sounds (for fun)
> I guess I need to get a Thinkpad running Linux for slowly finding replacments for my tools, and migrate not within weeks, but spreading my migration process over months.
I'm in the same boat. I've been eyeballing a Tuxedo Pulse 14, but have been thinking of getting a regular PC keyboard in the meantime for the Mac and play around with Linux in Virtualbox.
Edit: Found this, seems like there's hope: https://medium.com/curiouscaloo/macos-to-ubuntu-part1-alfred...
There are also Linux "commodity" laptops from Linux-focused companies now. E.g.,
https://puri.sm/products/librem-14/
https://system76.com/laptops
I heard Apple has been very secretive in its development. Maybe it works for hardware, but software is an area where collaboration across teams are very important, isolated bubble breeds incompetence and politics.
The person that found the phone only poked around after he was confused when it went bricked a few hours later (remotely done by Apple). Then they actually tried to get it back to Apple, and got blown off. That's when they contacted Gizmodo. I think Apple was pissed that Gizmodo paid $5,000 to get it from the finder and didn't return it immediately to Apple without question or inspection.
[0] https://gizmodo.com/how-apple-lost-the-iphone-4-5520438
I believe Win10 was the first to do something like this --- it ignores the hosts files and firewall for certain hardcoded domain names and IPs.
[1] https://www.badllama.com/content/portable-raspberry-pi-firew...
If you want to block something use a firewall.
:c
The government has its work cut out.
This however is something that Microsoft has absolutely dreamed about doing, but never had the power to actually make it happen. Apple wants to have the same power on the desktop that they have on iOS - no code not blessed (and taxed) by Apple run. This is what Apple wants, total control of everything executed by the cpu.
You can get a lot more done today without Microsoft than you could 20 years ago, but it is very hard to not have an accessible copy of Word if you interact with lawyers (where formatting and change tracking matters, and mostly compatible like libreoffice or google docs is not sufficient.
Also, if you take remote tests for school (which was almost mandatory for some, and now for almost all), many places require you install some windows only rootkit so they could claim to have monitored you.
My children’s remote school mostly works without any MS stuff, but every now and then it doesn’t and I have to fire up a VM.
Monopoly is still there, even if it is not as tight as it once was.
Guess I won't be upgrading from Catalina for a long time.
To believe this, one has to believe that a $2 trillion company did this on purpose, knowing it would be revealed within hours and that it would take a major hit on the very reputation for user privacy and security that they have spent years building.
There are a lot of better explanations available than "Apple decided user security can fuck off and that clumsily collaborating with the bad guys in trivially-detectable ways was a way better plan".
I guess I just don't understand how this wasn't flagged as a concern when the feature was being worked on? How is it possible that Apple's engineering team built a backdoor like this without it raising serious security concerns? And if concerns were raised why was this not adequately pen tested prior to release?
I'm not sure what's worse from a reputational perspective... A company that prides itself on privacy but can't get something as basic as a firewall right, or a company that knows how to write secure software but occasionally puts backdoors in them for intelligence agencies?
This seems a little rudely dismissive. GP's skepticism sounds totally reasonable and healthy to me.
The malevolent act on their best interest which is often predictable and limited. The incompetent simply give away data to every random badguy under the sun.
We need to go deeper.
I mean, it is the result of deliberate architecture and design changes to security and networking on macOS.
Turns out, no, macOS is still written by the same old skeleton crew at Apple and they still introduce trivial problems in most things they do.
1: https://news.ycombinator.com/item?id=24839086
https://blog.obdev.at/little-snitch-on-vault-7/
https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...
(I hate the term “all but”. I find it often hard to tell what people actually want to say when using it.)
I didn't understand this reference. Who is the "same old skeleton crew"?
[0] https://en.m.wiktionary.org/wiki/skeleton_crew#:~:text=skele....
I try to forget those in between years of of System 7 / OS8 / OS9. They all gave me deep scars through countless hours spent troubleshooting extension conflicts. All while seeing the unhelpful, literal bomb icon dozens of times in a row [0]. The windows BSOD was bad, but at least it never mocked you about the OS blowing up.
[0]https://www.versionmuseum.com/images/operating-systems/class...
More details: In theory, extension troubleshooting should have been easy. 1) Boot with them off. If it boots, it's the extensions. 2) Turn half off. If it boots, you know it's the other half. 3) Repeat step #2 with the remaining extensions until you find the offending one.
