MacOS Catalina: Slow by Design?


2030 points | by jrk 10 days ago


  • usmannk 10 days ago

    It seems like there is a lot of confusion here as to whether this is real or not. I've been able to confirm the behavior in the post by:

    - Using a new, random executable. Even echo $rand_int will work. Edit: What I mean here is generate your rand int beforehand and statically include it in your script.

    - Using a fresh filename too. Just throw a rand int at the end there. e.g. /tmp/

    I MITMd myself while recording the network traffic and, sure enough, there is a request to with a hash in the URL path and a bunch of binary data in the response body. Unsure what it is yet but the URL suggests it is generating a cert for the binary and checking it. See:

    Here's the URL I saw:

    Edit2: Anyone know what this hash format is? It's not quite base64, nor is it multiple base64 strings separated with '+'s but it seems similar...

    Edit3: Here is the exact filename and file I used:

    Edit4 (final one probably...): On subsequent attempts I'm only seeing a request to and not the OCSP one anymore. Curiously, there's no headers at all. It is just checking for connectivity.

    • varenc 10 days ago

      Here's some shell script to use a random file name and have friendlier output.

        RAND_FILE="/tmp/hello_$RANDOM"  # assumed: a fresh, random file name for each run
        time_helper() { /usr/bin/time "$RAND_FILE" 2>&1 | tail -1 | awk '{print $1}'; }  # this just returns the real run time
        echo $'#!/bin/sh\necho Hello' $RANDOM > "$RAND_FILE" && chmod a+x "$RAND_FILE";
        echo "Testing $RAND_FILE";
        echo "execution time #1: $(time_helper) seconds";
        echo "execution time #2: $(time_helper) seconds";

      Introducing a network delay makes the effect much more obvious. Normally I see a delay of about 0.1 seconds, but after using the Xcode network link conditioner (pf rules) to add 500ms latency to everything the delay shoots way up to ~2 seconds.

      example output:

        Testing /tmp/
        execution time #1: 2.32 seconds
        execution time #2: 0.00 seconds

      with developer tools checked both executions report "0.0 seconds".
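      A small harness for the same experiment, added here as an example (not code from varenc or anyone else in the thread): it generates a script whose file name and body both carry a fresh random nonce, so path and content hash are new every trial, times a first and a second direct execution, and applies a simple first-run-penalty verdict whose thresholds are my own assumption.

```python
"""Time the first and second execution of never-before-seen scripts.

Added example, not code from the thread. Each trial writes a script whose
name AND contents contain a fresh random nonce, so both the path and the
content hash are new, which the comments above say is needed to trigger
the check. Run it from a terminal with and without the "Developer Tools"
permission and compare the medians. On a system without the check both
numbers are simply close to zero.
"""
import hashlib
import os
import secrets
import statistics
import subprocess
import tempfile
import time


def make_fresh_script(directory):
    """Write an executable sh script with a unique name and unique body."""
    nonce = secrets.token_hex(8)
    path = os.path.join(directory, f"fresh_{nonce}.sh")
    with open(path, "w") as fh:
        # The nonce in the body makes the content hash unique per trial.
        fh.write(f"#!/bin/sh\necho Hello {nonce}\n")
    os.chmod(path, 0o755)
    return path


def sha256_of(path):
    """Hex SHA-256 of the file, to confirm each trial really is a new hash."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def time_exec(path):
    """Wall-clock seconds for one direct execution of the script."""
    start = time.perf_counter()
    subprocess.run([path], stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL, check=True)
    return time.perf_counter() - start


def run_trials(trials=3, directory=None):
    """Time the first and second execution of `trials` fresh scripts.

    Returns per-trial first/second timings, their medians, and the SHA-256
    of every script that was run. Scripts are left in `directory` (a fresh
    temp dir by default) so they can be inspected afterwards.
    """
    if trials < 1:
        raise ValueError("need at least one trial")
    workdir = directory or tempfile.mkdtemp(prefix="fresh-exec-")
    first, second, hashes = [], [], []
    for _ in range(trials):
        path = make_fresh_script(workdir)
        hashes.append(sha256_of(path))
        first.append(time_exec(path))   # never seen before: may wait on the network
        second.append(time_exec(path))  # same file again: should be fast
    return {
        "first": first,
        "second": second,
        "median_first": statistics.median(first),
        "median_second": statistics.median(second),
        "hashes": hashes,
    }


def looks_like_first_run_penalty(first, second, factor=5.0, floor=0.05):
    """Heuristic verdict (thresholds are an assumption, not from the thread):
    the first run takes at least `floor` seconds and is at least `factor`
    times slower than the rerun. 2.32 s vs 0.00 s trips it; 0.0/0.0 and
    0.1/0.09 do not."""
    return first >= floor and first >= factor * max(second, 1e-9)


if __name__ == "__main__":
    report = run_trials()
    rows = zip(report["hashes"], report["first"], report["second"])
    for i, (digest, a, b) in enumerate(rows, 1):
        print(f"trial {i} sha256={digest[:12]}... first={a:.3f}s second={b:.3f}s")
    verdict = looks_like_first_run_penalty(report["median_first"],
                                           report["median_second"])
    print(f"first-run penalty detected: {verdict}")
```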
      • varenc 10 days ago

        I tried just blocking "" with /etc/hosts. This reduces the delay but doesn't eliminate it. A connection attempt is still made every time. (I don't recommend making this change permanent. Just give your terminal app the "Developers Tools" permission instead)

        After blocking that domain I can see that tccd and syspolicyd are logging some error messages to the console related to the failed connection. I don't recommend blocking because my guess is that'll put syspolicyd/tccd in some unexpected state and they'll repeatedly keep trying to make requests.

        Try this for watching security related console log messages:

          sudo log stream --debug --info --predicate "processImagePath contains 'tccd' OR processImagePath contains 'syspolicyd' OR processImagePath Contains[c] 'taskgated' OR processImagePath contains 'trustd' OR eventMessage Contains[c] 'malware' OR senderImagePath Contains[c] 'security' "

        syspolicyd explicitly logs when it makes the network request.

          syspolicyd: cloudkit record fetch:, 2/2/23de35......

        (you need to enable private logging to see that url)
        • saagarjha 10 days ago

          Enabling private logging is fairly annoying these days, unfortunately. (Interestingly, if macOS thinks you're AppleInternal, it will make it just as annoying to disable private logging…)

          • varenc 10 days ago

            Wait a sec... I recognize that name. I only know how to enable private logging thanks to your detailed and informative blog post! Seriously, it's one of my favorite macOS things I've read in a while. I loved the step-by-step walkthrough using gdb you showed.

            Though just today I saw that apparently an enterprise policy config can enable private logging in 10.15.3+ without having to disable SIP.

            For reference for others: this is the blog post by OP on enabling private logging in Catalina. check it out!

            • saagarjha 9 days ago

              I’m glad you appreciated it, but I think it also happened to be some of the fastest-to-deteriorate advice I’ve given :) I should go back and revisit this, as on my system I have it currently stuck in a state where it unconditionally enables private data logging at boot (which means my crash logs have personal information in them unless I remember to turn it off with the workaround I’ve been using until now…)

        • krferriter 10 days ago

          Huh this is crazy. 2 seconds is way slow and this shouldn't involve any network activity. Seems like a real problem.

          • Erlich_Bachman 10 days ago

            He/she added an artificial network latency/delay into the config, just like they describe. That is the reason for the delay. It is made artificially long on purpose.

            • maremp 10 days ago

              It’s not an unreasonable delay on a slow 3g hotspot. It’s problematic to have the performance tied to the network speed and suffer an overall slow performance because your network happens to be slow.

              • Erlich_Bachman 10 days ago

                Have I written anything that contradicts that? I simply pointed out that in the example the delay was artificial, and it was definitely due to the network, not due to something other than the network, as the comment suggested.

        • rurban 10 days ago

          It's called lockdown for a reason. Apple was just the very first to implement centralized binary blacklisting, revocation. They call it notarization.

          The problem is that they did it unannounced. There must be really some weird stuff going on in those managers' heads. How can they possibly think to go away with that?

          • dagmx 10 days ago

            There were announcements about notarization around WWDC last year. They didn't seem to get a lot of media traction, however, but there were specific pages detailing what's required from a developer and some basic details on how it would work.

            From April 10, 2019:


            • rurban 10 days ago

              For each and every shell or perl script that I create and use privately? No, certainly not.

            • john_alan 10 days ago

              Command line apps aren't affected by Notarization.

              If you're compiling something yourself, the compiler won't put a quarantine bit on it and it will execute fine. Same with homebrew/friends.

              Scripts don't need to be signed. There is something else going on here.

              • john_alan 10 days ago

                Seems that in fact even though scripts aren't signed, IF YOU DON'T have devTooling enabled for a given terminal, scripts are hashed and checked against bad known digests.

                not a big deal, assuming no data is kept.

                Also I wonder what it looks like if a script is deemed bad...

              • kevinh456 10 days ago

                There was nothing "unannounced" about it. Notarization was introduced at WWDC 2018 and announced as required at WWDC 2019. Every macOS developer should have been aware of this requirement. It was a special project for my apps.

                • ghayes 10 days ago

                  I believe the concern here is that this is affecting not just macOS developers, but all developers who use macOS. That's an important distinction.

                  • pjmlp 10 days ago

                    Developers who use macOS as a shiny GNU/Linux replacement are only getting what they deserve; they should have supported Linux OEMs to start with.

                    Those that show up at FOSDEM, carrying their beloved macBooks and iPads while pretending to be into FOSS.

                    I use Apple devices knowing what they are for, not as a replacement for something else.

                    • nottorp 10 days ago

                      Sadly it's not the "shiny"... it's the fact that Mac OS has a GUI that works.

                      Been using Linux since the days you installed Slackware from floppies and recompiled your kernel to get drivers. The command line has always been bliss, but no one has managed to come up with a usable and consistent GUI yet.

                      Btw does sleep work on linux laptops these days? How's hi dpi support?

                      • green7ea 9 days ago

                        Sleep has been working on my last ~10 laptops and desktops, it's a non-issue at this point unless you have brand new exotic hardware. I did have a motherboard issue on a first-gen Ryzen that required a bios update to get it working.

                        hi-dpi works very nicely if you use GTK or Qt. For the other apps, it really depends how they are implemented. For me it has been working better than Windows.

                        These are strawman arguments. Give Ubuntu 20.04 a try and you'll see stuff pretty much just works on any common hardware. You can even use Slackware and get everything working with a bit of fiddling.

                        MacOS is a very nice OS but it isn't FOSS and it isn't more capable at this point, it's just a personal preference. Pretending otherwise is disingenuous.

                        • moe 9 days ago

                          > you'll see stuff pretty much just works

                          The problem is the "pretty much" part.

                          We all know what that means in practice. That's why OSX is popular.

                          • fxtentacle 9 days ago

                            I switched my AI workstation to Ubuntu 20 last week, and the experience was fast and great. I can now run docker containers with cuda, use PyCharm to coordinate everything and have code completion as if the code was local, even if it's executing on a docker worker node in our data center.

                            200% scaling on my 4K screen looks great, wifi, network, sleep, gpu all worked out of the box. And the IDE behaves exactly like on OS X.

                            The only thing I disliked was the default Ubuntu color scheme, but that was easy enough to change.

                            • happymellon 8 days ago

                              Then you cannot possibly have used macOS. There are plenty of flaky edges that actually don't work very well.

                              Fucking multiple desktop shit.

                              My MacBook Pro can't even remember the order of my monitors when it goes to sleep, or between reboots. Even Linux can do that.

                              • bwat49 7 days ago

                                OSX can only guarantee that everything works because apple controls both the hardware and software.

                                Windows can only guarantee that everything works because they have a monopoly and therefore hardware vendors have to support windows.

                                Most laptops don't ship with linux/are never tested with linux, so it's never going to work flawlessly on all possible hardware configurations. It's just not possible.

                                It does however, 'pretty much' work on most hardware.

                                And if you buy a machine from a vendor that actually supports/pre-installs/tests linux, all of the hardware will work out of the box.

                                • runjake 6 days ago

                                  It's that "pretty much" that's the debate.

                                  I recently switched from macOS to Ubuntu 19.10 and then 20.04 as my daily driver and it's way flakier and has far more random app crashes than macOS.

                                  That said, the system is fast, the UX is way further along than I expected -- in some ways it's got a better UX than macOS. It's way, way faster at nearly everything.

                                  • bwat49 6 days ago

                                    my point is that if you want to do better than 'pretty much', you should buy a machine from an OEM that actually supports linux

                                    If you're installing it on a random windows laptop, you're never going to get better than 'pretty much', because the OEM doesn't support linux or test their hardware with linux.

                              • happymellon 8 days ago

                                Sway does HiDpi nicely as well, so you don't even have to use the Gnome/KDE pair.

                              • stilley2 9 days ago

                                When was the last time you gave KDE a try? I just switched from using a tiling window manager and was impressed by how much stuff "just works" and the degree of customizability.

                                • konart 9 days ago

                                  >the degree of customizability.

                                  That's part of the problem. Customizability is good, but in return you get inconsistency that you can't fix. And even if all system default apps look the same (they still look horrible in my opinion), 90% of 3rd party apps look and feel different. You can hardly name a Linux (Qt or GTK) app that can be called elegant or at least thought through (UI-wise). Almost all applications still look like they were built to be used on some factory terminal.

                                  • nottorp 9 days ago

                                    Last time I used KDE for a significant amount of time, something was distracting. Then I realized what it was: the "system tray" icons were erasing themselves and then got redrawn one by one and readjusted their position with each redraw. Distracting as hell when you're trying to concentrate on the code in a nearby window.

                                    Mind, that was in 2013, and hopefully KDE has improved since then. Perhaps it has even reached the level KDE 3 was at? It's been downhill from there.

                                    Btw, I switched to Macs from running Linux with KDE as my desktop of choice full time.

                                  • Filligree 9 days ago

                                    Sleep usually works, assuming you get a laptop that's known to work with Linux. The Arch wiki is good for this.

                                    HiDPI is hit and miss. Some applications work, some (especially Java) break badly. Expect to need manual, fragile configuration. You also cannot set scaling per-screen, so you're SOL if you have heterogeneous monitors.

                                    Personally I use Windows. I check back in Linux every few months, but WSL seems to be improving far faster than native Linux is, so there's not much reason to use it anymore.

                                    Even once HiDPI works, assuming that happens, by that point I'll have HDR and VRR as requirements... and I have no confidence that those will work anytime soon.

                                    • cutemonster 9 days ago

                                      Sleep works fine, since many years, but the Hibernate button should get renamed to "Crash now please and Again on the next restart"

                                      • IshKebab 9 days ago

                                        Some people at my work use Linux laptops. Judging by the Linux Slack channel, no, sleep doesn't work reliably yet, external monitor support is terrible and touchpads still suck. No idea about HiDPI but I doubt it works reliably.

                                        Whenever you bring anything like this up though you'll just get a load of "When was the last time you tried it? It works perfectly for me" replies. Linux users don't want to admit its flaws.

                                        • brmgb 8 days ago

                                          It's pretty difficult to acknowledge a supposed flaw pointed out by a guy who knows a guy who uses Linux when you have never had it yourself.

                                          I used Linux at work for years. Sleep just works, external monitor also just works. HiDPI was rough at the start but works fine now.

                                          Touchpads do kind of suck. I generally really dislike the default mouse acceleration. Font rendering is still so-so if you don't have a HiDPI screen and the most popular desktop environments are still kind of terrible.

                                          But sleep definitely does work.

                                          • bwat49 7 days ago

                                            > Whenever you bring anything like this up though you'll just get a load of "When was the last time you tried it? It works perfectly for me" replies. Linux users don't want to admit its flaws.

                                            Are you implying that those users are lying?

                                            I'm sure sleep does work reliably for them.

                                            'Does sleep work on linux' is a fallacious question to begin with, because sleep working/not working depends on the hardware.

                                            On some configurations it works flawlessly, on others it doesn't. Therefore you will always have some people saying it works, and others saying it doesn't. FWIW, my current laptop is a machine that ships with linux (system76 darter pro) and sleep works 100% reliably.

                                            In my experience, when sleep doesn't work reliably, it's usually due to buggy firmware behaviour because most vendors don't care about supporting anything other than windows.

                                            Along those lines, since most OEMs don't ship/test linux, it's simply not possible for every single hardware configuration to work flawlessly with linux.

                                          • vetinari 9 days ago

                                            You know, many things changed since the time Slackware was installed from floppies. Even Macs got working virtual memory meanwhile.

                                            • pjmlp 9 days ago

                                              It is hard to improve things when everyone is on other platforms.

                                              I am mostly on Windows devices, and use a GNU/Linux aging netbook for travelling.

                                              In what concerns this Asus 1215B, everything works, with the exception that the open source AMD drivers were a downgrade from the binary blobs (OpenGL 4.1 => OpenGL 3.3 without video hardware decoding).

                                              However I still kept it around, because although I don't target GNU/Linux as part of my work, I wanted to give Asus the message that selling GNU/Linux laptops might be a relevant business.

                                              Eventually when it dies, I will be Windows/Android and occasionally macOS only user/developer, but I am not using any of these platforms to emulate GNU/Linux, I use them for their own value.

                                              • vinceguidry 9 days ago

                                                If you want a good experience with Linux on an ultra book, you need to buy hardware designed for Linux. System76 or Purism are my recommendations. I don’t trust Dell.

                                                • phatfish 8 days ago

                                                  This is the only way to do it.

                                                  The kernel devs or distros can't possibly support every hardware combination and BIOS bug for each hardware manufacturer.

                                                  For Windows the hardware manufacturers have a reason to make the drivers bug-free; it's where they make most of their money, and Microsoft has the capacity to help them get it fixed if needed.

                                                  This doesn't exist for Linux unfortunately, unless you buy a laptop where Linux is fully supported (and you use the supported distro and kernel version most likely).

                                                  I have to say the main culprit for issues is usually power saving. I assume that's because ACPI is often badly implemented and power saving requires a lot of separate components to function together, to specification. Likely one doesn't, and the laptop comes out of sleep with the touchpad not working, or something worse.

                                                • komali2 9 days ago

                                                  > Btw does sleep work on linux laptops these days? How's hi dpi support?

                                                  Both work out of the box with Ubuntu 18.04 running Gnome on a Thinkpad x1 carbon.

                                                  But having to flip a few switches is a funny excuse to handcuff yourself to OSX and the hardware required to run it.

                                                • fluffything 10 days ago

                                                  I've partially switched from MacOS X to Linux now that wayland pipewire is reaching a mostly functional state and am quite happy with it.

                                                  It took me maybe 150 hours to do the switch though during quarantine, and I still haven't managed to be able to properly connect to SMB at work...

                                                  • vetinari 9 days ago

                                                    What problem do you have connecting to SMB?

                                                    It's one of the things that work better for me on Linux than on MacOS (no problem with browsing shares, no disappearing shares, no problem with non-normalized unicode filenames).

                                                    • fluffything 8 days ago

                                                      It just doesn't connect / mount at all. Last time I tried to debug it, this was caused by a too-old Samba protocol version being used on the Windows side.

                                                      On MacOSX, I just click on connect to server, and it works for me "as is".

                                                      • vetinari 8 days ago

                                                        On MacOS, I get randomly appearing and disappearing servers in the sidebar (they disappear usually when I need them) and "cannot be opened because the original item cannot be found" for already mounted shares. It also keeps a permanently mounted "photos" share on my home NAS and bad things happen when I try force unmounting it (but if it disappears because I'm not connected to my home network, that's ok for some reason). This got especially bad in Mojave and Catalina; there was a period of time (10.15.0 - 10.15.2) when I had to restart Finder if I wanted to mount a share that was previously unmounted.

                                                        That never happened with Linux. What did happen was that there was a period of time on some distributions (circa Fedora 28-30?) when SMB1 discovery didn't work because SMB1 was disabled entirely. This was a security mitigation (EternalBlue/WannaCry/NotPetya) and Microsoft is doing the same in Windows 2016/2019/10 [1][2]. In general, using SMB2/3 is a good idea anyway; Linux distributions/Samba eventually enabled SMB1 only for client-side discovery, and you can still enable all of SMB1 if you need it for some reason - do you still have Windows 2003 someplace?

                                                        [1] [2]

                                                        • bwat49 7 days ago

                                                          > Last time I tried to debug it, this was caused due to a too old samba protocol version being used on the Windows side

                                                          IIRC, the only SMB version that would be considered too old is SMBv1 (which I'd hope they are not using on the Windows side... it's quite insecure and is deprecated by Microsoft).

                                                      • uep 9 days ago

                                                        I'm on Linux now, very interested in using Wayland+Pipewire, but still stuck on Xorg. What distro are you using?

                                                        I was considering building a Wayland/Pipewire Desktop software stack from scratch since my distro doesn't support them yet. I have become partial to experimenting with new software this way because it allows me to switch back to my known-good distro software without rebooting (most things I care about preserving the state of exist in the console anyway).

                                                        If it is relatively supported in a specific distro, I'm sort of interested in trying it.

                                                    • saagarjha 10 days ago

                                                      What if using macOS enables me to be a more effective FOSS contributor? What if I think that FOSDEM actually has many participants who aren't really into free software?

                                                      • pjmlp 10 days ago

                                                        Then they are on the wrong spot to start with, and really didn't get the message what FOSDEM is all about.

                                                        It is a bit hard to be an aspiring FOSS contributor given the foundations those contributions are built upon.

                                                        Those same Apple-loving users would be laughed at if they demoed any of their stuff on Windows at FOSDEM instead.

                                                        Yet, there is hardly any difference between those corporations going all the way back to their origins.

                                                        Somehow after NeXTSTEP's adoption as OS X, NeXT and Apple's proprietary behaviour was forgotten and everything excused, because "hey they are shipping a UNIX clone"!

                                                        • Yetanfou 10 days ago

                                                          > What if using macOS enables me to be a more effective FOSS contributor?

                                                          How would that work? When you build a house on rented ground the house may seem to be yours but it can always be taken away from you.

                                                          • saagarjha 10 days ago

                                                            I’m familiar with macOS and contribute to a number of FOSS projects from it. I’m less productive on other platforms.

                                                            • Yetanfou 10 days ago

                                                              In that case you'd do both yourself and those who depend on you for your contributions a favour by taking some of that time to get acquainted with alternative platforms seeing as how Apple seems to be on a course which will make it harder and harder to use their platform for this purpose. Like the Boy Scouts (used to) say, "Be Prepared!". Install a (few) Linux/BSD distribution(s) in a VM and try using those for a while to get a feel of the platform and its strengths/weaknesses so you have somewhere to land when the time comes.

                                                              • saagarjha 9 days ago

                                                                I do use Linux for some of my work, especially when I’m working with ELF binaries. Just not as comfortable with it.

                                                            • ecnahc515 8 days ago

                                                              Your analogy isn't the best. This is like someone renting construction equipment to build a house on land they own, and finding out that the construction equipment phones home to the owners about how it's being used.

                                                      • make3 9 days ago

                                                        developer who uses MacOS != MacOS developer. I couldn't care less about what is announced at WWDC

                                                      • la_oveja 10 days ago

                                                        First? Windows SmartScreen has checked for malicious binaries since Windows 8.

                                                        • yariik 9 days ago

                                                          > Problem is, that they did it unannounced.

                                                          No, the entire thing is the problem. Windows 10 can still open applications that were compiled in 1994, and it doesn't make it less secure.

                                                          • m463 10 days ago

                                                            Once you start something, it's hard to stop it.

                                                            Every software place I've worked gives a special urgency to security stuff.

                                                            And even if features don't come out regularly, security updates do. This is more of that.

                                                            • jules 10 days ago

                                                              Isn't this what bloom filters are for?

                                                              • ComodoHacker 10 days ago

                                                                >Apple was just the very first to implement centralized binary blacklisting

                                                                No, AV vendors did it for decades. In a more efficient way though.

                                                                • andy_ppp 10 days ago

                                                                  Not sure it’s more efficient given how sluggish most AV software used to make my machine...

                                                            • kccqzy 10 days ago

                                                              OCSP is Online Certificate Status Protocol, generally used for checking the revocation status of certificates. You used to be able to turn it off in keychain access, but that ability went away in recent macOS releases.

                                                              • VonGuard 10 days ago

                                                                Ah, Apple. When you can no longer innovate, just start removing features and call it simplicity...

                                                                • throwaway851 10 days ago

                                                                  Another way to look at it is that Apple is making it harder to run the system in an insecure fashion. You may not agree with that decision, but I certainly appreciate how Apple is looking out for the safety and security of the user.

                                                                  Tangent: as much as some developers hate that the only way to distribute apps for the iPhone is through the App Store, as a user I consider that walled garden of apps to be a real security benefit. When John Gruber says “If you must use Zoom or simply want to use it, I highly recommend using it on your iPad and iPhone only. The iOS version is sandboxed and reviewed by the App Store.” There’s a reason why he can say things like that and it’s because Apple draws a hard line in the sand that not everyone will be happy with.

                                                                  • userbinator 10 days ago

                                                                    > Another way to look at it is that Apple is making it harder to run the system in an insecure fashion. You may not agree with that decision, but I certainly appreciate how Apple is looking out for the safety and security of the user.

                                                                    "Those who give up freedom for security deserve neither."

                                                                    (Yes, I know the original intent was slightly different, but that old saying has gotten a lot more vivid recently, as companies are increasingly using the excuse of security to further their own interests and control over their users.)

                                                                    The ability to control exactly what millions of people can or cannot run on "their" computers is an authoritarian wet dream. People may think Apple's interests align with theirs --- but that is not a certainty. How many times have you been stopped from doing what you wanted to because of Apple? It might not be a lot so far, but can you break free from that relationship when/if it does turn against you?

                                                                    • roenxi 10 days ago

                                                                      The quote isn't at all relevant to technical decisions though. E.g., there is enforcement that a program can't arbitrarily access any RAM it likes on the same machine. That is trading freedom for security and it is a good trade. And there isn't really an argument against gatekeeping software - users as a body don't have time to verify that the software they use is secure. I'd be shocked if the median web developer even reads up on all the CVEs for their preferred libraries. Gatekeepers are an overwhelmingly good idea for typical don't-care everyday users.

                                                                      The issue is if it becomes practically impossible to move away from Apple to an alternative. Given that they have a pretty typical market share in absolute terms that doesn't seem like a risk right now. They don't even hold an absolute majority in what I assume is their strongest market, the US, let alone globally.

                                                                      • Wowfunhappy 10 days ago

                                                                        Of course it's relevant! Software is a form of expression. Apple controls what types of expression are allowed on your phone.

                                                                        A developer made a game depicting bad practices at FoxConn. Apple removed it for "Objectionable Content"[1]. How is this inherently different from Apple saying you can't use your iPhone to read a certain book?

                                                                        Apple's restrictions also make it easy for authoritarian governments to ban software they dislike:


                                                                        • roenxi 10 days ago

                                                                          It is identical, and if I considered my phone to be primarily a research platform I'd be really upset. I got really upset with YouTube mucking around curating what videos they allow on their platform because I want to choose my own videos.

                                                                          But ultimately I own an iPhone because I need a GPS map, SIM card and web browser on the go. Apple doesn't exercise any creative control over those things. Apart from that they explicitly sell a highly curated platform. I expect them to make decisions I don't agree with; that is what curators do. That is the service they sell so I'm not going to complain.

                                                                          If someone used that walled garden approach on my PC I'd be furious. On my phone, I give them hundreds of dollars for the privilege. If I were going to get upset about freedom and phones, which is reasonable, I have a loooong list of problems before I get to Apple's security model - starting with government interception of messages and moving down to having my name attached to my SIM card. Apple's activities don't really rate, and they have better incentives than Google.

                                                                          PS. I'm not arguing against phones being scary. Look at the COVID tracking apps that some companies and governments are bringing out that might become mandatory one day. Or the way the US is known to use phone GPS to target drone strikes. Phones are terrifying. Apple's curating/censorship/what have you really doesn't rate on my threat model when dealing with a phone.

                                                                          • userbinator 10 days ago

                                                                            > If someone used that walled garden approach on my PC I'd be furious.

                                                                            As this article shows, Apple is slowly moving in that direction for their PCs. They aren't going to be satisfied with locking down their phones only.

                                                                            • kiawe_fire 9 days ago

                                                                              Are they really moving in that direction, though?

                                                                              An App Store from which you can download software with confidence is a pretty sensible first step for most users.

                                                                              Complementing that with a Notarization service for apps that can't live in the App Store, while still giving both users and developers confidence that the user is installing the "real" app, and not something malicious, seems like a pretty sensible way to protect most users outside the App Store.

                                                                              And if all else fails, there are ways to allow running that un-Notarized, non-App Store app that you're sure you trust.

                                                                              None of that seems like something that inherently means to take away your ability to run what you want on your PC, it just sounds like a common sense approach to giving your users confidence in what they run, and guiding them to do so safely by default, while allowing overrides as needed.

                                                                              Are these ALSO things that Apple could use to lock down your PC completely?

                                                                              Sure... but then, why bother with any of it if that was the intent?

                                                                              They already have Mac App Store, and they already have the infrastructure to deal with a "whitelist only" approach, so why bother with this Notarization and Gatekeeper stuff at all?

                                                                              Don't get me wrong, there's plenty of room to criticize Apple for their implementation. They are clearly figuring out some of this as they go, and trying to find a proper balance. That isn't easy, despite how many people make it out like it is.

                                                                              Give the average user too many prompts or chances to override security, and they will do that, every time, without thinking it through.

                                                                              On the other hand, bury the overrides too deeply, and risk making things miserable for the developers and power users who need to use your platform freely.

                                                                              So far, I see only evidence that Apple is trying to find that balance, but no evidence that they intend to lock the entire platform down entirely.

                                                                              Are they doing it perfectly? Clearly not. But I think if we're being honest, no other platform has either. I appreciate Apple's approach the most so far, but time will tell if they are able to figure this balance out or if another platform will at some point.

                                                                              • vetinari 9 days ago

                                                                                > They already have Mac App Store, and they already have the infrastructure to deal with a "whitelist only" approach, so why bother with this Notarization and Gatekeeper stuff at all?

                                                                                Change management. For the same reason why Ebay had to backtrack changing their background color and do it again, slowly.

                                                                                • kiawe_fire 8 days ago

                                                                                  That's certainly possible.

                                                                                  But as someone who has been using Macs on and off for about 10 years now, I've heard people shout that Apple was locking down Macs from the moment the App Store was created on iOS (and long before it came to MacOS). So far, that hasn't happened.

                                                                                  Is it possible this is the next step in a 10+ year plan to "boil the frog slowly"? Of course! Not sure how they would accomplish this without also losing the developers they need to continue making both MacOS and iOS viable platforms for users, but I guess if they just don't care and want to lock everything down, this could certainly be one more step towards their long term nefarious goal.

                                                                                  But it also still seems like a reasonable step towards making their platform more trusted and secure for the average user while continuing to give devs and power users control.

                                                                                  So far, I see no evidence for the former, and enough evidence for the latter, that I'm not too worried.

                                                                            • davrosthedalek 10 days ago

                                                                              Last time I checked, they force you to use the Safari engine for your web browser on iOS. Also, having a curated app store doesn't mean they have to disallow any other means of installing software. It's even ok if they say: you installed other software, no support for you. But making it not possible is a money grab.

                                                                            • pjmlp 10 days ago

                                                                              Not at all, you are always free to buy computers, phones and tablets from other vendors.

                                                                              Don't go buy Apple and then cry in the corner that you aren't getting the right set of toys to play with.

                                                                              I use Apple devices and fully support not having random apps uploading my stuff into the world.

                                                                              • pinopinopino 10 days ago

                                                                                Sure, you can buy whatever you want, you aren't living in a dictatorial country. Sadly enough, most people can't say this. Therefore it is important for you to fight decisions like this. If something doesn't exist, it cannot be abused by some regime.

                                                                                I am going to say something very cynical now, if the reader doesn't like that, he should tune out now. But I guess Apple can't wait to have that special China deal. ^_^

                                                                                • pjmlp 10 days ago

                                                                                  Except Apple isn't a dictatorial country, and there are other computer vendors to choose from.

                                                                                  Apple isn't the Mafia, making personal visits while giving advice to buy Apple computers, otherwise accidents do happen.

                                                                                  Buying an Apple computer is a conscious decision.

                                                                                  I love how many around here make their decisions, and then feel entitled to complain and point the finger at big corporations, as if these corporations are the only ones to blame and these poor souls were misled.

                                                                                  • pinopinopino 10 days ago

                                                                                    Multinationals are not countries, but they are operating in multiple countries and their actions can have influence on the people in those countries. If Apple makes it possible to stop certain software from being installed then China can abuse the mechanism.

                                                                                    And I am entitled to complain about big corporations. That is the beauty if you live in a free country, and even if it wasn't free to complain about them, I still would do it.

                                                                                    I rather see them all burn today than tomorrow.

                                                                                    • pg-gadfly 10 days ago

                                                                                      Buying a house and suddenly getting your water cut off because the county "doesn't feel like it" is also similarly a "conscious" decision, and similarly bites you only a time after you bought something.

                                                                                      You might say that's illegal, and I'd recommend thinking about why that has become the way it is. Things are deemed important to everyday life, and suddenly they aren't free game.

                                                                                      • pjmlp 10 days ago

                                                                                        Which fails again as an example, because legally it is not the same thing.

                                                                                        • pg-gadfly 10 days ago

                                                                                          It's can vs. can't, which is perfectly comparable; in both cases you can't know what you get until afterwards, which is not acceptable. When the freedom to use your own devices is in question, it needs to be addressed.

                                                                                          Shifting the blame onto the victims by saying they should have known the county can do that is just sheltering yourself from the uncomfortable truth.

                                                                                          I don't want to feel like I'm being taken advantage of either, believe me. It's just better to fight back than let it roll over you.

                                                                                  • userbinator 9 days ago

                                                                                    When they force their proprietary standards on everyone else...

                                                                              • ecnahc515 8 days ago

                                                                                I agree. I'd take your point on gatekeepers being a good idea further.

                                                                                Gatekeepers are a good idea for even experts. There's a reason it's still in your best interest to use battle tested crypto libraries instead of writing your own, even if you're a security expert. The reason stands that it's possible for experts to make mistakes, which is why auditing is so important.

                                                                                Now for this to hold, we need to assume Apple has done a good job with their notarization system, and that it's regularly audited to ensure it's not causing too many issues.

                                                                                In this case, I trust Apple isn't doing these things to make developers' lives harder. They're doing it because it's incredibly difficult to make something both ergonomic for experts (developers) and secure/safe for non-experts (average end-users), and they would rather ship something less-than-perfect for developers if it's going to help non-developers.

                                                                              • kevinh456 10 days ago

                                                                                So keep a Linux box if you want. Don't shit on people for using a mac.

                                                                                I can use macOS, Windows 10, and any Linux distribution I want without having to pick one. That's freedom. I have choices. I choose all of the above in my personal setup. I'll fight to keep my free software but, at the same time, you can pry Logic on the Mac from my cold dead hands. I've been using it for 15 years and I am not going to stop now. Use the best/preferred tool for the job you have to do.

                                                                                • VonGuard 9 days ago

                                                                                  I expelled Apple from my life 5 years ago and couldn't be happier. Before that, I'd been using their stuff for longer than you. I was quite close to the company for a time, covering them as a journalist full time. I have 3 Linux boxes and a Windows box. I shit on Apple from great height. Their entire ethos has been lost, and they don't make anything easier. My folks continue to use them, and my father's business life has been nearly ruined by their CONSTANT updating of the OS and ending of support. He's almost 80, he's not going to learn anything new, but he hit one button accidentally when it prompted him, and now he's been updated to god knows what newer-yet-still-unsupported version of their OS and his email client stopped working and his legitimately paid-for iTunes music stopped working. Apple has not only contempt for its users, it has contempt for its developers and fans. It treats them all like morons.

                                                                                  I thought this was computing for the masses.

                                                                                • austincheney 10 days ago

                                                                                  The original quote from Franklin was about liberty, not freedom. A subtle but vitally important distinction, as freedom requires security where liberty does not. If you sacrifice freedom for security you still at least have security, as in a despotism, but if you sacrifice security for freedom you have neither. Conversely, if you sacrifice liberty for security you have less liberty without any increase in security, just resulting in a net loss.

                                                                                  • austincheney 9 days ago

                                                                                    This is perhaps, strangely enough, the most contentious comment I have placed on HN. Last night when the comment was fresh it was quickly upvoted at least 7 times. This morning I awoke to the comment downvoted back to its original 1 karma. I am unclear as to how this comment is so polarized.

                                                                                    Here is the Franklin quote (I encourage you to read the whole article):

                                                                                    • yesenadam 9 days ago

                                                                                      I always thought the two words are synonyms. (That belief somehow survived decades of philosophical reading, media, and more than a few moral/political philosophy courses.) Here in Australia, liberty sounds like a USA word. We talk of civil liberties etc, but not liberty on its own like that. That sounds 18th C and/or estadounidense.

                                                                                      Your distinction sounds like (what I learnt as) Berlin's negative and positive liberty:

                                                                                      "Negative liberty is the absence of obstacles, barriers or constraints. One has negative liberty to the extent that actions are available to one in this negative sense. Positive liberty is the possibility of acting — or the fact of acting — in such a way as to take control of one's life and realize one's fundamental purposes. While negative liberty is usually attributed to individual agents, positive liberty is sometimes attributed to collectivities, or to individuals considered primarily as members of given collectivities."

                                                                                      "The idea of distinguishing between a negative and a positive sense of the term ‘liberty’ goes back at least to Kant, and was examined and defended in depth by Isaiah Berlin in the 1950s and ’60s."


                                                                                      That article goes on:

                                                                                      "Many authors prefer to talk of positive and negative freedom. This is only a difference of style, and the terms ‘liberty’ and ‘freedom’ are normally used interchangeably by political and social philosophers. Although some attempts have been made to distinguish between liberty and freedom (Pitkin 1988; Williams 2001; Dworkin 2011), generally speaking these have not caught on."

                                                                                      Ah that's what I thought!

                                                                                      Also, referring to your other comment, if a "despot can do whatever he wants to you or to your family", like disappear you in the night, and it's not a loss of security, I'm not sure what you mean by 'security'.

                                                                                    • delian66 10 days ago

                                                                                      In despotism, you do not have security either - the despot can do whatever he wants to you or to your family.

                                                                                      • austincheney 10 days ago

                                                                                        That is a loss of freedom, not security. Compare that to living entirely on your own in the wilderness, where you will enjoy maximal freedom with no security from people or nature or starvation.

                                                                                        That distinction is why, in history, non-civilized people find civilization abhorrent and why other people would choose to live under a despot as opposed to living on their own. In the ancient world people were not friendly to the idea of abandoning freedoms for class distinctions, but once they had it they were not willing to sacrifice personal security or quality of life increases for risk of death and starvation.

                                                                                        That is why people claim freedom isn’t free, because many people, even now, are frequently ready to abandon freedoms for increased security as opposed to the extra effort required to increase both.

                                                                                    • gowld 10 days ago

                                                                                      That’s not close to the original quote. And it was just Ben Franklin politicking, not the word of god.

                                                                                      • deathgrips 10 days ago

                                                                                        No one cares, it's the concept that matters. This is on the same tier as saying "haha hey buddy looks like you typed 'there' instead of 'their' haha #rekt".

                                                                                        • mikeyjk 10 days ago

                                                                                          > No one cares, it's the concept that matters. This is on the same tier as saying "haha hey buddy looks like you typed 'there' instead of 'their' haha #rekt".

                                                                                          While the content / concept is the main point, facts matter. Even if it is ancillary to the intended message. Why suffer misinformation no matter how small?

                                                                                    • zanethomas 10 days ago

                                                                                      Another way to look at it is that Apple is moving towards a future where all software for the Mac must be purchased from the App Store.

                                                                                      Bubye Apple, my next machine will likely be a Dell Ubuntu.

                                                                                      • amatecha 10 days ago

                                                                                        Yeah, this is the future I've been foreseeing for years. Every new OS update just ever so slightly decreases your ability to control what software is on your device, and how you can use it.

                                                                                        For example, you used to be able to back up your purchased iOS apps to your computer, and restore them from your computer. In one iOS update (9 IIRC?), they removed the ability to back up the apps from your phone. In a later iOS/iTunes update, they removed the ability to restore backed up apps from your computer, making your existing backed-up apps useless, if you still had them.

                                                                                        Now, the only way to keep your software on your iPhone indefinitely is to never delete it, and never reformat your phone. Ohh and never update iOS because they will break backwards compatibility with apps you already have. For any app that is no longer supported by the developer, you're just out of luck (and I have purchased MANY such apps, being an iPhone user since 2009).

                                                                                        • hoppeilene49 10 days ago

                                                                                          > making your existing backed-up apps useless, if you still had them.

                                                                                          This isn't true. You can still install existing IPAs you have saved in the past by syncing it with Finder. You can also just AirDrop an IPA to your iOS device to install it.

                                                                                          > Now, the only way to keep your software on your iPhone indefinitely is to never delete it, and never reformat your phone.

                                                                                          You can still back up IPA installers by downloading them with Apple Configurator 2.

                                                                                          • amatecha 10 days ago

                                                                                            I can't seem to find documentation about AirDrop installation of .ipa backups I have. Also that Apple Configurator 2 process appears to force me to update the apps before they are backed up (I have automatic updates turned off because of how often app updates tend to be regressions rather than improvements)... Also, how do I "sync it with Finder"? (what is "it"?)

                                                                                          • pietrovismara 10 days ago

                                                                                            If I may ask, why do you still persist with apple products then? Sounds like masochism from here...

                                                                                            • amatecha 10 days ago

                                                                                              I have no intention of buying more at this point. The last was the iPhone 8 in 2017. No clue yet what I'll do in the future for a smartphone, because I don't see Android as an option at all. Hopefully this iPhone 8 lasts forever :)

                                                                                              • pietrovismara 10 days ago

                                                                                                Personally I find smartphones less and less useful. I use them mostly to stay in touch with people or to read articles online, and I do all my work from a laptop anyway. I used to buy flagship Android phones but I realized that it's wasted money. Now I have a 200€ Samsung phone, it works fine, yesterday it fell and the screen glass broke a bit, I couldn't care less.

                                                                                                If I keep going at this rate, I think I will quit smartphones within a few years.

                                                                                                • Yetanfou 10 days ago

                                                                                                  Get a server or some hosting, load it with whatever you need - mail, web, cloudy things, media, communications etc - and use a portable terminal to access it when on the move. That portable terminal can be a phone with a browser or some future device which is more tailored to this type of application. With the current generation of SoC, Wasm and a capable browser (Firefox Nightly Preview is shaping up nicely) this setup is a viable replacement for most 'apps'. One of the advantages of such a setup is that those 'apps' do not get to track your every move - that is, as long as that capability is not built into the browser at some stage (persistent web workers etc).

                                                                                                • vbezhenar 10 days ago

                                                                                                  iPhone SE is iPhone 8 on steroids.

                                                                                                • m463 10 days ago

                                                                                                  This is sort of an ecosystem pattern.

                                                                                                  The first Xbox was offline; subsequent Xboxes were more intrusive.

                                                                                                  The first Windows PCs were offline; now they have become spy ("telemetry") machines.

                                                                                                  Apple has reined itself in (a bit), but they just as stubbornly put business decisions above user wants.

                                                                                              • pmarreck 10 days ago

                                                                                                Mine is already about to be a Linux workstation since, in addition to all the developer hostility the past few years, Catalina essentially killed off Mac gaming (something like 75% of Mac games are 32 bit? or something?). Prior to that it was merely a joke, but it was nice to have an occasional game to play. Now? Nope, Apple Store and recently updated game code or GTFO.

                                                                                                • cjohansson 10 days ago

                                                                                                  Dell Ubuntu is not a good choice; they don’t provide proper drivers, and their support has zero knowledge about Linux.

                                                                                                  • m463 10 days ago

                                                                                                    Ubuntu phones home a lot too.

                                                                                                    motd-news, apport, snaps, whoopsie, kerneloops, ubuntu-report, unattended-upgrades, ...

                                                                                                    • cookiengineer 10 days ago

                                                                                                      > Dell Ubuntu

                                                                                                      A casual Manjaro or Arch rolling distro with the AUR is a better drop.

                                                                                                    • api 10 days ago

                                                                                                      The problem is that there is more than one market here. There is a general market where people love the vendor looking after their security and doing things for them, and there is a pro/hacker market where people want to control things themselves and don't want a lot of this stuff.

                                                                                                      • rsj_hn 10 days ago

                                                                                                        This. Yes the option of a walled garden is a great thing and I wouldn't recommend anything but an Apple device to my non-technical relatives. But if Apple also wants to make the $$ that comes from selling "pro" gear, they need to stop relentlessly consumerizing and turning OS X into iOS. I don't think they realize the level of ill will they are engendering in the developer/pro market.

                                                                                                        Perhaps it's time for a "Pro" and "Home" Mac OS.

                                                                                                        • saila 10 days ago

                                                                                                          I've been doing software development on macOS/OS X for quite some time now and the consumerization aspects don't bother me. I install almost everything I need via Homebrew, from software libraries to desktop apps, and the fact that there's an App Store isn't particularly relevant (although I do use it for consumer apps now and then).

                                                                                                          I'm trying to think of how macOS is so different from 10/20 years ago. What's missing? What can I not do now? Maybe my brain has just been consumerized and I forgot something important.

                                                                                                          I was going to switch to Linux 10 years ago when people were talking about the iOSification of OS X back then, but that never happened.

                                                                                                          • nrclark 10 days ago

                                                                                                            Do you write much system-level software? I feel like Apple's changes don't affect the XCode crowd much - but under the hood, things are slowly getting worse for command-line developers.

                                                                                                            How about when Apple removed /usr/include in its entirety from Mojave? Or when they decided to make the root filesystem read-only? Or when they removed the ability to permanently disable the "only run verified apps" option? Or when they even made that the default in the first place?

                                                                                                            How about when they stopped supporting or updating the MacOS X11 server, which doesn't have proper GPU support and probably never will?

                                                                                                            How about when Apple replaced gcc with a thin wrapper around clang, so that /usr/bin/gcc generates identical code to /usr/bin/clang? Or how they froze all GNU tools (including bash) at the last-released GPLv2 version, just so that they could retain the option to lock you out from modifying your OS install?

                                                                                                            How about the fact that Apple has officially deprecated Python on MacOS?

                                                                                                            How about the increasingly slow filesystem access? Not a big deal for app users, but terrible for shell-scripts and system software kind of generally.

                                                                                                            How about when Apple removed the ESC key from two generations of Macbook Pro? And also how they replaced the function keys with a touchbar?

                                                                                                            Did you know that Apple will soon be using zsh for /bin/sh? Without much regard to how many shell scripts have a #!/bin/sh hashbang and some bashisms in them? You can call those scripts buggy or poorly designed if you want - but they're plentiful and widespread, and will be broken so that Apple can steer clear of GPLv3 code. All so that they can block you from modifying your OS installation.

                                                                                                            MacOS was a Unix nerd's dream 10 years ago. It was fast, reliable, and it had a good terminal paired with amazing hardware and software that "just worked". Over time, everything that attracted me to the platform has slowly eroded. I stopped buying or recommending Macbooks in 2016, and only use one now because my employer is an Apple shop.

                                                                                                            • oarsinsync 10 days ago

                                                                                                              > Did you know that Apple will soon be using zsh for /bin/sh? Without much regard to how many shell scripts have a #!/bin/sh hashbang and some bashisms in them? You can call those scripts buggy or poorly designed if you want - but they're plentiful and widespread, and will be broken so that Apple can steer clear of GPLv3 code. All so that they can block you from modifying your OS installation. MacOS was a Unix nerd's dream 10 years ago

                                                                                                              Yep. Sorry. I’m struggling to connect “Unix nerd” to “thinks /bin/sh and /bin/bash are the same”, especially as that’s very much a Linux distro created problem, and (the clue’s in the name) Linux Is Not UNix.

                                                                                                              • john_alan 10 days ago

                                                                                                                Interesting analysis, thanks for sharing.

                                                                                                                Command line apps installed via home-brew don't have gate-keeper/notarization though.

                                                                                                                I don't know why ppl seem to think they do...

                                                                                                                What am I missing? I'm on the latest Catalina and, for me, anything installed via home-brew, or scripts/c++/python/rust I write and run/compile myself, just runs.

                                                                                                                I also don't see any time difference between my apps on Linux and macOS.

                                                                                                                I use iTerm2, with Full Disk Access, and it's specified as a devtool in privacy.

                                                                                                                What am I missing that's a big problem here?

                                                                                                                • Yetanfou 10 days ago

                                                                                                                  Maybe you're failing to foresee the future step in Apple's strategy which will make it harder if not impossible to run something like Homebrew? As far as I know there is no such thing on (non-jailbroken) iOS. Apple seems to be steering macOS in that direction, a curated platform instead of a general-purpose computing device.

                                                                                                                  • ecnahc515 8 days ago

                                                                                                                    You realize Apple employs engineers, right? The same engineers who use homebrew for their own job? If they go down that route, it's likely they'll need to support something like homebrew or similar.

                                                                                                                    Honestly, it wouldn't surprise me if it just meant distributing packages via homebrew means signing the package, much like any other package manager. Yes, you can get something similar with checksums, but it doesn't provide any way to verify the authenticity of the distributor.

                                                                                                                    Is it friction? Hell yeah. A pain? Yes. Is it purely bad? No. Does it have positives? Some. It's not black and white.

                                                                                                                    • api 9 days ago

                                                                                                                      If they do that, I am gone. Parent mentioned that they feared that though 10 years ago and it never really happened.

                                                                                                                      Apple seems to be trying to walk a line with MacOS and keep all of its user bases happy, but it's a hard line to walk.

                                                                                                                    • john_alan 9 days ago

                                                                                                                      I would move to Arch or Debian.

                                                                                                                      That said, how can they lock it down? You need macOS open to develop apps for their other devices.

                                                                                                                      They can’t get rid of homebrew et al, as they’d lose their iOS developers! Don’t you agree?

                                                                                                                      The fact they explicitly have a “Dev tool” category you can use here says a lot about their approach being open for power users.

                                                                                                                  • pjmlp 10 days ago

                                                                                                                    By writing system level macOS software, although I think you mean old style POSIX UNIX stuff.

                                                                                                                    Here is the thing: already with NeXTSTEP, UNIX support was never something worthwhile to look for; NeXTSTEP was used for its Objective-C tooling and frameworks, like Renderman and Improv.

                                                                                                                    The UNIX stuff was just a solution for having a quick ramp up for their OS development, and just like Microsoft with Windows 3.1 NT, to have a tick in the box when selling to the government.

                                                                                                                    Their famous commercial against Sun hardly touches on UNIX-like development.

                                                                                                                    You aren't going to see a CLI on that NeXTSTEP screen.

                                                                                                                    Just like the SDK is all about Objective-C related stuff, even the device drivers were written in Objective-C.

                                                                                                                    The only fools here are those that keep giving their money to corporations instead of supporting Linux OEMs, as Microsoft cleverly discovered.

                                                                                                                    In fact, had either A/UX not been discontinued or Microsoft seriously supported their POSIX personality, Linux would never have taken off, as the same crowd would be happily using these systems.

                                                                                                                    • sooheon 10 days ago

                                                                                                                      I feel everything you say, and still don't see a better alternative. They're just too good at the hardware and integration.

                                                                                                                  • warrenm 10 days ago

                                                                                                                    Methinks you don't grok how Apple uses the term “Pro”

                                                                                                                    • saagarjha 10 days ago

                                                                                                                      It comes in Space Gray?

                                                                                                                      • warrenm 8 days ago

                                                                                                                        No - it's for people who want to Get Stuff Done™ and not worry about all the crap under the hood.

                                                                                                                • ibeckermayer 10 days ago

                                                                                                                  Why can’t they have their walled garden App Store and also allow me to install other app stores?

                                                                                                                  It’s an authoritarian usurpation of the spirit of property rights. I should be able to decide for myself what software to run on my hardware, Apple HQ’s opinion should be irrelevant.

                                                                                                                  • jerryzh 10 days ago

                                                                                                                    Why would any developer even want to release their app in a walled garden when they can do whatever they want by releasing elsewhere?

                                                                                                                    • pinopinopino 10 days ago

                                                                                                                      Analogous question in the Linux world: Why would anyone get something into the Debian package repository, when they can just release their package on their website? Because it gets added support, a bigger reach and a safer and easier installation for users?

                                                                                                                      • vbezhenar 10 days ago

                                                                                                                        There are special people: maintainers. They collect software from the world and package it for Debian. They are often different from the original developers. Original developers might not even know that their software was repackaged. It's possible because of free software licenses. Apple can't do that even if they wanted to: proprietary software typically does not allow redistribution.

                                                                                                                        • pinopinopino 10 days ago

                                                                                                                          Good point, it wouldn't work that way with proprietary software.

                                                                                                                      • pjmlp 10 days ago

                                                                                                                        Usually on the walled garden they get paid.

                                                                                                                      • colejohnson66 10 days ago

                                                                                                                        On macOS, they do. On a phone, if you want to side load, there’s the option of Android.

                                                                                                                      • 43920 10 days ago

                                                                                                                        Wouldn't a sandboxed Zoom downloaded directly from them be equally secure?

                                                                                                                        • zrm 10 days ago

                                                                                                                          > Wouldn't a sandboxed Zoom downloaded directly from them be equally secure?

                                                                                                                          More relevantly, wouldn't a sandboxed Zoom downloaded from Apple's store be equally secure even if you could install different apps from developers you trust more outside of the store?

                                                                                                                          • Retric 10 days ago

                                                                                                                            Apple’s rejected a huge number of App updates for security reasons. It’s not a huge benefit, but it does exist.

                                                                                                                            • cliffsteele 10 days ago

                                                                                                                              And also allowed a jailbreak app in the iOS App Store. Yes, it only happened once (that I know of), but it still shows you can't really be oblivious to their practices.

                                                                                                                              • colejohnson66 10 days ago

                                                                                                                                So out of the millions of apps on the App Store, they slipped up once? Sounds like a really good success rate.

                                                                                                                                • saagarjha 10 days ago

                                                                                                                                  That's just the one jailbreak that ended up in the news. There have been many other bad things that have been pulled.

                                                                                                                                  • cmdshiftf4 10 days ago

                                                                                                                                    > been many other bad things that have been pulled

                                                                                                                                    A jailbreak app making it to the App Store being bad, and "Apple's walled gardens are bad", are fundamentally incompatible.

                                                                                                                                    • saagarjha 10 days ago

                                                                                                                                      Apple can be bad at doing what they claim to be doing and also be doing the wrong things. The nice way this works is that Apple curates a bunch of software they think is safe, and I can run whatever I want on my device. The worst of both worlds is that I can't run what I want, but sometimes malicious things get through Apple's checks.

                                                                                                                                      • jasonlotito 10 days ago

                                                                                                                                        Jailbreak apps are bad for Apple. Walled gardens are bad for users. It's not complicated.

                                                                                                                                        • neotek 10 days ago

                                                                                                                                          I, a user, am extremely appreciative of Apple's walled garden. I've never once had to worry that the app I'm downloading is crammed full of malware because I trust that Apple's processes are robust and will work well in 99.999% of all circumstances.

                                                                                                                                          • davrosthedalek 10 days ago

                                                                                                                                            A walled garden is not the same as a curated app store. You could have the same benefit if Apple allowed non-app-store apps to be installed after flipping a switch, tethering with a Mac or some other voodoo.

                                                                                                                                            • neotek 10 days ago

                                                                                                                                              Apple does give you the ability to install non-app-store apps (some without tethering), e.g. sideloading or enterprise certificates, although I agree it's not as easy as flipping a switch.

                                                                                                                                              They should also provide a way to downgrade iOS via Xcode for those with a dev account, but that's another story.

                                                                                                                                            • friendlybus 10 days ago

                                                                                                                                              People who are precious about security never obtain apps that aren't generally approved and vetted by professionals anyway. Forcing this decision onto everybody is just going to push the people who want a free and open platform into places you don't want them. The benefits of openness don't go away just because Apple said so.

                                                                                                                                              • LaGrange 10 days ago

                                                                                                                                                We get Zoom, we used to install Java (remember when it was bundled with crapware in the hope you'd forget to uncheck a checkbox?). Companies routinely strong-armed users into getting malware. And I doubt popular game mods are all that strongly reviewed by security experts, but they are quite popular with tech people.

                                                                                                                                                App Store policies are a poor replacement for collective action, of course, but let's not pretend we can just become immune to hostile by sheer force of will.

                                                                                                                                                • neotek 10 days ago

                                                                                                                                                  I care about security, but that doesn't preclude me from jailbreaking my iPhone and running dozens of tweaks that haven't been "vetted by professionals", along with sideloaded apps that haven't been through Apple's vetting process either.

                                                                                                                                                  My MacBook runs homebrew which currently lists 84 packages installed plus their dependencies, very few of which will have been professionally vetted, and of the 127 apps in my /Applications folder only a third of them came from the Mac App Store, and I would estimate that a quarter of the others aren't even signed with a paid developer certificate.

                                                                                                                                                  I want the apps that I get from Apple directly to be safe. I want to know that when I put my faith in the App Store that I'm not lulling myself into a false sense of security. I want my parents and girlfriend, who are not technical people, to have that same sense of security without them having to learn entire programming languages to vet source code themselves.

                                                                                                                                                  The benefits of closed systems don't go away just because you say so.

                                                                                                                                  • throwaway851 10 days ago

                                                                                                                                    Yes, but would a typical user know or care if the app they downloaded from a web site was sandboxed and would otherwise have been approved by the App Store if it was submitted there? And if not, how could someone like John Gruber make that claim of safety on anything other than iPhone and iPad? Taking the Zoom example on a parent thread above, look at what happens when you’re installing a Zoom client on the Mac without the strict enforcements of the iOS App Store:

                                                                                                                                    • ken 10 days ago

                                                                                                                                      This just doesn't seem like a terribly difficult problem. Web browsers have figured it out. Any webpage that isn't served over SSL says "Not Secure" right at the top.

                                                                                                                                      I can think of a dozen ways which the OS could prominently display "Not Secure" for non-sandboxed applications, in a way that wouldn't preclude or hinder users from using such applications if they really wanted to.

                                                                                                                                      • ithkuil 10 days ago

                                                                                                                                        I wonder what's a decent way to do this with a CLI app.

                                                                                                                                  • beowulfey 10 days ago

                                                                                                                                    I don’t really understand this argument. Apple has long been heralded for its safety and security. It’s why in three decades of owning macs we’ve never installed antivirus software.

                                                                                                                                    What is the point of all this security these days? What are they protecting us from?

                                                                                                                                    • markdown 10 days ago

                                                                                                                                      Who is this Gruber person you quote and why is he relevant here?

                                                                                                                                      • AlchemistCamp 10 days ago

                                                                                                                                        He's the person who made the markdown format, which you've used as your username.

                                                                                                                                        Other than that, he's mostly known for writing and talking about Apple.

                                                                                                                                        • markdown 10 days ago

                                                                                                                                          > He's the person who made the markdown format, which you've used as your username.

                                                                                                                                          That's news to me. My username is my name plus down (I use up for work-related accounts, and down for leisure).

                                                                                                                                          > Other than that, he's mostly known for writing and talking about Apple.

                                                                                                                                          Ahh, ok thanks.

                                                                                                                                      • gameswithgo 10 days ago

                                                                                                                                        if gruber wants to dictate what i run on my computer maybe he can pay for my computer instead of me.

                                                                                                                                      • monadic2 10 days ago

                                                                                                                                        Honestly I'm trying to think of a reason you would WANT to disable OCSP, I'm having enough problems thinking of more than 2 developers I know who can actually articulate how it works enough to evaluate this. Not that it's complicated—it's just mostly invisible.

                                                                                                                                        Even when OCSP is a problem, generally you're more worried about issuing a new certificate than an immediate workaround. What are you going to do, ask all your customers to go into keychain access to work around your problem?

                                                                                                                                        This behavior of slowing down appears to be because Apple is making HTTPS connections apparently synchronously (probably unnecessarily), and you'd only be potentially harming yourself by disabling OCSP.

                                                                                                                                        Though, I am often frustrated FLOSS desktops and Windows don't allow the behavior I want—maybe this is just cultural.

                                                                                                                                        • feross 10 days ago

                                                                                                                                          How about it's totally ineffective? OCSP is pointless if you "soft fail" when the OCSP server can't be reached. [1]

                                                                                                                                          This is why Chrome disabled OCSP by default all the way back in the 2012-2013 era. Not to mention the performance cost of making all HTTPS connections wait for an OCSP lookup. [2]

                                                                                                                                          • johnp_ 10 days ago

                                                                                                                                            That's why there's OCSP stapling and OCSP must staple. Ever seen an nginx server fail HTTPS connection exactly once after rotating the certificate? That's nginx lazily fetching the OCSP response from upstream for stapling purposes.

                                                                                                                                            • saagarjha 10 days ago

                                                                                                                                              Notarization has a similar "stapling" workflow as well.

                                                                                                                                          • cliffsteele 10 days ago

                                                                                                                                            Well, security starts from the user. If you're not mindful of what websites you visit, or what files/apps you download and run, there's no OCSP or anything else there to save you.

                                                                                                                                            OCSP enabled or not, you're still one website click away from being pwned to oblivion, giving full control to the hacker – which, of course, is inevitable to an extent, since bugs always find their way into software.

                                                                                                                                            So why not make it easy to disable?

                                                                                                                                            • monadic2 10 days ago

                                                                                                                                              Well, are you going to manually look up certificate revocations yourself? This necessarily requires a network lookup—you can't just glance at the certificate. What's the benefit of disabling this functionality that actively alerts you to revocations?

                                                                                                                                              > Well, security starts from the user. If you're not mindful of what websites you visit, or what files/apps you download and run, there's no OCSP or anything else there to save you.

                                                                                                                                              Sure, but we're discussing good-faith security here. Presumably if people complain about a missing feature they can envision using it. The scenario here is not visiting a shady website and doing something stupid; the scenario here is something like a man-in-the-middle attack using a revoked certificate, which would by definition be difficult for the end-user to detect.

                                                                                                                                              > So why not make it easy to disable?

                                                                                                                                              Because then people would disable it for no discernable good effect.

                                                                                                                                              I mean let me be clear, if you're a security researcher you can just modify your own HTTP stack, run a VM, control the hardware, whatever. This isn't a blocker to investigating HTTPS reactions sans OCSP—this is about denying secure connections when they've publicly revoked the cert used to sign the connection. The only reason this is even considered a discrete feature is that most people have never written an OCSP request in order to then trust an HTTPS server—you're just opening yourself up to be misled without even realizing this (and this goes for most of my very network-stack-aware coworkers).

                                                                                                                                              If you're in a browser, you want the browser to be using best practice security, which necessarily includes OCSP. If you know what you're doing this is trivial to bypass.

                                                                                                                                          • D-Coder 10 days ago

                                                                                                                                            Feature-removal has been the most aggravating part of my Mac life for the past several years. Admittedly I tend to use unusual features, but it's just another PITA when they go away.

                                                                                                                                            • ngcc_hk 10 days ago

                                                                                                                                              Not sure they have removed anything, but they added something.

                                                                                                                                          • torstenvl 10 days ago

                                                                                                                                            What happens if you edit /private/etc/hosts to point to and flush the DNS cache?

                                                                                                                                            • Myrmornis 10 days ago

                                                                                                                                              This seems like an interesting line of inquiry.

                                                                                                                                              AIUI doing what you said would permit the network request to proceed, and it would fail because nothing is listening on port 80 [1] We already know that the phone-home bails out when there's no network connection, so perhaps that code also bails out on connection failure?

                                                                                                                                              Alternatively, is there some way to make DNS lookup itself fail for

                                                                                                                                              Last resort, if we know how to fake the response, running a dummy server listening on localhost would be faster than allowing the request to go over the internet.

                                                                                                                                              [1] Empirically, `curl` yields a connection failure. I think I know that is used in a listening context to mean "listen on all interfaces" but tbh I don't really know what it means in a sending context. Maybe someone can educate me?

                                                                                                                                              • IncRnd 10 days ago

                                                                                                                                                Sending to will fail immediately. This differs from sending to that may connect to a server on the local machine.

                                                                                                                                                • Myrmornis 10 days ago

                                                                                                                                                  > Sending to will fail immediately.

                                                                                                                                                  Right, and as far as we know that exception might be caught in the same way as "your computer doesn't have any network connection at all" is caught. Or would those be likely to generate the same exception? Either way, there's a chance that it would result in exec gracefully and quickly not doing the blocking phone-home isn't there?

                                                                                                                                                • usmannk 10 days ago

                                                                                                                                                  is non-routable and generally only valid as a src not a dest

                                                                                                                                                • saagarjha 10 days ago

                                                                                                                                                  I think it is fairly likely that your system would not work at all.

                                                                                                                                                • saagarjha 10 days ago

                                                                                                                                                  I believe it's just Base64 encoded DER information, based on the code that seems to be similar:

                                                                                                                                                  • caf 10 days ago

                                                                                                                                                    Yes, that base64 decodes to:

                                                                                                                                                      OCSP Request Data:
                                                                                                                                                        Version: 1 (0x0)
                                                                                                                                                        Requestor List:
                                                                                                                                                            Certificate ID:
                                                                                                                                                              Hash Algorithm: sha1
                                                                                                                                                              Issuer Name Hash: 3381D1EFDB68B085214D2EEFAF8C4A69643C2A6C
                                                                                                                                                              Issuer Key Hash: 5717EDA2CFDC7C98A110E0FCBE872D2CF2E31754
                                                                                                                                                              Serial Number: 7D86ED91E10A66C2
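As an added example (not code from the thread), here is how the base64 path segment of an OCSP GET is taken apart into the fields caf's `openssl` output shows: the DER is an RFC 6960 `OCSPRequest` wrapping a `CertID` (hash algorithm, issuer name hash, issuer key hash, serial). The builder is only there so the parser has input to work on offline; the hash and serial values are the ones quoted above, and the `demo`/`decode_url_segment` names are this example's own.

```python
"""Build and decode an RFC 6960 OCSP request, the structure behind the
base64 blob in the URL path. Example code, not from the thread."""
import base64

SHA1_OID = bytes.fromhex("2b0e03021a")            # OID 1.3.14.3.2.26 (sha1)
OID_NAMES = {SHA1_OID: "sha1",
             bytes.fromhex("608648016503040201"): "sha256"}

# Values quoted in caf's decoded request above
ISSUER_NAME_HASH = "3381D1EFDB68B085214D2EEFAF8C4A69643C2A6C"
ISSUER_KEY_HASH = "5717EDA2CFDC7C98A110E0FCBE872D2CF2E31754"
SERIAL = "7D86ED91E10A66C2"


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x8N plus N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_integer(value: int) -> bytes:
    # One extra bit of room keeps the sign bit clear (DER INTEGER is signed).
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes,
                       serial: int) -> bytes:
    """OCSPRequest -> TBSRequest -> requestList -> Request -> CertID.
    version is DEFAULT v1, so DER omits it entirely."""
    alg = _tlv(0x30, _tlv(0x06, SHA1_OID) + _tlv(0x05, b""))
    cert_id = _tlv(0x30, alg + _tlv(0x04, issuer_name_hash)
                   + _tlv(0x04, issuer_key_hash) + _der_integer(serial))
    request_list = _tlv(0x30, _tlv(0x30, cert_id))
    return _tlv(0x30, _tlv(0x30, request_list))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, child, pos = _read_tlv(body, pos)
        yield tag, child


def parse_ocsp_request(der: bytes) -> dict:
    tag, ocsp_body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    _, tbs, _ = _read_tlv(ocsp_body)             # tbsRequest (signature ignored)
    version, requests = 1, []
    for tag, child in _children(tbs):
        if tag == 0xA0:                          # [0] EXPLICIT Version
            _, v, _ = _read_tlv(child)
            version = int.from_bytes(v, "big") + 1
        elif tag == 0x30:                        # requestList SEQUENCE OF Request
            for _, req in _children(child):
                _, cert_id, _ = _read_tlv(req)   # reqCert CertID
                alg, name_hash, key_hash, serial = [c for _, c in _children(cert_id)]
                _, oid, _ = _read_tlv(alg)       # algorithm OID, parameters ignored
                requests.append({
                    "hash_algorithm": OID_NAMES.get(oid, oid.hex()),
                    "issuer_name_hash": name_hash.hex().upper(),
                    "issuer_key_hash": key_hash.hex().upper(),
                    "serial_number": format(int.from_bytes(serial, "big"), "X"),
                })
    return {"version": version, "requests": requests}


def decode_url_segment(segment: str) -> dict:
    """OCSP GET puts the DER request in the URL path as base64 (RFC 6960 A.1).
    Accept both the standard and the URL-safe alphabet and restore padding."""
    std = segment.replace("-", "+").replace("_", "/")
    return parse_ocsp_request(base64.b64decode(std + "=" * (-len(std) % 4)))


def demo() -> str:
    der = build_ocsp_request(bytes.fromhex(ISSUER_NAME_HASH),
                             bytes.fromhex(ISSUER_KEY_HASH), int(SERIAL, 16))
    return base64.b64encode(der).decode()
```

Nothing in the request identifies the binary being run; it names a certificate by issuer hashes and serial, which is why a request like this can be a revocation check for the signing certificate rather than a lookup of the file itself.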

                                                                                                                                                   • usmannk 10 days ago

                                                                                                                                                    I can't edit anymore but it seems like the OCSP link could potentially be a red herring just checking the cert for the next request to It's worth looking further!

                                                                                                                                                    • Darkstryder 9 days ago

                                                                                                                                                      I'm surprised nobody mentioned that Windows Defender does something very similar (checking for never-seen-before binaries at runtime, uploading them to Microsoft servers, then running them there) :

                                                                                                                                                      • pinopinopino 10 days ago

                                                                                                                                                        God, this shit makes me laugh. Why are they doing this.

                                                                                                                                                        But from Edit2: Your hash is some sort of base64

                                                                                                                                                             let str = 

                                                                                                                                                        Then we see weird random gaps in the alphabet used, not so weird, because not every character will be used in every string:

                                                                                                                                                              Prelude Data.List> map head $  group $ sort $ str

                                                                                                                                                         If we fill these up then:

                                                                                                                                                              Prelude Data.List> let xs = "+0123456789=ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
                                                                                                                                                              Prelude Data.List> length xs

                                                                                                                                                         So base64 with some non-standard symbols. I don't know what standard base64 is supposed to look like, to be honest, so perhaps it is standard base64. The = is definitely padding.

                                                                                                                                                       • ignoranceprior 10 days ago

                                                                                                                                                        Does this mean you can't run a custom shell script without an internet connection?

                                                                                                                                                        • usmannk 10 days ago

                                                                                                                                                          If the connection fails it goes ahead and grants permission.

                                                                                                                                                        • markandrewj 10 days ago

                                                                                                                                                          This isn't specific to the article, but another place that can be interesting to look at system activity on Mac OS is the console.

                                                                                                                                                          • moyix 10 days ago

                                                                                                                                                            Were you able to MITM the connection? I tried with MITMProxy but ran into a client error, which made me think they were doing cert pinning.

                                                                                                                                                            If you did get it to work could you paste the logs somewhere?

                                                                                                                                                            • usmannk 10 days ago

                                                                                                                                                              Yes but it looks like there is no actual session, at least for shell scripts that don't have an app bundle ID. There is just an HTTP CONNECT, TLS negotiation, then nothing.

                                                                                                                                                          • davidvartan 10 days ago

                                                                                                                                                            > a degraded user experience, as the first time a user runs a new executable, Apple delays execution while waiting for a reply from their server.

                                                                                                                                                            The way to avoid this behavior is to staple the notarization ticket to your bundle (or dmg/pkg), i.e. "/usr/bin/stapler staple <path>." Otherwise, Gatekeeper will fetch the ticket and staple it for the user on the first run.

                                                                                                                                                            (I'm the author of xcnotary [1], a tool to make notarization way less painful, including uploading to Apple/polling for completion/stapling/troubleshooting various code signing issues.)

                                                                                                                                                            • xenadu02 10 days ago

                                                                                                                                                              Xcode (the UI) is able to bypass GateKeeper checks for things it builds.

                                                                                                                                                              The "Developer Tool" pane in System Prefs, Security, Privacy is the same power. Drag anything into that list you'd like to grant the same privilege (such as xcodebuild). This is inherited by child processes as well.

                                                                                                                                                              The point of this is to avoid malware packing bits of Xcode with itself and silently compiling itself on the target machine, thus bypassing system security policy.

                                                                                                                                                              • indemnity 10 days ago

                                                                                                                                                                Reminds me of the AV exception folder our corporate IT created for developers. Soon absolutely everything developers needed or created was installed into that folder. Applications, IDEs, you name it.

                                                                                                                                                                • kunday 9 days ago

                                                                                                                                                                  Guilty as accused. I try to keep it to an absolute minimum, like the docker data-dir and IDE. With that I can at least use my machine.

                                                                                                                                                                  Otherwise this macOS notarisation, along with the possibility of CPU heating issues with left Thunderbolt usage and corporate AV scanning, makes my machine next to useless.

                                                                                                                                                                • LeoPanthera 10 days ago

                                                                                                                                                                  Putting Terminal (and your favorite text editor) in this category and in "Full Disk Access" will change your life.

                                                                                                                                                                  • MrBuddyCasino 10 days ago

                                                                                                                                                                    How does "Full Disk Access" help?

                                                                                                                                                                    • lloeki 10 days ago

                                                                                                                                                                      You can browse Time Machine backup directory trees from the CLI again.

                                                                                                                                                                    • sneak 10 days ago

                                                                                                                                                                      Yes, falling victim to ransomware is definitely lifechanging if you don’t have good backups.

                                                                                                                                                                      • LeoPanthera 10 days ago

                                                                                                                                                                        That is a non-sequitur.

                                                                                                                                                                        • mperham 10 days ago

                                                                                                                                                                          It's not; they are stating that if you bypass these security checks, you open the machine up to ransomware.

                                                                                                                                                                  • grishka 10 days ago

                                                                                                                                                                    So since these permissions apply to process trees, what happens if you put launchd in there?

                                                                                                                                                                    • aasasd 10 days ago

                                                                                                                                                                      The computer will probably hang while it tries to solve the chicken-egg problem.

                                                                                                                                                                      Isn't launchd Mac's ‘init’? I.e. run before anything else.

                                                                                                                                                                      • grishka 10 days ago

                                                                                                                                                                        Yes, and that's the point — everything you run will theoretically inherit the permission from it.

                                                                                                                                                                    • acecilia 9 days ago

                                                                                                                                                                      Can you advise on how to make the "Developer Tool" panel in "System Prefs, Security, Privacy" appear if it is not present? Can't find a way:

                                                                                                                                                                    • wila 10 days ago

                                                                                                                                                                      GateKeeper only triggers the check for things downloaded from the internet. IOW, it checks if your binary has a quarantine flag attached via an extended attribute.

                                                                                                                                                                      • xenadu02 10 days ago

                                                                                                                                                                        That is not correct starting with Catalina.

                                                                                                                                                                      • make3 9 days ago

                                                                                                                                                                        How do I get a "Developer Tool" pane in System Prefs? Do I have to install Xcode? I would really rather not

                                                                                                                                                                      • closeparen 10 days ago

                                                                                                                                                                        This is life-changing. Thank you!

                                                                                                                                                                    • scottlamb 10 days ago

                                                                                                                                                                      > The way to avoid this behavior is to staple the notarization ticket to your bundle (or dmg/pkg)

                                                                                                                                                                      Maybe in some cases, but the article says "even if you write a one line shell script and run it in a terminal, you will get a delay!"

                                                                                                                                                                      Shell scripts don't come in bundles. I don't think this kind of stapling is possible for them? I don't think it'd be reasonable to expect users to do this anyway.

                                                                                                                                                                      • davidvartan 10 days ago

                                                                                                                                                                        The Gatekeeper behavior is specific to running things from Finder (not Terminal), and only if you downloaded it via a browser that sets the xattr.

                                                                                                                                                                        Two posts from Apple dev support (Cmd+F "eskimo") describe this in more detail.



                                                                                                                                                                        • nemosaltat 10 days ago

                                                                                                                                                                          I recently learned that `xattr -cr path/to/` solves the “this App is damaged would you like to move it to the trash” you get when you copy an app from one Mac to another.
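The attribute wila and nemosaltat refer to is `com.apple.quarantine`. As an added example (not code from the thread), the block below decodes the value macOS stores on a downloaded file and, when the macOS `xattr` tool is present, reads it from a path. The value is a semicolon-separated string: quarantine flags in hex, the download time as hex Unix seconds, the name of the downloading agent and a quarantine event identifier. The sample value is constructed for illustration, not captured from a real download, and the flag bits are passed through without interpretation.

```python
import shutil
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int              # raw quarantine flag bits, left uninterpreted here
    downloaded_at: datetime
    agent: str              # application that downloaded the file, e.g. Safari
    event_id: str           # quarantine event identifier (may be empty)


def parse_quarantine(value: str) -> Quarantine:
    """Decode 'flags;hextime;agent[;event-id]' into a Quarantine record."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)
    seconds = int(parts[1], 16)
    agent = parts[2]
    event_id = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, datetime.fromtimestamp(seconds, tz=timezone.utc),
                      agent, event_id)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Return the parsed attribute for `path`, or None when it is absent or no
    `xattr` tool exists on this host (e.g. Linux). Uses `xattr -p NAME FILE`
    exactly as one would type it on macOS."""
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # xattr exits non-zero when the attribute is missing
        return None
    return parse_quarantine(proc.stdout)


# Constructed sample in the documented layout; not taken from a real download.
SAMPLE = "0083;5e90a8c0;Safari;6E2F1C1A-0000-4000-8000-000000000000"

if __name__ == "__main__":
    q = parse_quarantine(SAMPLE)
    print(f"flags=0x{q.flags:04x} agent={q.agent} "
          f"downloaded={q.downloaded_at.isoformat()} event={q.event_id}")
    print("attribute on /bin/ls:", read_quarantine("/bin/ls"))
```

`xattr -cr path` from the comment above deletes this record (together with every other extended attribute) recursively. That is why the "damaged" dialog goes away: the download-provenance signal Gatekeeper keys on is gone, which says nothing about whether the app itself is trustworthy.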

                                                                                                                                                                          • rhizome 10 days ago

                                                                                                                                                                            That might be the Windows-iest feature of OSX I've ever heard of.

                                                                                                                                                                            • cosmojg 10 days ago

                                                                                                                                                                              It seems macOS is going downhill fast these days.

                                                                                                                                                                              • withinboredom 10 days ago

                                                                                                                                                                                No, it’s just that they’re becoming more popular. When you become a popular desktop OS, governments and militaries want to start using it which comes with some strange requirements. It also means that you can’t rely on “obscurity” to provide any sort of security, where before you could overlook some things.

                                                                                                                                                                                • catalogia 10 days ago

                                                                                                                                                                                  Can you cite any sources for your claim that these things are being implemented to satisfy government/military requirements?

                                                                                                                                                                                  • o-__-o 10 days ago


                                                                                                                                                                                    I don’t know why grand op is downvoted. DoD requirements literally require a timeout setting for screensavers to begin locking. This has caught systems which have a race condition where you can move your mouse quickly and gain desktop access before it locks.

                                                                                                                                                                                    The long term effects come from the required changes to the development security model to remain productive and profitable (took MSFT a few OOB hotfixes and service packs to fix that example above, look when gnome kde xscreensaver etc introduced that feature etc)

                                                                                                                                                                                    • saagarjha 10 days ago

                                                                                                                                                                                      > This has caught systems which have a race condition where you can move your mouse quickly and gain desktop access before it locks.

                                                                                                                                                                                      I fail to see how this is a race condition rather than how a screensaver is supposed to work?

                                                                                                                                                                                      • o-__-o 10 days ago

                                                                                                                                                                                        Because it’s not, that’s why I pointed to xscreensaver feature implementation. Lock time is separate from screensaver activation time which is separate from energy saving activation time.

                                                                                                                                                                                        What defines when a locking screen saver is “locked”? 10m? Or 10m1s? You are making assumptions and that is what DISA spells out. Which forces the OS design to change in subtle ways. Like xattrs on files as great grand op was alluding to.

                                                                                                                                                                                        Does that provide clarity into how development security models evolve over the lifetime of an application?

                                                                                                                                                                              • noisem4ker 10 days ago

                                                                                                                                                                                What would that mean?

                                                                                                                                                                                • bobbylarrybobby 10 days ago

                                                                                                                                                                                  It would appear to mean it's a hacky, over-technical solution to a problem that shouldn't exist in the first place, as copying things from one computer to another should just work™. This is one place where macOS used to shine and where it now seems to be increasingly falling behind.

                                                                                                                                                                            • JadeNB 10 days ago

                                                                                                                                                                              > The Gatekeeper behavior is specific to running things from Finder (not Terminal), and only if you downloaded it via a browser that sets the xattr.

                                                                                                                                                                              The article says the described problem isn't limited in this way:

                                                                                                                                                                              > This is not just for files downloaded from the internet, nor is it only when you launch them via Finder, this is everything. So even if you write a one line shell script and run it in a terminal, you will get a delay!

                                                                                                                                                                              • staticfloat 10 days ago

                                                                                                                                                                                If you read the comments of the article and do your own testing, you will find that reality appears to be more complicated than the article suggests. Users have shown using both timing and wireshark that the shell scripts do not appear to be triggering notarization checks.

                                                                                                                                                                              • reuben_scratton 10 days ago

                                                                                                                                                                                Quinn The Eskimo at Apple's forums is a 10x support engineer, his posts have helped me fix dozens of problems.

                                                                                                                                                                              • xenadu02 10 days ago

                                                                                                                                                                                This is the way things worked prior to Catalina but is no longer the case.

                                                                                                                                                                            • oefrha 10 days ago

                                                                                                                                                                              I mean, when I’m developing in a compiled language with the workflow edit code -> compile -> run (with forced stapling), changing it to edit code -> compile -> staple -> run doesn’t make it any less slow...

                                                                                                                                                                              • oefrha 10 days ago

                                                                                                                                                                                An update: flat out denying network access to syspolicyd using Little Snitch could cut down on the delay. (Yes, syspolicyd does send a network request to for every single new executable. Denying its access to only isn't sufficient either since it falls back to IP address directly.) Note that this might not be a great idea, and it still has nonzero cost — a network request has to be made and denied by Little Snitch.

                                                                                                                                                                                Here's my benchmarking script:

                                                                                                                                                                                  tmpfile=$(mktemp /tmp/fresh.XXXXXX)   # fresh path every run
                                                                                                                                                                                  cat >$tmpfile <<EOF
                                                                                                                                                                                  #!/bin/sh
                                                                                                                                                                                  echo $RANDOM  # Use a different script each time in case it makes a difference.
                                                                                                                                                                                  EOF
                                                                                                                                                                                  chmod +x $tmpfile
                                                                                                                                                                                  setopt xtrace                         # zsh: print each command as it runs
                                                                                                                                                                                  time ( $tmpfile )                     # first run of a never-seen binary
                                                                                                                                                                                  time ( $tmpfile )                     # second run of the same binary
                                                                                                                                                                                  unsetopt xtrace
                                                                                                                                                                                  rm -f $tmpfile

                                                                                                                                                                                If your local terminal emulator is immune with "Developer Tools" access (interestingly, toggling it off doesn't bring back the delay for some reason), you should be able to reproduce the delay over ssh.

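A portable version of the measurement the comments in this thread make with `/usr/bin/time` and zsh's `time`, as an added example rather than code from the thread: it writes a fresh executable with a random payload, runs it several times under a wall-clock timer, and reports how much longer the first run took than the later ones. On Linux, or on a macOS host where the per-binary check is not firing, the penalty is near zero; the file prefix and payload are my own choices.

```python
import os
import random
import subprocess
import tempfile
import time


def make_fresh_script(directory=None):
    """Write a one-line shell script whose content (hence hash) is new.

    The random nonce is baked into the file at creation time, mirroring the
    thread's use of $RANDOM inside a heredoc, so each call yields an
    executable the system has never seen before.
    """
    nonce = random.randrange(2 ** 31)
    fd, path = tempfile.mkstemp(prefix="fresh-", suffix=".sh", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write("#!/bin/sh\n")
        fh.write(f"echo hello {nonce}\n")
    os.chmod(path, 0o755)  # executable, so the kernel exec()s it directly
    return path, nonce


def time_exec(path):
    """exec() the script once; return (wall-clock seconds, stripped stdout)."""
    start = time.perf_counter()
    proc = subprocess.run([path], capture_output=True, text=True, check=True)
    return time.perf_counter() - start, proc.stdout.strip()


def measure(runs=3):
    """Time `runs` consecutive executions of one fresh script.

    The first run is the one a per-binary check would penalise; later runs
    hit whatever cache the system keeps for an already-seen hash.
    """
    if runs < 2:
        raise ValueError("need at least two runs to compare first vs. later")
    path, nonce = make_fresh_script()
    try:
        timings = []
        for _ in range(runs):
            elapsed, out = time_exec(path)
            if out != f"hello {nonce}":
                raise RuntimeError(f"unexpected output {out!r}")
            timings.append(elapsed)
        return timings
    finally:
        os.unlink(path)  # never reuse the file: that would defeat 'fresh'


def first_run_penalty(timings):
    """Seconds by which the first run exceeded the median of the later runs
    (slightly negative values are just timer noise)."""
    later = sorted(timings[1:])
    median = later[len(later) // 2]
    return timings[0] - median


if __name__ == "__main__":
    t = measure(runs=3)
    for i, secs in enumerate(t, 1):
        print(f"execution time #{i}: {secs:.3f} seconds")
    print(f"first-run penalty: {first_run_penalty(t):.3f} seconds")
```

Run it twice in a row on the same machine, once with the network reachable and once with it cut or with syspolicyd blocked as oefrha describes, and compare the first-run penalty; a penalty that tracks network latency rather than CPU is the signature this thread is chasing.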
                                                                                                                                                                                • davidvartan 10 days ago

                                                                                                                                                                                  I can repro this locally as well. Interesting if it's inconsistent with Apple docs and when Gatekeeper should be firing, as running stuff locally without distributing/downloading is somewhat out of scope for notarization.

                                                                                                                                                                                  Reached out about this to Apple dev support, hope to get more insight.

                                                                                                                                                                                  • abathur 8 days ago

                                                                                                                                                                                    > interestingly, toggling it off doesn't bring back the delay for some reason

                                                                                                                                                                                    Noticed the same; it should come back if you disable it and reboot.

                                                                                                                                                                                  • davidvartan 10 days ago

                                                                                                                                                                                    Notarization/stapling/etc. is for distribution only, not generally part of your dev workflow.

                                                                                                                                                                                    • oefrha 10 days ago

                                                                                                                                                                                      But TFA and my personal experience do point to a noticeable delay after each recompile in dev workflows, and TFA claims this is due to notarization checks... So I guess I’m confused and you’re talking about something else?

                                                                                                                                                                                      • rgrs 10 days ago

                                                                                                                                                                                        How does mac identify a dev workflow and normal workflow?

                                                                                                                                                                                        • jmercouris 10 days ago

                                                                                                                                                                                          When you use XCode you have different compilation options.

                                                                                                                                                                                    • ihiulll 10 days ago

                                                                                                                                                                                      I'm confused. does macbook send executable to apple servers or just the hash?

                                                                                                                                                                                    • dahfizz 10 days ago

                                                                                                                                                                                      The way to avoid this behavior is to not buy a machine from a company that actively hates its users.

                                                                                                                                                                                    • jaimehrubiks 10 days ago

                                                                                                                                                                                      In our company many of us have similar issues. I have always loved OSX but this time it is driving me crazy. I thought the issue was some sort of company antivirus/firewall, or it could even be a combination of that and this issue (maybe my vpn + path to company firewall is what magnifies the issue in this post). The thing is that some commands take 1 second, some others take 2 minutes or even more. Actually, some commands slow down the computer until they are finished (more likely, until they just decide to start).

                                                                                                                                                                                      For example, I can run "terraform apply" and it could take up to 5 minutes to start, leaving my computer almost unusable until it runs. The weird thing is that this only happens sometimes. In some cases, I restart the laptop and it starts working a little bit faster, but the issue comes back after some time.

                                                                                                                                                                                      For a few months now I've been running every command from a VM in a remote location, since I am tired of waiting for my commands to start.

                                                                                                                                                                                      I have a macbook air from 2013 which never had this issue.

                                                                                                                                                                                      Any easy fix that I could test? Disconnecting from the internet is not an option. Disabling SIP could be tried, but I think I already did and didn't seem to fix it, plus it is not a good idea for a company laptop.

                                                                                                                                                                                      Don't we have some sort of hosts file or firewall that we can use to block or fake the connectivity to apple servers?

                                                                                                                                                                                      • derefr 10 days ago

                                                                                                                                                                                        IIRC the big thing that changed with 10.15 for CLI applications is that BSD-userland processes (i.e. ones that don't go through all the macOS Frameworks, but just call libc syscall wrappers like fopen(2)) now also deal with sandboxing, since the BSD syscall ABI is now reimplemented in terms of macOS security capabilities.

                                                                                                                                                                                        Certain BSD-syscall-ABI operations like fopen(2) and readdir(2) are now not-so-fast by default, because the OS has to do a synchronous check of the individual process binary's capabilities before letting the syscall through. But POSIX utilities were written to assume that these operations were fast-ish, and therefore they do tons of them, rather than doing any sort of batching.

                                                                                                                                                                                        That means that any CLI process that "walks" the filesystem is going to generate huge amounts of security-subsystem request traffic; which seemingly bottlenecks the security subsystem (OS-wide!); and so slows down the caller process and any other concurrent processes/threads that need capabilities-grants of their own.

                                                                                                                                                                                        To find a fix, it's important to understand the problem in fine detail. So: the CLI process has a set of process-local capabilities (kernel tokens/handles); and whenever it tries to do something, it first tries to use these. If it turns out none of those existing capabilities let it perform the operation, then it has to request the kernel look at it, build a firewall-like "capabilities-rules program" from the collected information, and run it, to determine whether it should grant the process that capability. (This means that anything that already has capabilities granted from its code-signed capabilities manifest doesn't need to sit around waiting for this capabilities-ruleset program to be built and run. Unless the app's capabilities manifest didn't grant the specific capability it's trying to use.)

                                                                                                                                                                                        Unlike macOS app-bundles, regular (i.e. freshly-compiled) BSD-userland executable binaries don't have a capabilities manifest of their own, so they don't start with any process-local capabilities. (You can embed one into them, but the process has to be "capabilities-aware" to actually make use of it, so e.g. GNU coreutils from Homebrew isn't gonna be helped by this. Oh, and it won't kick in if the program isn't also code-signed, IIRC.)

                                                                                                                                                                                        But all processes inherit their capabilities from their runtime ancestors, so there's a simple fix, for the case of running CLI software interactively: grant your terminal emulator the capabilities you need through Preferences. In this case, the "Full Disk Access" capability. Then, since all your CLI processes have your terminal emulator as a runtime ancestor-process, all your CLI processes will inherit that capability, and thus not need to spend time requesting it from the security subsystem.

                                                                                                                                                                                        Note that this doesn't apply to BSD-userland executable binaries which run as LaunchDaemons, since those aren't being spawned by your terminal emulator. Those either need to learn to use capabilities for real; or, at least, they need to get exec(2)ed by a shim binary that knows how.


                                                                                                                                                                                        tl;dr: I had this problem (slowness in numerous CLI apps, most obvious as `brew upgrade` suddenly taking forever) after upgrading to 10.15 as well. Granting "Full Disk Access" to iTerm fixed it for me.

                                                                                                                                                                                        • saagarjha 10 days ago

                                                                                                                                                                                          > IIRC the big thing that changed with 10.15 for CLI applications is that BSD-userland processes (i.e. ones that don't go through all the macOS Frameworks, but just call libc syscall wrappers like fopen(2)) now also deal with sandboxing, since the BSD syscall ABI is now reimplemented in terms of macOS security capabilities.

                                                                                                                                                                                          Is this actually new in macOS 10.15? I seem to recall this being a thing ever since sandboxing was a thing, even all the way back to when it was called Seatbelt.

                                                                                                                                                                                          > That means that any CLI process that "walks" the filesystem is going to generate huge amounts of sandboxd traffic, which bottlenecks sandboxd and so slows down the caller process.

                                                                                                                                                                                          Is this not implemented in the kernel as an extension? I thought the checks went through MAC framework hooks. Doesn't sandboxd just log access violations when told to do so by the Sandbox kernel extension?

                                                                                                                                                                                          > Unlike macOS app-bundles, regular BSD-userland executable binaries don't have a capabilities manifest of their own, so they don't start with any process-local capabilities (with some interesting exceptions, that I think involve the binary being embedded in the directory-structure of a system framework, where the binary inherits its capabilities from the enclosing framework.)

                                                                                                                                                                                          I am fairly sure you can just embed a profile in a section of your app's binary and call the sandboxing Mach call with that…

                                                                                                                                                                                          • derefr 10 days ago

                                                                                                                                                                                            > I seem to recall this being a thing ever since sandboxing was a thing, even all the way back to when it was called Seatbelt.

                                                                                                                                                                                            Maybe you're right; I'm not sure when they actually put the Seatbelt/TrustedBSD interpreter inline in the BSD syscall code-path. What I do know is that, until 10.15, Apple tried to ensure that the BSD-userland libc-syscall codepath retained mostly the same behavioral guarantees as it did before they updated it, in terms of worst-case time-complexities of syscalls. Not sure whether that was using a short-circuit path that went around Seatbelt or used a "mini-Seatbelt" fast path; or whether it was by hard-coding a pre-compiled MAC ruleset for libc calls that only relied upon the filesystem flag-bits, and so never had to do anything blocking during evaluation.

                                                                                                                                                                                            Certainly, even as of 10.12, BSD-userland processes weren't immune to being exec(2)-blocked by the quarantine xattr. But that may have been a partial implementation (e.g. exec(2) going through the MAC system while other syscalls don't.) It's kind of opaque from the outside. It was at least "more than nothing", though I'm not sure if it was "everything."

                                                                                                                                                                                            One thing that is clear is that, until 10.15, BSD processes with no capabilities manifest still had pretty much exactly the same default set of privileges that they had before capabilities, which means "almost everything" (and therefore they almost never needed to actually hit up the security system for more grants.) I guess all Apple really needed to have done in 10.15 to "break BSD" was to introduce some more capabilities, and then not put them in the default/implicit manifest.

                                                                                                                                                                                            I suppose what actually happened in 10.15 can be determined easily-enough from the OSS code that's been released. :)

                                                                                                                                                                                            > Is this not implemented in the kernel as an extension? // I am fairly sure you can just embed a profile in a section of your app's binary and call the sandboxing Mach call with that…

                                                                                                                                                                                            Yeah, sorry, you're right; updated my assertions above. I'm not a kernel dev; I've just picked up my understanding of this stuff from running head-first into it while trying to do other things!

                                                                                                                                                                                            • danudey 10 days ago

                                                                                                                                                                                              It's a new behavior that doing 'find ~' will trigger a MacOS (GUI) permissions warning dialog when `find` tries to access your photos directory, contacts file, etc.

                                                                                                                                                                                              • saagarjha 10 days ago

                                                                                                                                                                                                That is new, but I believe the groundwork for that was mostly laid in 10.14 and is also mostly in the kernel.

                                                                                                                                                                                            • jfkebwjsbx 10 days ago

                                                                                                                                                                                              Why would sandboxing be slower?

                                                                                                                                                                                              They are definitely doing something way too slow.

                                                                                                                                                                                              • derefr 10 days ago

                                                                                                                                                                                                Apple replaced the very simple (i.e. function fits in a cache line; inputs fit in a single dword) BSD user/group/other filesystem privileges system, with a Lisp interpreter (or maybe compiler? not sure) executing some security DSL[1][2].

                                                                                                                                                                                                This capabilities-ruleset interpreter is what Apple uses the term "Gatekeeper" to refer to, mostly. It had already been put in charge of authorizing most Cocoa-land system interactions as of 10.12. But the capabilities-ruleset interpreter wasn't in the code-path for any BSD-land code until 10.15.

                                                                                                                                                                                                A capabilities-ruleset "program" for this interpreter can be very simple (and thus quick to execute), or arbitrarily complex. In terms of how complex a ruleset can get—i.e. what the interpreter's runtime allows it to take into consideration in a single grant evaluation—it knows about all the filesystem bitflags BSD used to, plus Gatekeeper-level grants (e.g. the things you do in Preferences; the "" xattr), plus external system-level capabilities "hotfixes" (i.e. the same sort of "rewrite the deployed code after the fact" fixes that GPU makers deploy to make games run better, but for security instead of performance), plus some stuff (that I don't honestly know too much about) that can require it to contact Apple's servers during the ruleset execution. Much of this stuff can be cached between grant requests, but some of it will inevitably have to hit the disk (or the network!) for a lookup—in the middle of a blocking syscall.

                                                                                                                                                                                                I'm not sure whether it's the implementation (an in-kernel VM doesn't imply slowness; see eBPF) or the particular checks that need to be done, but either way, it adds up to a bit of synchronous slowness per call.

                                                                                                                                                                                                The real killer that makes you notice the problem, though, isn't the per-call overhead, but rather that the whole security subsystem seems to now have an OS-wide concurrency bottleneck in it for some reason. I'm not sure where it is, exactly; the "happy path" for capabilities-grants shouldn't make any Mach IPC calls at all. But it's bottlenecked anyway. (Maybe there's Mach IPC for audit logging?)

                                                                                                                                                                                                The security framework was pretty obviously structured to expect that applications would only send it O(1) capability-grant requests, since the idiomatic thing to do when writing a macOS Cocoa-userland application, if you want to work with a directory's contents, is to get a capability on a whole directory-tree from a folder-picker, and then use that capability to interact with the files.

                                                                                                                                                                                                Under such an approach, the sandbox system would never be asked too many questions at a time, and so you'd never really end up in a situation where the security system is going to be bottlenecked for very long. You'd mostly notice it as increased post-reboot startup latency, not as latency under regular steady-state use.

                                                                                                                                                                                                Under an approach where you've got many concurrent BSD "filesystem walker" processes, each spamming individual fopen(2)-triggered capability requests into the security system, though, a failure-to-scale becomes very apparent. Individual capabilities-grant requests go from taking 0.1s to resolve, to sometimes over 30s. (It's very much like the kind of process-inbox bottlenecks you see in Erlang, that are solved by using process pools or ETS tables.)

                                                                                                                                                                                                Either Apple should have rethought the IPC architecture of sandboxing in 10.15, but forgot/deprioritized this; or they should have made their BSD libc transparently handle "push down" of capabilities to descendent requests, but forgot/deprioritized that.

                                                                                                                                                                                                • comex 10 days ago

                                                                                                                                                                                                  The Scheme interpreter only runs when compiling a sandbox. It's compiled into a simple non-Turing-complete bytecode, and that's what's consulted on every syscall. This has been the case since… 10.5 or something. It's always been on the path for BSD code. And Cocoa operations lower to BSD syscalls anyway. There's no system for them to get a "capability" for a directory tree; on the contrary, file descriptors ought to be able to serve as capabilities, but the Sandbox kext stupidly computes the full path for every file that's accessed before matching it against a bunch of regexes. This too has been the case as long as Sandbox has existed.

                                                                                                                                                                                                  There is a bunch of new stuff in 10.15, mostly involving binary execs (and I don't understand all of it), but I'm pretty sure it doesn't match what you're describing.

                                                                                                                                                                                                  • saagarjha 10 days ago

                                                                                                                                                                                                    > Lisp interpreter (or maybe compiler? not sure)

                                                                                                                                                                                                    I believe it is actually a Scheme dialect, and I would be very surprised if it is not compiled to some internal representation upon load.

                                                                                                                                                                                                    > This capabilities-ruleset interpreter is what Apple uses the term "Gatekeeper" to refer to, mostly.

                                                                                                                                                                                                    I am fairly sure Gatekeeper is mostly just Quarantine and other bits that prevent the execution of random things you download from the internet.

                                                                                                                                                                                                    • lioeters 10 days ago

                                                                                                                                                                                                      In the Apple Sandbox Guide v1.0 [1], it mentions Dionysus Blazakis' paper [2] presented at Blackhat DC 2011.

                                                                                                                                                                                                      In the latter, Apple's sandbox rule set (custom profiles) is called SBPL - Sandbox Profile Language - and is described as a "Scheme embedded domain specific language".

                                                                                                                                                                                                      It's evaluated by libSandbox, which contains TinyScheme! [3]

                                                                                                                                                                                                      From what I could understand, the Scheme interpreter generates a blob suitable for passing to the kernel.

                                                                                                                                                                                                      • saagarjha 10 days ago

                                                                                                                                                                                                        That sounds about right. I was doing some work in this area very recently, which found a couple of methods to bypass sandboxing entirely, but somewhat humorously the issues did not require me to have any understanding of how the lower levels of this worked ;)

                                                                                                                                                                                                        • lioeters 10 days ago

                                                                                                                                                                                                          Blazakis' paper is a fascinating investigative/exploratory work, delving deep into the sandbox mechanism. I learned more than I wanted to know!

                                                                                                                                                                                                          • saagarjha 10 days ago

                                                                                                                                                                                                            Yeah, it's on my reading list :)

                                                                                                                                                                                                    • jfkebwjsbx 10 days ago

                                                                                                                                                                                                      > Much of this stuff can be cached between grant requests, but some of it will inevitably have to hit the disk (or the network!) for a lookup—in the middle of a blocking syscall.

                                                                                                                                                                                                      Running any kind of I/O during a capability check is a broken design.

                                                                                                                                                                                                      There is no reason to hit the disk (it should be preloaded), much less the network (such a design will never work if offline).

                                                                                                                                                                                                • dcow 10 days ago

                                                                                                                                                                                                  A command like `terraform` shouldn't trigger the check because the quarantine system is bypassed altogether when you download and extract an archive. Maybe this is a red herring and your initial gut inkling is correct.

                                                                                                                                                                                                  • saagarjha 10 days ago

                                                                                                                                                                                                    Try sampling the process as it starts; I doubt your issue is the one shown here.

                                                                                                                                                                                                    • acdha 10 days ago

                                                                                                                                                                                                      > For example, I can run "terraform apply" and it could take up to 5 minutes to start, leaving my computer almost unusable until it runs.

                                                                                                                                                                                                      On a clean Catalina install this does not happen. Does “terraform version” have the same delay? If not, check your remote configuration - maybe run with TF_LOG=trace. Terraform Cloud will definitely highlight the inherent performance problems of using a VPN.

                                                                                                                                                                                                      • jen20 10 days ago

                                                                                                                                                                                                        It is worth noting that `terraform version` connects to HashiCorp’s own checkpoint service by default so this may not be the best test.

                                                                                                                                                                                                      • totetsu 10 days ago

                                                                                                                                                                                                        docker run -i -t -v "$(pwd)":/project hashicorp/terraform:light apply /project/ . Maybe (if your project's terraform version is the latest)?

                                                                                                                                                                                                      • brendangregg 10 days ago

                                                                                                                                                                                                        Adding network calls to syscalls like exec() is utterly insane. This road can lead to bricked laptops where you can't run anything to fix it (imagine an unexpected network error that the code doesn't handle properly). And crackers will just use ways to overwrite running instruction text to avoid the exec().

                                                                                                                                                                                                        The comments on the article are annoying: it's good that there's a mini way to reproduce, but please, use some further debugging like tcpdump (it still exists on osx, right?). Last time I summarized osx debugging was

                                                                                                                                                                                                        I'd also stress test it: generate scripts in a loop that include random numbers and execute them.

                                                                                                                                                                                                        • xvector 10 days ago

                                                                                                                                                                                                          There is no excuse for this except for sheer, utter incompetence. Everyone involved in writing and shipping this should be ashamed of themselves.

                                                                                                                                                                                                          • drvdevd 10 days ago

                                                                                                                                                                                                            This is what I scrolled all the way down this thread for - to see if anyone thinks this is a good design/security decision on Apple's part. I’m trying to understand what the reasoning is for this particular decision and if it actually makes the OS more secure in any meaningful way? Or does it actually just degrade performance with very limited benefits? Are there any real benefits to this vs the current security design in popular Desktop Linux distros at this point?

                                                                                                                                                                                                            • HappyDreamer 10 days ago

                                                                                                                                                                                                              Couldn't this have been a business decision? Not about security? (just what they say?)

                                                                                                                                                                                                              To make non-App-store apps annoyingly unusable, so the App store will sell more apps, instead of people downloading in other ways?

                                                                                                                                                                                                              Just like Apple cripples the Safari browser and PWA apps.

                                                                                                                                                                                                              Long term, maybe Apple wants to be able to remote-forbid apps if Apple is developing their own competing app?

                                                                                                                                                                                                              Whilst most developers working at Apple understand this, and don't like it? Maybe the developers even feel happy about people here at HN being disappointed, and think that "now the business people here at Apple notice that this causes disappointment"?

                                                                                                                                                                                                              • fluffything 10 days ago

                                                                                                                                                                                                                Most of the apps that sell well originate from a developer solving a need they had, on the system they were using.

                                                                                                                                                                                                                If this drives developers from OSX to other OSes, chances are they will develop apps for those OSes first.

                                                                                                                                                                                                                Apple is too big to fail at this point, but driving developers away from your platform isn't a very clever strategy. You never know when you are going to hit a tipping point, and after you notice and people stop using macosx for development it's already too late.

                                                                                                                                                                                                                It took me ~150 hours to migrate to Linux, but my user and developer experience on Linux is much better than on MacOSX (emacs daemon "just works"!!!), so after all that work I wouldn't consider switching to OSX in the next 5 years at least. I had a Macbook air 2012, and because Apple still hasn't released a laptop that isn't a downgrade from that in some sense (keyboard, magsafe, ...) I went with a ThinkPad instead. Tiny details, like having a webcam that doesn't suck, now prevent me from going back to OSX.

                                                                                                                                                                                                                • saagarjha 10 days ago

                                                                                                                                                                                                                  I don't think the people at Apple are actively trying to make non-App Store apps unusable because they want to make more money from the App Store or anything. It's just that they want code to pass through them, and as a by-product, code that has been vetted less or does things that could potentially be abused is made more annoying to run. Such a change is divisive, as you may have guessed.

                                                                                                                                                                                                                  • michaelmrose 10 days ago

                                                                                                                                                                                                                    That vetting will come at the cost of 30% of money paid for your software and any money earned within the software.

                                                                                                                                                                                                              • saagarjha 10 days ago

                                                                                                                                                                                                                It checks that executables have been notarized by Apple? I can't say I really think notarization is great, but I think it's clear from their perspective how it would be beneficial?

                                                                                                                                                                                                                • drvdevd 10 days ago

                                                                                                                                                                                                                  Sure. But as Brendan Gregg pointed out in his comment - doing this at the level of exec() on a UNIX-like OS is ... a questionable technical choice to say the least.

                                                                                                                                                                                                                  What’s the Linux equivalent of “notarization”? I’m not sure. Of course there’s probably more than one answer to that - let’s just take signing packages as an example.

                                                                                                                                                                                                                  In theory Apple could put their weight behind vetting some of the popular open source packages perhaps? Or delegate that to the maintainers of those repositories and make them trusted? Like homebrew, for example (maybe a poor example, but you see how I’m trying to compare this with Linux...)

                                                                                                                                                                                                                  This is after all, what actually makes macOS useful to people on the command line 99% of the time, anyway.

                                                                                                                                                                                                                  So anyway, I agree on the surface it seems like this might be beneficial to Apple, but it doesn’t appear to be well considered.

                                                                                                                                                                                                                  They could invest more time in better sandbox and/or container type features that let people define some of their own more granular security boundaries. But they aren’t I guess? What are they doing here?

                                                                                                                                                                                                                  • pjmlp 10 days ago

                                                                                                                                                                                                                    Apple OSes never were about CLI, pre-OS X you didn't have a CLI as standard OS feature.

                                                                                                                                                                                                                    Selling UNIX underpinning was just a marketing move for willing to betray GNU/Linux and BSD in name of a better laptop experience, instead of helping OEMs selling their stuff.

                                                                                                                                                                                                                    Something that NeXT also did against the Sun workstations market.

                                                                                                                                                                                                                    On the Linux side, this kind of security measure never works, because the moment someone introduces something like this, the distribution gets forked.

                                                                                                                                                                                                                    It works on ChromeOS and Android, because it hardly matters to userspace that Linux is the actual kernel; Google could embark (and it actually is) on a kernel replacement project and most stuff would just work.

                                                                                                                                                                                                                    • saagarjha 10 days ago

                                                                                                                                                                                                                      I'm not sure I particularly appreciate your use of the word "betray" for the BSDs. Sure, macOS is not really a great adherent to the GNU philosophy, but for the BSDs it actually did fairly well for a while. (It's still true UNIX, if barely.)

                                                                                                                                                                                                                      • pjmlp 10 days ago

                                                                                                                                                                                                                        Take it as you wish; if those users were actually supportive of the BSDs, they would be giving their hard-earned cash directly to OEMs selling proper FreeBSD, OpenBSD, NetBSD, DragonFly based devices.

                                                                                                                                                                                                                        One cannot give the money to Apple instead and then come back and complain that they were misled.

                                                                                                                                                                                                                        NeXTSTEP was also a true UNIX; that wasn't why most businesses bought it, rather RenderMan and other graphics-based tooling.

                                                                                                                                                                                                                        I have used Apple platforms on and off since the LC II days, their commercial view was always quite clear to me.

                                                                                                                                                                                                                  • john_alan 10 days ago

                                                                                                                                                                                                                    Watching the notarization video from WWDC last year they explicitly said it wouldn’t affect command line apps.

                                                                                                                                                                                                                    • saagarjha 10 days ago

                                                                                                                                                                                                                      I believe that some of the problems here have actually started affecting command line apps in Catalina.

                                                                                                                                                                                                                      • john_alan 10 days ago

                                                                                                                                                                                                                        Only if you don't specify your terminal as a dev tool.

                                                                                                                                                                                                              • will_pseudonym 10 days ago

                                                                                                                                                                                                                Hey, malevolence can also play into this. Don't chalk everything up automatically to incompetence. /s

                                                                                                                                                                                                                • pmarreck 10 days ago

                                                                                                                                                                                                                  There’s going to be a big exodus of open source developers going to Linux-powered platforms instead of the standard Mac laptop because of this ridiculousness.

                                                                                                                                                                                                                  • jfkebwjsbx 10 days ago

                                                                                                                                                                                                                    > the standard Mac laptop

                                                                                                                                                                                                                    There is nothing standard about a Mac laptop, both technically and in market share.

                                                                                                                                                                                                                    • pmarreck 9 days ago

                                                                                                                                                                                                                      Well, I'd say 90% of the computers I've seen at the last 10 confs I've attended were MacBook Pros.


                                                                                                                                                                                                                    • saagarjha 10 days ago

                                                                                                                                                                                                                      At Silicon Valley technology companies? A Mac is generally the computer that you're likely to get.

                                                                                                                                                                                                                      • jfkebwjsbx 10 days ago

                                                                                                                                                                                                                        Silicon Valley is a very small dot in the global scale.

                                                                                                                                                                                                                        • IshKebab 9 days ago

                                                                                                                                                                                                                          It's not just Silicon Valley. In the last two companies I've worked in in the UK everyone had Macbooks.

                                                                                                                                                                                                                          • saagarjha 10 days ago

                                                                                                                                                                                                                            A fairly influential one, nonetheless.

                                                                                                                                                                                                                            • jfkebwjsbx 10 days ago

                                                                                                                                                                                                                              Influential in technology output? Yeah. Influential in Mac market share? Not in the slightest.

                                                                                                                                                                                                                              Companies around the globe don’t care one bit about which laptops SV companies are buying.

                                                                                                                                                                                                                      • cageface 10 days ago

                                                                                                                                                                                                                        This is happening at my company already because docker performance on Macs is terrible.

                                                                                                                                                                                                                        • millstone 10 days ago

                                                                                                                                                                                                                          On the one hand, of course it is, because Macs are slow at running Linux stuff in the same way that Linux is slow at running non-Linux stuff.

                                                                                                                                                                                                                          On the other hand, Apple should decide if they care about Docker performance. The answer seems to be "a little" (Hypervisor.framework) but much less than, say, Microsoft.

                                                                                                                                                                                                                          Apple doesn't talk about their future plans. Today we see stagnation, YET with spikes of exotic ideas (e.g. L4, which would permit efficient L4 Linux).

                                                                                                                                                                                                                          Per Apple's style, a big kernel change on the Mac side would absolutely be tied to a hardware change, to break things once and not twice. Build a new Mac with a Linux-friendly kernel (perhaps Linux, perhaps modified L4, or something new), put it on their beastly ARM CPUs, and I'm drooling.

                                                                                                                                                                                                                          Then again I don't work at Apple.

                                                                                                                                                                                                                          • pmarreck 9 days ago

                                                                                                                                                                                                                            Is that slowness possibly related to the OP's issue? And possibly might benefit from the same workarounds posted here?

                                                                                                                                                                                                                      • saagarjha 10 days ago

                                                                                                                                                                                                                        > And crackers will just use ways to overwrite running instruction text to avoid the exec().

                                                                                                                                                                                                                        This would require breaking your code signature and as such requires extra entitlements in the hardened runtime.

                                                                                                                                                                                                                        • xenadu02 7 days ago

                                                                                                                                                                                                                          That's not quite correct. If network access is unavailable or fails then the exec is allowed. The behavior has been improved over time, putting stricter limits on how long the check is allowed to take before giving up.

                                                                                                                                                                                                                          The Mac remains a Mac: if you turn off SIP it also disables this behavior. You are free to choose less security for more convenience if that is your preference.

                                                                                                                                                                                                                          • ridiculous_fish 10 days ago

                                                                                                                                                                                                                            • saagarjha 10 days ago

                                                                                                                                                                                                                              …with everything to do with the sandbox left out.

                                                                                                                                                                                                                              • ridiculous_fish 10 days ago

                                                                                                                                                                                                                                Fair point. These tarballs may be, err, editorialized.

                                                                                                                                                                                                                                If exec is blocking in the kernel on IPC to some daemon, that should be observable (e.g. Instruments with kernel traces enabled).

                                                                                                                                                                                                                                • saagarjha 10 days ago

                                                                                                                                                                                                                                  Yeah, I'm sure a good spindump would be able to find what the code is blocked on. Sadly I run with SIP disabled so I can attach to things, so I probably cannot reproduce the issue…

                                                                                                                                                                                                                              • m463 8 days ago

                                                                                                                                                                                                                                Most of the important parts are left out.

                                                                                                                                                                                                                                At this point open source and Apple are sort of on life support.

                                                                                                                                                                                                                              • millstone 10 days ago

                                                                                                                                                                                                                                Well NFS and SMB exist, you can exec() on such mounts.

                                                                                                                                                                                                                              • nromiun 10 days ago

                                                                                                                                                                                                                                > This is not just for files downloaded from the internet, nor is it only when you launch them via Finder, this is everything. So even if you write a one line shell script and run it in a terminal, you will get a delay!

                                                                                                                                                                                                                                > Apple’s most recent OS where it appears that low-level system API such as exec and getxattr now do synchronous network activity before returning to the caller.

                                                                                                                                                                                                                                Can anyone confirm this? Because honestly this is just terrifying. I don't think even Windows authorises every process from a server. This doesn't sound good for either privacy or speed.

                                                                                                                                                                                                                                • mbreese 10 days ago

                                                                                                                                                                                                                                  There are two new Security/Privacy Settings that I just noticed last night.

                                                                                                                                                                                                                                  "Full Disk Access" to allow a program to access any place on your computer without a warning. A few programs requested this, so it looks like it's been around for a while.

                                                                                                                                                                                                                                  The other one is "Developer Tools" and it looks pretty new. The only application requesting it is "Terminal". This "allows app to run software locally that do not meet the system's security policy". So, my reading of this is that in Terminal, you could run scripts that are unsigned and not be penalized speed-wise.

                                                                                                                                                                                                                                  • oefrha 10 days ago

                                                                                                                                                                                                                                    I don't see it on macOS 10.15.4 (19E287). The full list of categories on my Privacy tab:

                                                                                                                                                                                                                                      - Location Services
                                                                                                                                                                                                                                      - Contacts
                                                                                                                                                                                                                                      - Calendars
                                                                                                                                                                                                                                      - Reminders
                                                                                                                                                                                                                                      - Photos
                                                                                                                                                                                                                                      - Camera
                                                                                                                                                                                                                                      - Microphone
                                                                                                                                                                                                                                      - Speech Recognition
                                                                                                                                                                                                                                      - Accessibility
                                                                                                                                                                                                                                      - Input Monitoring
                                                                                                                                                                                                                                      - Full Disk Access
                                                                                                                                                                                                                                      - Files and Folders
                                                                                                                                                                                                                                      - Screen Recording
                                                                                                                                                                                                                                      - Automation
                                                                                                                                                                                                                                      - Advertising
                                                                                                                                                                                                                                      - Analytics & Improvements
                                                                                                                                                                                                                                    Granted I don't typically use (iTerm 2 user), so I launched terminal and did some privileged stuff. Had to grant Full Disk Access to, say, `ls ~/Library/Mail`, but "Developer Tools" never popped up.

                                                                                                                                                                                                                                    Are you running a beta build or something?


                                                                                                                                                                                                                                    Update: Okay, I checked on my other machine and that one does have it (Terminal is listed but disabled by default). What in the actual fuck?!?

                                                                                                                                                                                                                                    • xenadu02 10 days ago

                                                                                                                                                                                                                                      You can make the category appear and put Terminal in it with this command:

                                                                                                                                                                                                                                      sudo spctl developer-mode enable-terminal

                                                                                                                                                                                                                                      • saagarjha 10 days ago

                                                                                                                                                                                                                                        It'd be nice if this was documented somewhere :/

                                                                                                                                                                                                                                        • hanche 10 days ago

                                                                                                                                                                                                                                          I was going to be that guy and say “man spctl”, but that usage isn’t listed there. If you run spctl with no arguments, it will tell you, however. The man pages on macOS really do leave something to be desired.

                                                                                                                                                                                                                                          • acecilia 9 days ago

                                                                                                                                                                                                                                            This does not make the "developer tools" panel show up on my machine :( Tried everything already.

                                                                                                                                                                                                                                      • saagarjha 10 days ago

                                                                                                                                                                                                                                        I don't see it on my machine. Do you happen to have System Integrity Protection disabled?

                                                                                                                                                                                                                                        • oefrha 10 days ago

                                                                                                                                                                                                                                          No, SIP is fully enabled on both the machine with the Developer Tools category and the one without.

                                                                                                                                                                                                                                          Interestingly, I rebooted the machine without after some benchmarking and experimentation with syspolicyd (see, and after the reboot the category has mysteriously surfaced... Not sure what triggered it. Launching Xcode? Xcode and CLT were both installed on the machine, but I'm not sure when I last launched Xcode on this machine. Another possible difference I can think of: the machine without was an in-place upgrade, while the other one IIRC was a clean install of 10.15.

                                                                                                                                                                                                                                          In the worst case scenario, you can probably insert into the TCC database (just a SQLite3 database, located at ~/Library/Application Support/ directly:

                                                                                                                                                                                                                                            INSERT INTO access VALUES('kTCCServiceDeveloperTool','',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1590165238);
                                                                                                                                                                                                                                            INSERT INTO access VALUES('kTCCServiceDeveloperTool','com.googlecode.iterm2',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1590168367);
                                                                                                                                                                                                                                          (Should be pretty self-explanatory. The first entry is for, the second entry is for iTerm 2.)

                                                                                                                                                                                                                                          Back up, obviously. I'm not on the hook for any data loss or system bricking.
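An added example (not code from the thread or from Apple) that turns the manual INSERT above into something you can run safely: it backs up the database first, lists what already has the Developer Tools grant, and only inserts a row for a bundle id that has none. The column layout is assumed from the shape of the two INSERT statements posted above (12 columns, in that order); the real TCC.db path and exact schema on your macOS version are not verified here, and, as noted below, writing to the real database still requires SIP to be disabled. The scratch-database helper exists only so the demo runs anywhere.

```python
"""Inspect and idempotently add a kTCCServiceDeveloperTool grant in a TCC-style SQLite db.

Added example, not from the thread. ACCESS_COLUMNS is assumed from the posted
INSERT statements; point grant_developer_tool() at a copy of your real TCC.db
only after checking the schema with `sqlite3 TCC.db .schema access`.
"""
import os
import shutil
import sqlite3
import tempfile
import time

SERVICE = "kTCCServiceDeveloperTool"

# Assumed column order, matching the 12 values in the posted INSERT statements.
ACCESS_COLUMNS = (
    "service", "client", "client_type", "allowed", "prompt_count",
    "csreq", "policy_id", "indirect_object_identifier_type",
    "indirect_object_identifier", "indirect_object_code_identity",
    "flags", "last_modified",
)


def make_scratch_db():
    """Create an empty database with the assumed access-table layout (demo only).

    Never run this against a real TCC.db; it is here so the example is self-contained.
    """
    path = os.path.join(tempfile.mkdtemp(prefix="tcc-demo-"), "TCC-scratch.db")
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access ("
        "service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL, "
        "allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB, "
        "policy_id INTEGER, indirect_object_identifier_type INTEGER, "
        "indirect_object_identifier TEXT, indirect_object_code_identity BLOB, "
        "flags INTEGER, last_modified INTEGER, "
        "PRIMARY KEY (service, client, client_type))"
    )
    conn.commit()
    conn.close()
    return path


def developer_tool_clients(db_path):
    """Return {client: allowed} for every row that mentions the Developer Tools service."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT client, allowed FROM access WHERE service = ? ORDER BY client",
            (SERVICE,),
        ).fetchall()
    finally:
        conn.close()
    return {client: bool(allowed) for client, allowed in rows}


def grant_developer_tool(db_path, bundle_id, now=None):
    """Back up db_path, then insert an 'allowed' row for bundle_id if it has none.

    Returns True when a row was inserted, False when the bundle already had a row
    (an existing row, allowed or denied, is left alone rather than overwritten).
    """
    now = int(time.time()) if now is None else now
    shutil.copy2(db_path, db_path + ".bak")  # back up before touching anything
    conn = sqlite3.connect(db_path)
    try:
        if conn.execute(
            "SELECT 1 FROM access WHERE service = ? AND client = ?",
            (SERVICE, bundle_id),
        ).fetchone():
            return False
        conn.execute(
            "INSERT INTO access (%s) VALUES (%s)"
            % (", ".join(ACCESS_COLUMNS), ", ".join("?" * len(ACCESS_COLUMNS))),
            (SERVICE, bundle_id, 0, 1, 1, None, None, None, "UNUSED", None, 0, now),
        )
        conn.commit()
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    db = make_scratch_db()
    print(grant_developer_tool(db, "com.googlecode.iterm2", now=1590168367))
    print(developer_tool_clients(db))
```

The existence check matters because the posted INSERTs would fail on a duplicate primary key rather than update anything; refusing to overwrite also means a deliberate deny row is not silently flipped to allow.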

                                                                                                                                                                                                                                          • saagarjha 10 days ago

                                                                                                                                                                                                                                            > In the worst case scenario, you can probably insert into the TCC database

                                                                                                                                                                                                                                            Does this not require disabling SIP?

                                                                                                                                                                                                                                            • oefrha 10 days ago

                                                                                                                                                                                                                                              Yes. I got mine to appear through mysterious yet fully SIP-enabled means, but if all else fails for you you can temporarily disable SIP to change this.

                                                                                                                                                                                                                                        • Sangeppato 10 days ago

                                                                                                                                                                                                                                          Maybe you need Xcode, try running "mkdir /Applications/"

                                                                                                                                                                                                                                          • oefrha 10 days ago

                                                                                                                                                                                                                                            As mentioned in a reply to a sibling, Xcode has been installed (for like five years) on this machine, and launching it doesn't help. The next step would be to compile and run an application with it, which I haven't bothered.

                                                                                                                                                                                                                                            • saagarjha 10 days ago

                                                                                                                                                                                                                                              I would expect checks for Xcode to go through xcselect rather than a simple directory check. Installing the command line tools (sudo xcode-select --install) might actually be a better idea to test this.

                                                                                                                                                                                                                                              • Sangeppato 10 days ago

                                                                                                                                                                                                                                                I thought the same, but actually this method worked for me when I wanted the Spotlight "Developer" option to show up (the CLT were already installed). I have the Developer panel under "privacy" as well, even if I never installed Xcode on my machine

                                                                                                                                                                                                                                            • mbreese 10 days ago

                                                                                                                                                                                                                                              Maybe if you ran once it would work?

                                                                                                                                                                                                                                              (I'm also on 10.15.4 (19E287))

                                                                                                                                                                                                                                              • oefrha 10 days ago

                                                                                                                                                                                                                                                No, I played around with for quite a while already. Actually the category does show up on another machine of mine (see edit)... I suspected that maybe I never ran Xcode on the first machine since I upgraded to Catalina, so I launched Xcode, but again, no luck. I'm at a complete loss now.

                                                                                                                                                                                                                                                • asdff 10 days ago

                                                                                                                                                                                                                                                  Terminal actually gives an error if you poke into the top level library folder with full disk access disabled, no prompt to change without me looking on stack overflow for the solution.

                                                                                                                                                                                                                                              • 0x0 10 days ago

                                                                                                                                                                                                                                                I wonder what "Developer Tools" grants in practice. Clicking the (?) for viewing built-in help does not mention this particular setting, it skips right over it going from "Automation" above it to "Advertising" below it.

                                                                                                                                                                                                                                                • saagarjha 10 days ago

                                                                                                                                                                                                                                                  I believe it means the process will no longer check for the Quarantine xattr.

                                                                                                                                                                                                                                                  • 0x0 9 days ago

                                                                                                                                                                                                                                                    But the quarantine xattr has nothing to do with checking notarization?

                                                                                                                                                                                                                                                • ether_at_cpan 8 days ago

                                                                                                                                                                                                                                                  via, I've added an entry in my /etc/hosts to block requests to

                                                                                                                                                                                                                                                  • ken 10 days ago

                                                                                                                                                                                                                                                    Full Disk Access was added in 10.14 (2018), so it's relatively new.

                                                                                                                                                                                                                                                    • jhrmnn 10 days ago

                                                                                                                                                                                                                                                      I'm using the Kitty terminal, and observed the script launch delay described in the blog post. After adding Kitty to "Developer Tools", the delay disappeared. Thanks!

                                                                                                                                                                                                                                                    • dTal 10 days ago

                                                                                                                                                                                                                                                      Making this about speed is burying the lede. From a privacy and user-freedom perspective, it's horrifying.

                                                                                                                                                                                                                                                      Don't think so? Apple now theoretically has a centralized database of every Mac user who's ever used youtube-dl. Or Tor. Or TrueCrypt.

                                                                                                                                                                                                                                                      • gitgud 10 days ago

                                                                                                                                                                                                                                                        Richard Stallman's ideals have become a bit less crazy for me now...

                                                                                                                                                                                                                                                        Either you have the ability to control the software, or it controls you

                                                                                                                                                                                                                                                        • verytrivial 10 days ago

                                                                                                                                                                                                                                                          I think coming to this realisation about Stallman's ideas (not the man, mind) is something that most rational computer users are bound to do. It happens at different times for different people, but I think people very rarely go back after that "Hang on a second ....??" moment.

                                                                                                                                                                                                                                                          • m463 8 days ago

                                                                                                                                                                                                                                                            I remember once he said "proprietary software subjugates people" and I just sort of blinked a bit. It seemed sort of over the top. And over time I started to understand that the way things end up working out, it is very true.

                                                                                                                                                                                                                                                        • hexchain 8 days ago

                                                                                                                                                                                                                                                          I always wonder why people usually choose to neglect privacy issues about Apple.

                                                                                                                                                                                                                                                          First, there was Apple scanning photos to check for child abuse[0] (that obviously got no attention on this site), then there was this one - Apple uploading hashes of all unsigned executables you run.

                                                                                                                                                                                                                                                          Do people really accept that company's "privacy" selling point?

                                                                                                                                                                                                                                                          • acecilia 9 days ago

                                                                                                                                                                                                                                                            Is it even legal that Apple is retrieving this information?

                                                                                                                                                                                                                                                            • threeseed 10 days ago

                                                                                                                                                                                                                                                              Apple already has every iPhone user's photos, messages, browsing history, keychains etc.

                                                                                                                                                                                                                                                              Not sure how a list of installed apps is going to be worse than that.

                                                                                                                                                                                                                                                              • saagarjha 10 days ago

                                                                                                                                                                                                                                                                Not if you choose to not sync them.

                                                                                                                                                                                                                                                                • radicaldreamer 10 days ago

                                                                                                                                                                                                                                                                  Yup, you can choose to not use iCloud backup and back up offline in an encrypted way (even over wifi) if you’d like.

                                                                                                                                                                                                                                                            • ccmcarey 10 days ago

                                                                                                                                                                                                                                                              How could this possibly not be absolutely awful on projects that run hundreds of executables during their execution (e.g. some shell wrappers like oh-my-zsh call out to a large amount of different scripts every time they run).

                                                                                                                                                                                                                                                              • parhamn 10 days ago

                                                                                                                                                                                                                                                                It looks like it is done once by executable lifetime. Changing the content doesn't cause it to rerun.

                                                                                                                                                                                                                                                                • gowld 10 days ago

                                                                                                                                                                                                                                                                  If you don’t trust Apple, don’t run a multi Gigabyte closed source OS they provide.

                                                                                                                                                                                                                                                                • parhamn 10 days ago

                                                                                                                                                                                                                                                                  I can confirm that executing a trivial script takes 20-200ms longer on the first run. Using 10.15.
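An added example (not code from the thread) that automates the experiment the commenters above are running by hand: write a script with a random name and random content, time its first execution, time a second one, then rewrite the file in place and time again to see whether the first-run cost comes back when the content changes. It asserts nothing about the size of the delay, since that depends on the OS and the network; on Catalina the first timing is the one that includes the round trip, and adding latency as described earlier in the thread makes the gap obvious.

```python
"""Time first, repeat, and post-rewrite executions of a never-before-seen script.

Added example, not from the thread. Uses only the standard library; the script
it writes is a constructed two-line /bin/sh file in a fresh temp directory.
"""
import os
import random
import stat
import subprocess
import tempfile
import time


def write_script(path, marker):
    """Write a tiny shell script whose content embeds `marker`, and mark it executable."""
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho hello %s\n" % marker)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def timed_run(path):
    """Execute `path` directly (so the exec-time check applies) and return (seconds, stdout)."""
    start = time.perf_counter()
    out = subprocess.run([path], capture_output=True, text=True, check=True).stdout
    return time.perf_counter() - start, out.strip()


def first_run_penalty(workdir=None):
    """Return timings for: first run, second run, and a run after the content is rewritten."""
    workdir = workdir or tempfile.mkdtemp(prefix="firstrun-")
    # Random name and random content so neither the path nor the hash has been seen before.
    marker = "%08x" % random.getrandbits(32)
    path = os.path.join(workdir, "probe-%s.sh" % marker)
    write_script(path, marker)
    first, out1 = timed_run(path)
    second, out2 = timed_run(path)
    # Same path, new content: tests the claim that a content change does not re-trigger the check.
    write_script(path, marker + "-changed")
    rewritten, out3 = timed_run(path)
    return {
        "path": path,
        "first_s": first,
        "second_s": second,
        "rewritten_s": rewritten,
        "first_penalty_s": first - second,
        "outputs": (out1, out2, out3),
    }


if __name__ == "__main__":
    r = first_run_penalty()
    print("%s\n  first run:      %.3fs\n  second run:     %.3fs\n  after rewrite:  %.3fs\n"
          "  first-run penalty: %+.3fs"
          % (r["path"], r["first_s"], r["second_s"], r["rewritten_s"], r["first_penalty_s"]))
```

Each call is a single sample, so repeat it a few times before drawing conclusions; a penalty of a few milliseconds is just process start-up noise, while the hundreds of milliseconds to seconds reported in this thread only appear on the first timing.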

                                                                                                                                                                                                                                                                  • neurobashing 10 days ago

                                                                                                                                                                                                                                                                    not sure if I'm lucky or somehow I disabled something but the trivial script problem isn't affecting me on any of my machines. I am using Homebrew for a large % of command line/scripting so maybe that's why?

                                                                                                                                                                                                                                                                    • greatjack613 10 days ago

                                                                                                                                                                                                                                                                      Privacy it may be a plus since in theory notarization provides some protection.

                                                                                                                                                                                                                                                                      Speed, definitely not, this is going to make things slowwwww

                                                                                                                                                                                                                                                                      • tromp 10 days ago

                                                                                                                                                                                                                                                                        > provides some protection.

                                                                                                                                                                                                                                                                        That's security, not privacy...

                                                                                                                                                                                                                                                                        • sooheon 10 days ago

                                                                                                                                                                                                                                                                          Although insecurity leads to less privacy as well.

                                                                                                                                                                                                                                                                          • ashtonkem 10 days ago

                                                                                                                                                                                                                                                                            Insecurity leads to loss of privacy, but security does not lead to privacy. Things can be secure and non-private by design.

                                                                                                                                                                                                                                                                            • yjftsjthsd-h 10 days ago

                                                                                                                                                                                                                                                                              Sometimes, but sometimes security measures lead to less privacy. Say, if executing local programs sends information to a remote server.

                                                                                                                                                                                                                                                                              • Razengan 10 days ago

                                                                                                                                                                                                                                                                                If that information can’t be used to identify anyone then it retains privacy while being secure. Being slow would still be an issue.

                                                                                                                                                                                                                                                                                • simion314 10 days ago

                                                                                                                                                                                                                                                                                  But you can't be 100% sure that the server where the information is sent is not putting in a database your IP, the app you run and whatever else. As a power user I would prefer a prompt before anything is sent.

                                                                                                                                                                                                                                                                      • gouggoug 10 days ago

                                                                                                                                                                                                                                                                        I experienced this one day while tethering in the train. I was coding and running `go build` multiple times.

                                                                                                                                                                                                                                                        I could not for the life of me understand why go build would take upwards of 30 seconds to run and sometimes 100ms. I finally realized it was related to my internet connection being extremely spotty. I went online and searched if anybody had the same experience with `go build` but couldn't find anything.

                                                                                                                                                                                                                                                                        I finally know what happened. This is a pretty intolerable "feature".

                                                                                                                                                                                                                                                                        • lallysingh 10 days ago

                                                                                                                                                                                                                                                                          Does it work at all when unconnected?

                                                                                                                                                                                                                                                                          • enriquto 10 days ago

                                                                                                                                                                                                                                                            There seems to be a delay of about 5 seconds, then it "gives up" trying to notarize your program.

                                                                                                                                                                                                                                                                            • gouggoug 10 days ago

                                                                                                                                                                                                                                                                              I don't remember if it did or not, but I'm fairly certain it did. (otherwise I'd probably remember it, I think...)

                                                                                                                                                                                                                                                                          • unown 10 days ago

                                                                                                                                                                                                                                                                            As someone living in China, this is my result when I connected to my VPN (this is my normal life, thus I can visit sites like HN):

                                                                                                                                                                                                                                                                            > Hello

                                                                                                                                                                                                                                                                            > /tmp/ 0.00s user 0.00s system 0% cpu 5.746 total

                                                                                                                                                                                                                                                                            > Hello

                                                                                                                                                                                                                                                                            > /tmp/ 0.00s user 0.00s system 79% cpu 0.006 total

                                                                                                                                                                                                                                                                            And even if I didn't connect to my VPN:

                                                                                                                                                                                                                                                                            > Hello

                                                                                                                                                                                                                                                                            > /tmp/ 0.00s user 0.00s system 0% cpu 1.936 total

                                                                                                                                                                                                                                                                            > Hello

                                                                                                                                                                                                                                                                            > /tmp/ 0.00s user 0.00s system 78% cpu 0.005 total

                                                                                                                                                                                                                                                                            That's just ridiculous and unbearable.

                                                                                                                                                                                                                                                                            Apple should provide a way to disable this notarization thing, and the user should still be able to enable SIP while disabling it.

                                                                                                                                                                                                                                                                            additional information:

                                                                                                                                                                                                                                                                            - macOS version: 10.15.4

                                                                                                                                                                                                                                                                            - terminal: iTerm2 3.3.9

                                                                                                                                                                                                                                                                            - didn't install any "security" software

                                                                                                                                                                                                                                                                            • neonate 10 days ago

                                                                                                                                                                                                                                                                              Is HN blocked in China?

                                                                                                                                                                                                                                                                            • wux 10 days ago

                                                                                                                                                                                                                                                                              I'm curious what your results would be with the stock Terminal. Do you have the settings that others have talked about under "Security > Privacy > Developer Tools" with listed? If so, and the results are better with Terminal, then it'd be interesting to see if the issue is fixed when you add iTerm2 to the list of exempted apps as well.

                                                                                                                                                                                                                                                                              • unown 10 days ago

                                                                                                                                                                                                                                                                                I have tried what you suggested. Granting "Developer Tools" access definitely FIXED THIS ISSUE for the specific application.

                                                                                                                                                                                                                                                                                Here is the new result (I only run once for each case):

                                                                                                                                                                                                                                                                                    │          │             │ +"Developer Tools" access │
                                                                                                                                                                                                                                                                                    │ terminal │ 1.448/0.004 │ 0.016/0.004               │
                                                                                                                                                                                                                                                                                    │ iTerm2   │ 1.240/0.006 │ 0.024/0.007               │
                                                                                                                                                                                                                                                                                `1.448/0.004` means the first time it is `1.448 total`, and the second time it is `0.004 total`.

                                                                                                                                                                                                                                                                                (It seems I have "good" VPN/internet connection condition at this time)

                                                                                                                                                                                                                                                                            • ccmcarey 10 days ago

                                                                                                                                                                                                                                                                              It doesn't work when there's no network connection, wonder if it would be possible to filter out and automatically block notarization traffic, or if it's all encrypted with cert pinning to prevent this type of MITM+filter.

                                                                                                                                                                                                                                                                              • Karliss 10 days ago

                                                                                                                                                                                                                                                                                Dropping packets when there is an otherwise working connection could potentially make the delay even worse depending on timeout or retry strategy used by Apple code. I assume that in the fast case without network connection it checks the network status flag and doesn't try to do any network connection at all.

                                                                                                                                                                                                                                                                                • ttsda 10 days ago

                                                                                                                                                                                                                                                                                  I'm still on 10.14, but I guess it will show up on Little Snitch. Unless they bundle it with some other more essential traffic.

                                                                                                                                                                                                                                                                              • chipotle_coyote 10 days ago

                                                                                                                                                                                                                                                                                Okay, I've tried this test on my MacBook Air 2020 several times, first by saving the "echo Hello" shell script in an editor and then, because I wasn't getting the results the author experienced, trying again exactly as he wrote it. Essentially the same result:

                                                                                                                                                                                                                                                                                    airyote% echo $'#!/bin/sh\necho Hello' > /tmp/
                                                                                                                                                                                                                                                                                    airyote% chmod a+x /tmp/
                                                                                                                                                                                                                                                                                    airyote% time /tmp/ && time /tmp/
                                                                                                                                                                                                                                                                                    /tmp/  0.00s user 0.00s system 74% cpu 0.009 total
                                                                                                                                                                                                                                                                                    /tmp/  0.00s user 0.00s system 75% cpu 0.007 total
                                                                                                                                                                                                                                                                                Is it possible that Allan Odgaard, as good a programmer as he unquestionably is, has something configured suboptimally on his end? Because it just strikes me as super unlikely that Apple has modified all the Unix shells on macOS to send shell scripts off to be notarized. (From what I've read, while shell scripts can be signed, they can't be notarized, and Gatekeeper is not invoked when you run a shell script in Terminal -- although it is invoked if you launch a "quarantined" shell script from Finder on the first run, but it treats the shell script as an "executable document." This is the way this has worked for years, as I can find references to it in books from 2014.)

                                                                                                                                                                                                                                                                                I have my complaints with macOS Catalina, and I know that Apple's "tighten all the screws" approach to security is anathema to a lot of developers (and if there was a big switch that I could click to disable it all, I probably would), but I'm using Macs running Catalina every day and I gotta admit, they just don't seem to be the dystopian, unlivable hellscape HN keeps telling me they are. At least off the top of my head, I can't think of anything I was doing on my Macs ten years ago that I can't do on my Macs today. ("Yes, but doing it today requires an extra step on the first run that it didn't used to" may be inconvenient, but that's not the same thing as an inability to perform a function -- and an awful lot of complaints about modern Macs seem to be "the security makes this less convenient." There's an argument to be had about whether Catalina's security model strikes the right balance, of course.)

                                                                                                                                                                                                                                                                                • Sangeppato 10 days ago

                                                                                                                                                                                                                                                                                  I don't experience a delay in either, but I've tried running the script with a fresh install of iTerm2 while capturing with Wireshark and it does look like the script triggers a connection to an Apple server

                                                                                                                                                                                                                                                                                  • varenc 10 days ago

                                                                                                                                                                                                                                                                                    I initially saw the delay in, but then it went away! I've made sure Terminal doesn't have the "Developers Tools" permission but the network request delay is still missing.

                                                                                                                                                                                                                                                                                    However, I was able to reproduce this by downloading a whole new terminal app, Alacritty. With the random script and file path I can always reproduce the delay in Alacritty. My guess is might have some special case behavior?

                                                                                                                                                                                                                                                                                    See my comment above on some shell script that does the random file name stuff for you.

                                                                                                                                                                                                                                                                                    • false_kermit 10 days ago

                                                                                                                                                                                                                                                                                      I just ran the same script on iTerm2 and had no delay.

                                                                                                                                                                                                                                                                                      • Sangeppato 10 days ago

                                                                                                                                                                                                                                                                                        I had no delay either until I reinstalled iTerm2, I have no idea why

                                                                                                                                                                                                                                                                                      • chipotle_coyote 10 days ago

                                                                                                                                                                                                                                                                                        Obviously I can't say that's impossible, it would just be... very weird, and would seem to contradict what Apple Developer Relations was saying on Apple's devrel forums as recently as this year.

                                                                                                                                                                                                                                                                                        • defnotashton2 10 days ago

                                                                                                                                                                                                                                                                                          So it's an actual documented fact that it happens. I agree that overall Mac OS X still has a very nice UX and I'll never go back to Windows.. But it's very clear Apple is platforming their OS to the degree they will iOS. It's not weird it's happening, it's real life...

                                                                                                                                                                                                                                                                                      • grishka 10 days ago

                                                                                                                                                                                                                                                                                        > and if there was a big switch that I could click to disable it all, I probably would

                                                                                                                                                                                                                                                                                        First, disable SIP to allow yourself to modify the system. Then, disable AMFI, the component responsible for code signature checking, entitlement enforcement and all that very useful stuff, with a kernel argument:

                                                                                                                                                                                                                                                                                            nvram boot-args="amfi_get_out_of_my_way=0x1"

                                                                                                                                                                                                                                                                                        Then you should be done.

                                                                                                                                                                                                                                                                                        • nightowl_games 9 days ago

                                                                                                                                                                                                                                                                                          That argument reads to me like the implementer knew this stuff was obtrusive.

                                                                                                                                                                                                                                                                                        • jaykru 10 days ago

                                                                                                                                                                                                                                                                                          I might be wrong about this but if you're running a shebang'd script directly as an executable, they wouldn't need to modify the behavior of the shell itself but rather the executable loader. It would be interesting to see whether, e.g., `bash` doesn't phone home where "./" does.

                                                                                                                                                                                                                                                                                          • ehutch79 10 days ago

                                                                                                                                                                                                                                                                                            10 to one says this is because you've run something calling /bin/sh before.

                                                                                                                                                                                                                                                                                            If he switched the /bin/sh out to /bin/zsh or /bin/bash, whichever his default shell was, he wouldn't have seen the first delay.

                                                                                                                                                                                                                                                                                            • chipotle_coyote 10 days ago

                                                                                                                                                                                                                                                                                              That's plausible -- but I'd be (mildly?) surprised if Apple hadn't pre-okayed binaries they supply with the OS. Even if you flip the Super Paranoia switches in privacy settings, you don't need to give macOS explicit permission to launch Apple-supplied binaries from the Finder.

                                                                                                                                                                                                                                                                                            • mrits 10 days ago

                                                                                                                                                                                                                                                                                              Most vendors have separate engines for detecting malicious scripts. I'd assume notarizing is more about executables, in which case it would be checking the signatures around the shell binary.

                                                                                                                                                                                                                                                                                              Also worth noting "echo" doesn't spawn a process but is a routine in the shell itself. If you replaced echo with something that does spawn a process (like scp) it would be interesting to see the results. And if that doesn't introduce latency then I'd try it with some hello world programs with a UUIDv4 in the binary to ensure they haven't seen the hash before.

                                                                                                                                                                                                                                                                                              • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                > Also worth noting "echo" doesn't spawn a process but is a routine in the shell itself.

                                                                                                                                                                                                                                                                                                In Bash echo is a builtin but /bin/echo also exists if you do actually want to spawn a process.

                                                                                                                                                                                                                                                                                                • mrits 10 days ago

                                                                                                                                                                                                                                                                                                  Maybe OP edited a few times but it doesn't look like they are doing that to me

                                                                                                                                                                                                                                                                                            • fxtentacle 10 days ago

                                                                                                                                                                                                                                                                                              try again with a randomized filename

                                                                                                                                                                                                                                                                                            • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                              There was a thread on the almost-forgotten Cocoa-dev list about this:

                                                                                                                                                                                                                                                                                              > Catalina has a huge number of things that synchronously block application launch, and if any of them fail you get nothing but a hung app. A friend and I have a running discussion of the many ways where an application would just hang and we’d send samples and spindumps, to each other trying to figure out the right daemon or agent to kill to get the process to start responding again. It’s madness.

                                                                                                                                                                                                                                                                                              • twhb 10 days ago

                                                                                                                                                                                                                                                                                                I tested whether running a script you just wrote really contacts Apple to “notarize” it. It does.

                                                                                                                                                                                                                                                                                                I first used the author’s timing method. First runs are consistently about 300 ms, subsequent runs consistently about 3 ms. Something is happening at first run.

                                                                                                                                                                                                                                                                                                Some in the comments are saying it’s “local stuff”, so I tested timing again with internet off. First runs go to about 30 ms, subsequent remain the same. So there is “local stuff”, but it doesn’t explain the delay.

                                                                                                                                                                                                                                                                                                Just to be entirely sure, I installed Little Snitch and got clear confirmation: running a script you just wrote results in syspolicyd connecting to syspolicyd is the Gatekeeper daemon.

                                                                                                                                                                                                                                                                                                I don’t know what exactly is being sent. Maybe somebody else can do a proper packet analysis.
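The measurement twhb describes above (time the first run of a script you just wrote, then time the warm runs, and repeat with the network off) can be automated so the comparison is repeatable. The following harness is an added example, not code from twhb or from any other poster; it assumes python3 is available and uses a 100 ms first-run-minus-warm-run threshold that is my own heuristic, chosen to sit between the ~30 ms "local stuff" and ~300 ms online first runs reported in the post. Each invocation writes a brand-new script with a random name and random content, so nothing is cached for that path, executes it directly (not via `sh path`, since the page's observation concerns direct exec of a fresh file), and reports first-run versus median warm-run wall time. Run it once online and once with the network off to reproduce the post's comparison.

```python
"""Harness for the first-run vs. warm-run timing test from the thread.

Added example (not the poster's code). Assumes python3 and a writable,
exec-capable temp directory. The 100 ms threshold is a constructed heuristic.
"""
import os
import random
import stat
import subprocess
import tempfile
import time


def make_fresh_script(directory=None):
    """Create a never-before-seen executable: random file name and random
    content, so no per-path or per-hash verdict can already be cached."""
    nonce = random.randrange(1 << 32)
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "fresh-%08x.sh" % nonce)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho hello %d\n" % nonce)
    # add the user execute bit; the file is otherwise left at the umask default
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def time_run(path):
    """Execute the script directly once; return (wall time in ms, stdout text)."""
    start = time.perf_counter()
    proc = subprocess.run([path], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, check=True)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return elapsed_ms, proc.stdout.decode()


def first_run_penalty(warm_runs=3, directory=None):
    """Time the first exec of a fresh script, then the median of `warm_runs`
    further execs of the same file. Returns a dict with both timings, their
    difference, and the script's output (so a caller can confirm it ran)."""
    path = make_fresh_script(directory)
    try:
        first_ms, output = time_run(path)
        warm = sorted(time_run(path)[0] for _ in range(warm_runs))
        warm_ms = warm[len(warm) // 2]
    finally:
        os.unlink(path)
    return {
        "path": path,
        "first_ms": first_ms,
        "warm_ms": warm_ms,
        "penalty_ms": first_ms - warm_ms,
        "output": output.strip(),
    }


def looks_like_first_exec_check(first_ms, warm_ms, threshold_ms=100.0):
    """Heuristic (constructed): a first-run cost far above the warm-run cost
    is consistent with a synchronous check happening only at first exec.
    Compare an online result with an offline one to separate network cost
    from purely local work."""
    return (first_ms - warm_ms) >= threshold_ms


if __name__ == "__main__":
    result = first_run_penalty()
    print("fresh script : %s" % result["path"])
    print("first run    : %7.1f ms" % result["first_ms"])
    print("warm run     : %7.1f ms (median)" % result["warm_ms"])
    print("penalty      : %7.1f ms -> %s" % (
        result["penalty_ms"],
        "first-exec check likely" if looks_like_first_exec_check(
            result["first_ms"], result["warm_ms"]) else "no large first-run cost"))
```

Because the script name and content are random on every call, repeated invocations keep measuring a genuinely cold first run; re-running the same file only measures the warm path, which is what the post's "subsequent runs" numbers describe.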

                                                                                                                                                                                                                                                                                                • mindfulhack 10 days ago

                                                                                                                                                                                                                                                                                                  I still love macOS, a lot. Since moving over after the disaster that was Windows 8 (and by then I was already using MacBook hardware), I've become a loving power user e.g. with AppleScript and setting up hotkeys or other ways to do absolutely anything I want on the screen. It really is still as powerfully customisable as Linux. Turn off SIP if need be.

                                                                                                                                                                                                                                                                                                  My only problem in moving to Linux software is that I prefer Apple's hardware. I'm on the 2019 16-inch MBP. Linux's compatibility with all the T2 and SSD hardware isn't there yet, but apparently it almost is.

                                                                                                                                                                                                                                                                                                  If Linux on the T2 MBP becomes solid and stable in the next 1-2 years, after extensive testing I may move over permanently. I already use Linux on secondary computers, and I love and value its privacy. Same with my phone. I just love my privacy.

                                                                                                                                                                                                                                                                                                  My needs are a high bar though. Productivity must be held back by nothing. I use macOS notes extensively and it syncs with my iPhone which is an extremely useful tool for me to note things down both in audio and. It needs to be reliable and - heh - 'just work'. I just discovered the cross-platform 'Standard Notes' app, with a bit more money paid out to Linux-compatible services like that, maybe it can all work. Casual photoshop can be taken care of via a VM.

                                                                                                                                                                                                                                                                                                  Surprisingly, macOS Catalina is itself a disrupter to my productivity. It seems buggy as hell - glitchy, and weirdly slow for many extremely basic things - all since Catalina. I just don't get it. Is it caused by this article's observation? Something's definitely going on.

                                                                                                                                                                                                                                                                                                  Maybe Apple will fix this in the next release? Like how they fixed the keyboard?

                                                                                                                                                                                                                                                                                                  Either way, I still want to move to Linux on this fabulous (fixed) hardware that is the 16-inch MBP. (T2 issues aside.)

                                                                                                                                                                                                                                                                                                  • fphhotchips 10 days ago

                                                                                                                                                                                                                                                                                                    I have a 2019 Macbook Pro 16in and I hate it. It runs exceptionally hot (leading to massive performance problems), doesn't get enough power from the adapter to start with no battery, doesn't play nicely with my display, needs restarting every couple of days so Chrome doesn't crash and takes forever to boot.

                                                                                                                                                                                                                                                                                                    That's just the technical problems. I'm willing to give the UI a break, since it's probably as much me adjusting as it being bad.

                                                                                                                                                                                                                                                                                                    This is my first Apple anything, and if this is what "just works" looks like, I don't want it. I could be more productive on an Android tablet at this point.

                                                                                                                                                                                                                                                                                                    • mindfulhack 10 days ago

                                                                                                                                                                                                                                                                                                      Actually, I do agree with you with some of those observations. Apple's been trying to fix their terrible T2 issue and I suspect some of the problems lately have been them trying to prevent the T2 reboot crash, while ruining other parts of the experience in the process as a necessary compromise. It may get worse (or better) as they move to all-Arm architecture.

                                                                                                                                                                                                                                                                                                      I also am sick of the touch bar now - after 2 years living with it. I have to press it twice to actually pause my media, because it's an LCD screen and it has to auto turn off to prevent burn-in. That's a regression from the old hard media button in the Fn row which was both instant and far easier to press. At least we got 'Esc' back.

                                                                                                                                                                                                                                                                                                      But man, their trackpad...nothing beats it. Still.

                                                                                                                                                                                                                                                                                                      • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                        > it's an LCD screen


                                                                                                                                                                                                                                                                                                        • mindfulhack 10 days ago

                                                                                                                                                                                                                                                                                                          I hear OLED can be just as bad if not worse. So same diff.

                                                                                                                                                                                                                                                                                                          • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                            Much worse. Just explaining why that would be a problem.

                                                                                                                                                                                                                                                                                                      • arkis22 10 days ago

                                                                                                                                                                                                                                                                                                         Mine starts spinning up the fan (there's kind of a pattern as to when), heating up the entire computer. The computer previously had been fine.

                                                                                                                                                                                                                                                                                                        I usually have to restart and reset the "SMC" to stop the fan from nuking the computer.

                                                                                                                                                                                                                                                                                                        I can let the computer drop to 5% battery life and the fan will turn off and the computer will cool down. Which is the opposite of what you want if it was actually overheating.

                                                                                                                                                                                                                                                                                                        • carnitas 10 days ago

                                                                                                                                                                                                                                                                                                          Counterpoint, I also have the 16 inch 2020 MBP as my first Mac work laptop and absolutely love it. No issues, it works perfectly, and I’m 2x as productive on it as I was on my previous Ubuntu setup.

                                                                                                                                                                                                                                                                                                        • ochoa 10 days ago

                                                                                                                                                                                                                                                                                                          Do you write anywhere online about your workflow setup using AppleScript? It sounds interesting. I’d like to configure my macOS experience more.

                                                                                                                                                                                                                                                                                                          • mindfulhack 10 days ago

                                                                                                                                                                                                                                                                                                            Oh it's not like I have a Cmd+<X> for every single possible task you can imagine, it's a very tailored and customised set of sometimes complicated scripts for my weird personal needs that I've built up over the years.

                                                                                                                                                                                                                                                                                                             Each time I want to do something, I goddamn will spend 8 hours figuring it out if I have to. E.g. this: - one hotkey to change macOS Notes text into a specific hex colour (and/or bold etc). It took me a day but I worked it out. Where there's a will there's, 99 times out of 100, a way.

                                                                                                                                                                                                                                                                                                            You can seemingly do almost anything with AppleScript. Emphasis on almost.

                                                                                                                                                                                                                                                                                                             Here's another example: Right after I plug in my iPhone via USB, I have one hotkey to automate a little-known feature of macOS where you can turn your Mac into a speaker dock for the iPhone. Awesome thing when you have the dramatically improved 16-inch MBP speakers. Here's my AppleScript for that, just customise according to your iPhone name near the bottom and try it out:

                                                                                                                                                                                                                                                                                                             YMMV; if you have additional audio devices in sound prefs you may need to change the code a bit.

                                                                                                                                                                                                                                                                                                            AppleScript also has the ability to perform unix bash scripting and commands, so with homebrew able to install most common Linux packages, you can go wild if you want.

                                                                                                                                                                                                                                                                                                            I'm definitely not 'advanced' applescript level, I'm intermediate. Hundreds of HN readers would know more than me. I just google and think until I find a way. I'm not a programmer.

                                                                                                                                                                                                                                                                                                            I have other shortcuts e.g. to control the MPV media player even if it's not the currently active window. Again, weird personal needs, but awesome. AppleScript to the rescue.

                                                                                                                                                                                                                                                                                                            FastScripts is how I assign universal hotkeys to any of my applescripts.

                                                                                                                                                                                                                                                                                                            • guildmaster 8 days ago

                                                                                                                                                                                                                                                                                                              Would be great if you could write about the scripts you hack to optimize your workflow

                                                                                                                                                                                                                                                                                                        • ronyfadel 10 days ago

                                                                                                                                                                                                                                                                                                          I hope Apple currently has a team focused on macOS perf.

                                                                                                                                                                                                                                                                                                          I worked on the team in charge of improving iOS (13) perf at Apple and IIRC there was no dedicated macOS “task force” like the one on iOS.

                                                                                                                                                                                                                                                                                                          Luckily some iOS changes permeated into macOS thanks to some shared codebases.

                                                                                                                                                                                                                                                                                                          • bentcorner 10 days ago

                                                                                                                                                                                                                                                                                                            I agree. This kind of behavior certainly smells like teams doing their development work on high-capacity low-latency networks without much performance oversight.

                                                                                                                                                                                                                                                                                                            • yariik 10 days ago

                                                                                                                                                                                                                                                                                                              > I hope Apple currently has a team focused on macOS perf.

                                                                                                                                                                                                                                                                                                              Apple doesn't give a fuck about macOS since 2015.

                                                                                                                                                                                                                                                                                                              • cjsawyer 10 days ago

                                                                                                                                                                                                                                                                                                                I wonder what % of their users are developers only begrudgingly sticking around for iOS builds.

                                                                                                                                                                                                                                                                                                              • pier25 10 days ago

                                                                                                                                                                                                                                                                                                                > IIRC there was no dedicated macOS “task force” like the one on iOS

                                                                                                                                                                                                                                                                                                                It's not surprising. Macs are less than 10% of Apple's revenue.


                                                                                                                                                                                                                                                                                                                • robenkleene 10 days ago

                                                                                                                                                                                                                                                                                                                  Except all of Apple's other devices are built on macOS. Apple's clear de-prioritization of macOS based on revenue numbers is so insane I can barely believe it's happening. If developers, who use Macs in large numbers today, go to another platform, there's very real risk that their entire empire starts to come apart at the seams. And, this may just be me being naive, but it doesn't seem like that much work to keep macOS going, all they have to do is stop trying to turn it into iOS. They are literally doing a tremendous amount of active engineering work that drives developers away from their platforms.

                                                                                                                                                                                                                                                                                                                   They are risking their entire empire because (apparently) someone at Apple has an axe to grind with macOS's Unix underpinnings. And until they start getting real consequences (developers leaving in huge numbers), it doesn't seem like it's going to stop. The tragedy is, if they ever do reach that point, where developers are leaving in huge numbers, it'll be too late. Platforms are a momentum game, you're either going up, or you're going down. And once you're going down, you're as good as dead.

                                                                                                                                                                                                                                                                                                                  • fxtentacle 10 days ago

                                                                                                                                                                                                                                                                                                                    Agree. That's probably also one reason why more and more people want to use cross-platform app frameworks instead of developing for iOS natively. That way, you can do most of the dev work on Windows and Android, and you'll only need to use Mac & XCode for compiling the iOS binary.

                                                                                                                                                                                                                                                                                                                    And I'd wager that some iOS games are released without the developer ever touching XCode:

                                                                                                                                                                                                                                                                                                                    • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                      Signing and submitting apps to Apple is fairly annoying to do without Xcode.

                                                                                                                                                                                                                                                                                                                      • fxtentacle 10 days ago

                                                                                                                                                                                                                                                                                                                        Unity has a service where they do it for you.

                                                                                                                                                                                                                                                                                                                        • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                           Where you give them your key?

                                                                                                                                                                                                                                                                                                                          • fxtentacle 10 days ago

                                                                                                                                                                                                                                                                                                                            Yes. The procedure is explained in the link that I posted.

                                                                                                                                                                                                                                                                                                                            • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                              I'm not sure I'd be entirely comfortable with that, to be honest.

                                                                                                                                                                                                                                                                                                                    • gubikmic 10 days ago

                                                                                                                                                                                                                                                                                                                      100% agree! If more people understood this, I hope this narrative would gain some traction and eventually reach Apple management.

                                                                                                                                                                                                                                                                                                                      To me, the idea that an OS is mostly finished is completely bananas. There's so much room for improvement and hardly any of that potential was tapped into in what's starting to feel like a decade.

                                                                                                                                                                                                                                                                                                                      And if Apple had invested into a successor for Cocoa, there might be a larger gap between native apps and (Electron) web apps, leading to some lock-in. Instead most new stuff is not native and for good reasons (and I do dislike the way they don't adhere to Mac conventions, but still).

                                                                                                                                                                                                                                                                                                                      I think ultimately the problem is Tim Cook. He's too attached to Apple's stock price. I think that's the one metric that he believes rates his performance. But inertia is a bitch. Like in politics, the effects might hit hard only once he's out and it could be too late to fix by then.

                                                                                                                                                                                                                                                                                                                      If I think about how much this impacts the economy overall (i.e. make millions of knowledge workers a little bit less efficient) then I can only hope that I'll see more sophisticated organizational structures in my lifetime that prevent such erosion.

                                                                                                                                                                                                                                                                                                                      • indemnity 10 days ago

                                                                                                                                                                                                                                                                                                                        Tim Cook is Apple’s Ballmer, who is their Nadella?

                                                                                                                                                                                                                                                                                                                      • plmu 10 days ago

                                                                                                                                                                                                                                                                                                                        I was thinking exactly this, 8 years ago. I moved from an imac + mbpro to linux only.

                                                                                                                                                                                                                                                                                                                        It took longer than expected. I even intended to buy put options, but someone I trust told me otherwise and to invest in equity instead, which I did, because I know that most buy decisions are not made rationally.

                                                                                                                                                                                                                                                                                                                        But it looks like the time has come now? On the other hand, I have been off by several years before. People are crazier than you think, especially when it comes to status and association with brands and self-confirmation of past decisions. They might well put up with Apple's moves for a few more years.

                                                                                                                                                                                                                                                                                                                      • robotresearcher 10 days ago

                                                                                                                                                                                                                                                                                                                        But at Apple scale: 9% of $58 billion = $5.2 billion Mac revenue last quarter.

                                                                                                                                                                                                                                                                                                                        • ksec 10 days ago

                                                                                                                                                                                                                                                                                                                          Yes, that is what drives me crazy whenever people say Mac is only 9% of revenue and they don't care about it.

                                                                                                                                                                                                                                                                                                                          If the Mac revenue was separated out on its own, it would be about Fortune 120, that is higher than Kraft Heinz. With plenty more space for growth. Apple only has 100M Active Mac users. There are 1.4B Windows PC.

                                                                                                                                                                                                                                                                                                                          • pier25 10 days ago

                                                                                                                                                                                                                                                                                                                            OTOH when Apple was a much smaller company the mac was much more important to them and it showed.

                                                                                                                                                                                                                                                                                                                            Maybe it's not related to revenue per se, but clearly since iOS became their main thing the Mac has suffered tremendously.

                                                                                                                                                                                                                                                                                                                        • valuearb 10 days ago

                                                                                                                                                                                                                                                                                                                          Apple's Macintosh division is the most profitable PC company in the world and has been for at least a decade. In fact, Macintosh is likely more profitable than all other PC companies combined.

                                                                                                                                                                                                                                                                                                                          Less than 10% is no excuse.

                                                                                                                                                                                                                                                                                                                          • pier25 10 days ago

                                                                                                                                                                                                                                                                                                                            Like I said in another comment, it's not about the revenue per se, but it's undeniable that the more popular iOS is the less Apple cares about the Mac.

                                                                                                                                                                                                                                                                                                                            • _underfl0w_ 10 days ago

                                                                                                                                                                                                                                                                                                                              Do you have a source for that claim?

                                                                                                                                                                                                                                                                                                                            • goatinaboat 10 days ago

                                                                                                                                                                                                                                                                                                                              It's not surprising. Macs are less than 10% of Apple's revenue.

                                                                                                                                                                                                                                                                                                                              Without Macs for developers and other content creators that other 90% doesn’t exist.

                                                                                                                                                                                                                                                                                                                              • ARandomerDude 10 days ago

                                                                                                                                                                                                                                                                                                                                Exactly. Especially given the Xcode lock-in nonsense.

                                                                                                                                                                                                                                                                                                                              • codeisawesome 10 days ago

                                                                                                                                                                                                                                                                                                                                I find it funny how people are downvoting your innocent comment pointing out a fact... out of anger and hate for the actual fact :D

                                                                                                                                                                                                                                                                                                                              • markdog12 10 days ago

                                                                                                                                                                                                                                                                                                                                What changes permeated into macOS? What did your team do to improve iOS perf?

                                                                                                                                                                                                                                                                                                                                • ronyfadel 10 days ago

                                                                                                                                                                                                                                                                                                                                  So many of the frameworks have shared code between macOS and iOS (e.g. MapKit, Foundation, Contacts etc..), so a perf fix in iOS pays dividends on macOS too.

                                                                                                                                                                                                                                                                                                                                  Perf changes are too numerous to mention, I’d recommend watching last year’s WWDC keynote describing the iOS 12 v/s 13 perf advancements.

                                                                                                                                                                                                                                                                                                                                  • neuronic 10 days ago

                                                                                                                                                                                                                                                                                                                                    They set "fast = true" as a global constant variable.

                                                                                                                                                                                                                                                                                                                                • shripadk 10 days ago

                                                                                                                                                                                                                                                                                                                                  I would give anything to have my Mac be fast again. I have no idea what changed but even 10.14 feels a whole lot slower than it was earlier. Haven't upgraded to 10.15 seeing all the negative reviews it is getting when it comes to perf. Apple needs to seriously give perf a priority for Mac. Do they really expect developers to use a Mac to develop Apps when it is slow as molasses? I shudder to think what will happen to the Apple ecosystem if developers migrate to another OS for development. Apple will come crashing down. I don't wish for that to happen but looks like there is absolutely no one at Apple focused on making it better.

                                                                                                                                                                                                                                                                                                                                  • acdha 10 days ago

                                                                                                                                                                                                                                                                                                                                    Remember, people don’t write blog posts saying nothing changes. The negative reviews tend to be one of two things: spotlight reindexing shortly afterwards, or attribution error where every new thing is blamed on the OS upgrade and similar old behavior is mentally discounted. App development didn’t suddenly get “slow as molasses” and for most users the install was a reboot and back to work.

                                                                                                                                                                                                                                                                                                                                  • leephillips 10 days ago

                                                                                                                                                                                                                                                                                                                                    This is completely insane. I am so glad I decided years ago to leave closed operating systems behind.

                                                                                                                                                                                                                                                                                                                                    This design seems to cement the trend at Apple to position their products as consumer appliances, not platforms useful for development.

                                                                                                                                                                                                                                                                                                                                    • Nextgrid 10 days ago

                                                                                                                                                                                                                                                                                                                                      > I am so glad I decided years ago to leave closed operating systems behind.

                                                                                                                                                                                                                                                                                                                                      The problem is, there's nothing else out there. Everything is going to shit in one way or another. Windows is now a disaster, Linux was always a disaster in terms of user experience and isn't improving.

                                                                                                                                                                                                                                                                                                                                      Mac OS was the last bastion of somewhat good, thoughtful design, user experience and attention to detail and now they've gone to shit too.

                                                                                                                                                                                                                                                                                                                                      • oscribinn 10 days ago

                                                                                                                                                                                                                                                                                                                                        >Linux was always a disaster in terms of user experience and isn't improving

                                                                                                                                                                                                                                                                                                                                        I'm honestly pretty baffled as to what keeps this meme alive, as KDE and GNOME are both very popular and provide simple, intuitive interfaces for the typical user. Plasma is only complex if you're the type that really wants to customize, but there its complexity is (mostly) necessary for its wide range of possible configuration. People have this idea that desktop Linux users are all a bunch of dorks playing around with Arch and tiling window managers all day and then posting their anime wallpaper setups on /r/unixporn, but that hasn't actually been true for a long time.

                                                                                                                                                                                                                                                                                                                                        • nightowl_games 9 days ago

                                                                                                                                                                                                                                                                                                                                          Yeah Linux is awesome. I don't get the hate either. I have like 5 apps I use in Linux Mint, and they look exactly the same way they do in MacOS (Spotify, Discord, Firefox, Godot, Sublime, VSCodium, Terminal)...

                                                                                                                                                                                                                                                                                                                                          The settings UIs in Mint are easily way better than in Windows and Mac.

                                                                                                                                                                                                                                                                                                                                        • Yetanfou 10 days ago

                                                                                                                                                                                                                                                                                                                                          > Linux was always a disaster in terms of user experience and isn't improving.

                                                                                                                                                                                                                                                                                                                                          Nonsense, 'Linux' can be what you make it. You can have it as sleek as something straight out of the fruit factory or as spartan as a VT100 and anything in between. If you're new to the game the pre-packaged 'consumer' distributions might be a good starting point but for those with a bit of nix savvy - of which I assume there to be many on this board - those bells and whistles probably just get in the way.

                                                                                                                                                                                                                                                                                                                                          If my 8yo daughter and my 82yo mother can use Linux - the latter through a remote X2go session from her kitchen table in the Netherlands to my server under the stairs in Sweden - I'd say people around here can be assumed to be able to handle it. The nice thing about 'Linux' is that you can change out those parts which you find disagreeable for whatever reason for those you like better, this in contrast to that "last bastion of somewhat good, thoughtful design, user experience and attention to detail" which by your own statement has been changed into excrement. Just take out the shitty bits and replace them with something better... oh, no, not possible...

                                                                                                                                                                                                                                                                                                                                          That is why the parent poster is right in this sense, things in 'Linux' land might not be perfect - and can never be 'perfect' since one person's perfection is another's nightmare - but at least you get to do something about it.

                                                                                                                                                                                                                                                                                                                                          • kick 10 days ago

                                                                                                                                                                                                                                                                                                                                            > Linux was always a disaster in terms of user experience and isn't improving.

                                                                                                                                                                                                                                                                                                                                            Curious: what have you tried? People who use "Linux" as a catch-all in terms of UX usually have only tried a single distribution with a single desktop environment.

                                                                                                                                                                                                                                                                                                                                            • tsukurimashou 10 days ago

                                                                                                                                                                                                                                                                                                                                              I feel like people still have in mind what Linux desktop was 15 / 20 years ago. It improved a lot in the past years, battery life improved on laptops, Ubuntu that was already very stable and feature complete also got a lot of things with previous releases and I've personally been running Arch on my main computers now for 5+ years and haven't got any major issues while upgrading.

                                                                                                                                                                                                                                                                                                                                              • defnotashton2 10 days ago

                                                                                                                                                                                                                                                                                                                                                Try using the latest version of software that has a more frequent release cycle than arch. If you have an incompatibility there goes your install.

                                                                                                                                                                                                                                                                                                                                                Have yet to see a distro do multi-monitor hi-DPI that results in readable fonts out of the box..

                                                                                                                                                                                                                                                                                                                                                This gets updated yearly -

                                                                                                                                                                                                                                                                                                                                                • ubercow13 10 days ago

                                                                                                                                                                                                                                                                                                                                                  This list is quite comprehensive, but also quite boring. It's just a list of bugs and things that are suboptimal on Linux. You could write one about any operating system. Some of the items like 'such-and-such needs to be configured using a text file' are also not even real problems.

                                                                                                                                                                                                                                                                                                                                                  What do you mean by 'there goes your install'? There are multiple ways you could run bleeding-edge software before it's packaged for Arch. See for example every 'xxx-git' package in the AUR. Or Flatpak.

                                                                                                                                                                                                                                                                                                                                                  • hexchain 8 days ago

                                                                                                                                                                                                                                                                                                                                                    Arch does not have a release cycle, sorry.

                                                                                                                                                                                                                                                                                                                                                • m463 10 days ago

                                                                                                                                                                                                                                                                                                                                                  People who have used ubuntu might want to just once try arch linux.

                                                                                                                                                                                                                                                                                                                                                  I had an ubuntu machine that took a while to boot even with an SSD. Later I installed arch linux on the same machine and boom! it would be to the desktop in seconds. It was night and day.

                                                                                                                                                                                                                                                                                                                                                  • zozbot234 10 days ago

                                                                                                                                                                                                                                                                                                                                                    Debian is just as quick, and does not have the problematic "rolling" updates of Arch. (It does have the "testing" and "unstable" channels which are roughly comparable, but the Debian folks won't tell you to use them in production.)

                                                                                                                                                                                                                                                                                                                                                    • m463 10 days ago

                                                                                                                                                                                                                                                                                                                                                      > problematic "rolling" updates

                                                                                                                                                                                                                                                                                                                                                      Rolling updates for me have not been problematic.

                                                                                                                                                                                                                                                                                                                                                      I've had a few updates that gave an error message, and they were easily fixed in one minute after searching the arch website.

                                                                                                                                                                                                                                                                                                                                                      I think one was a key expired - I had to manually update it and redo the update process.

                                                                                                                                                                                                                                                                                                                                                      The other I can recall was a package that had become obsolete/conflicting and a question had to be answered.

                                                                                                                                                                                                                                                                                                                                                      In general rolling updates are a tiny blip every few months.

                                                                                                                                                                                                                                                                                                                                                      In comparison, the several debian based distributions I've run have been a "lost weekend" type of upgrade for major updates.

                                                                                                                                                                                                                                                                                                                                                      • kick 10 days ago

                                                                                                                                                                                                                                                                                                                                                        Debian is not just as quick (significantly slower and higher resource usage), but Arch isn't all that fast nowadays, either.

                                                                                                                                                                                                                                                                                                                                                        • Yetanfou 10 days ago

                                                                                                                                                                                                                                                                                                                                                          Debian - or Devuan if you don't want systemd - can be made as spartan as you want. It boots in those mentioned few seconds on my 15yo T42p (Pentium M@1.8GHz, 2GB). Use Sid/Unstable if you want more up-to-date software with the accompanying larger flow of updates.

                                                                                                                                                                                                                                                                                                                                                          • catalogia 10 days ago

                                                                                                                                                                                                                                                                                                                                                            > Debian is not just as