Except it wasn't always a single one. It could be a problem that only occurred when a combination were active. So you'd go through the much higher # of combinations of turning certain groups on together... the first 5 & third 5 extensions, etc... Sometimes even that wouldn't work, and you'd be stuck opening programs you knew used certain extensions to force them into activity. Eventually, if you were lucky, you'd find the one corrupt extension and reinstall it. But if all else failed, you backed up the data with all extensions disabled, blew out the OS with a clean install and reinstall all the programs & restore the backup.
And I am sure the 30% cut and $100 annual fee has nothing to do with the decision either. Apple only cares about customers, not money. /s
Apple - "we want to keep it simple to our users"
Google - "AI doesn't have any control over data we've collected"
Facebook - "Every company is spying on their users"
Amazon - "we control mere 10% of global economy"
Salesforce - "you can ‘easily’ export your data from our completely proprietary platform"
Yep. And when Apple does it, HN will celebrate. There's a certain type of person who's terrified by independence and freedom and who craves the comforting safety of rules and control. macOS will be the OS for that kind of person.
Apple has all but guaranteed that my current Mac will be my last. I have been using Macs since the Mac IIx, and my first Mac laptop was the Powerbook 190.
The only reason that I have my Mid 2018 Macbook Pro, is that I bought it in Budapest after my previous machine died, and the reseller Apple store was the only one that stocked English keycaps for the keyboard (they did have to unbox and change the keycaps).
My technology choices are starting to feel frustratingly niche. I am using Apple over Linux because I tired of having to mess around with the systems constantly to get things working. ItJustWorks™ is a powerful driver.
If I'm being honest with myself, it's also a question of access to paid apps. If I list all the apps I use on a daily basis, a bunch of them are Mac only, and an even smaller set run on Linux (even if they have a Windows version as well).
The most obvious reason is that it would utterly destroy the Mac among influencer communities and developers.
But perhaps the most underrated reason is that Apple already has a managed computing platform in the iPad. Rather than the Mac becoming more locked down, I expect the iPad will become ever-more desktop-like and take over more and more market share from traditional computers.
I’d contend that an iMac-like desktop iPad is a more likely future product than a fully locked down Mac.
People have been repeating that for years, since the Mac App Store was announced. It’s not in Apple’s interest to do it. There is a ton of software, open source in particular, that Apple benefits tremendously by. It costs Apple nothing to maintain the status quo.
Going Mac App Store only would drive tons of developers off the platform and do absolutely nothing to increase sales on the Store anyway. It would be widely panned as a ham-fisted move.
The GNU/Linux developers that have been giving money to Apple for a shinny UNIX, might go to Windows with WSL, which I doubt unless we are speaking about the crowd that only cares about POSIX and keeps calling that "Linux".
The GNU/Linux developers that have been giving money to Apple for a shiny UNIX instead of sponsoring OEMs, now they finally learn how Apple has always been, including before the days of almost getting to close shop.
That crowd can turn on to their Pandora, GPX, Arduino, Raspberry, whatever SOC is going trendy.
As for Unreal I wish they learn their lesson, or be honest and create a lawsuit against Sony, Nintendo and Microsoft.
I think an argument can be construed that (one of) Apple's interests is to control what and how users can do on Apple devices. iOS-like lockdown seems entirely in line with that.
> Going Mac App Store only would drive tons of developers off the platform and do absolutely nothing to increase sales on the Store anyway.
And others would fill in the gap. The Store sales would inevitably have to go up – it would become the only way to get software on the device. Not like every user would immediately drop the Mac. I can imagine a non-trivial fraction of users wouldn't even notice that something has changed.
It wouldn't happen right next year, or in one go, but the more I think, the more I am growing convinced that it's sneaking up.
> It would be widely panned as a ham-fisted move.
If it doesn't affect the bottom line, it doesn't really matter. They got away with 4 years of perhaps the worst laptop keyboard of the decade; are getting away with inflicting the TouchBar price tag on tens of thousands of users(1), making devices unserviceable, and even with the matter in question.
Given Apple's size and user base, I'm afraid that outside of straight-up illegal activity, there's little Apple can't get away with. Especially if the janky move is factored into small, cruddy steps.
(1) I realize it's a lame point, but it annoys me personally
[$] for me
We need to nuke the Apple bullshit from MacOS Catalina and convert it into people’s operating system. Ethics be damned.
I see a lot of iCloud and Software update stuff in there.
Nothing malicious from first glance.
This is impossible to read on a phone.
This has the dual-benefit of protecting casual users, and allowing power-users flexibility with any binaries that aren't sandboxed. From what I understand of your example, you used the bundled python installation to make the connection, the python binary is not sandboxed and is not affected by AppProxyProvider. This will be the case with any other binaries as well -- ping, ssh, etc...
The relevant documentation is at: https://developer.apple.com/documentation/networkextension/a...
Specifically the section I've highlighted here: https://share.getcloudapp.com/Z4uyONmJ
You can install notarized software, though.
Why don't I just run a closed-source OS in a VM? They are fussy. Having some weird graphics tablet driver problem or something can really kill the creative connection between me and my work, and if I'm coming down to the wire on a deadline, it can cost me a contract.
What about tools that work natively on Linux? They generally just don't work for professional design use. Whenever I say that, a billion people always jump in and say "Gimp and VivaDesigner and Natron and XYZ and PDQ" work fine for me," and to my astonishment, they always seem surprised that the same just isn't true in most (any?) professional workflows. Sure, with varying amounts (usually non-trivial) of extra effort I can cobble together a disparate set of tools that might sometimes yield similar results to professional design programs, but it's going to take significantly more work to produce possibly lower-quality results, and that's just not an option for a pro. If you were hiring someone to craft the image of your company in a crowded, competitive marketplace, would you pay them more to take longer and potentially end up with a suboptimal product just because they were only using OSS to do it?
A software developer could feasibly use something like windows notepad or pine to achieve the same results as an IDE, or even a more powerful text editor like SublimeText. For many non-professionals, people just editing a config file, or people making the occasional shell script, it does work fine. Better even, considering that the extra baggage of complex tools would actually slow them down rather than speed them up.
get 2 machines then. Who says you need to have a single machine for everything? Get a Mac for your design work, treat it like an appliance, and use Linux for everything else on another machine. Problem solved.
People email you assets/images for use in your production work: are you going to get that on your 'designer' machine or on your Linux box? Most likely the latter, now you have to transfer it over to the 'work' box. Not technically difficult, but a definite speed-bump in your workflow. Awkward.
Your online document-sharing/demos (say Dropbox, whatever): is that from the work box? the utility box? both? Again, not technically a train-smash, but... awkward. A discontinuity that you'll have to deal with multiple times a day, a detour in your flow.
I can see why many would consider it too much of a hassle.
I am programming on Ubuntu (C#, PHP, Javascript) with Jetbrains software. This works absolutely great.
For 3D work I use Blender.
But for graphical work I agree that there are still alternatives missing.
Figma is a very good alternative for Sketch. Scribus is a good alternative for Indesign. Krita is very good for concept art. But that's about it.
Inscape is a good alternative for Illustrator, but only if you work in RGB.
Gimp can do what Photoshop can but it will take you 3 times as long.
But for me the trade-offs work. I want to own my computer so I choose to work in Gimp instead of Photoshop. I also started to design websites directly with CSS. And I switched from 3DsMax to Blender (which isn't a trade-off anymore).
The choice is yours.
https://www.photopea.com/
This time around I think that is possible, and economically solid, the move from Apple to ARM and closed walls of App Store to create conditions for real Linux Desktop Revolution.
As you can read in my comment I agree with you. For example working with text in Gimp is just horrible. And Inkscape is very good untill you need it for CMYK.
But this thread is about owning your PC. And then I think all those trade-offs can be overcome. Sometimes this means thinking in other directions. For example the choice to design in CSS instead of Photoshop.
I don't think you can say: 'I cannot get away from Apple'.
But you can say: 'I choose to stay at Apple because I think it is more convenient'.
The choice is yours.
Jokes aside you don't have to do it if you're scared, and if you want to try you can always switch back and forth between machines / OSs so you use the most suited environment according to the limits of context and the job you need to do.
Much like you can aim at 0% environment pollution by gradually removing excess stuff instead of going full off the grid, you don't have to do a radical move. Use the tools you need for the job, aiming at result production while keeping a liquid approach.
Depending on your skills, willpower, effort, and willingness to abandon uninventive corporations you can be faster and more efficient. You're just not feeling comfortable investing time and effort, which is a sacred choice.
Please consider that things have changed since 2019, VMs support of tablets and color grading tools are a breeze and using tools that your competitors are scared to use will make you innovative. Godspeed~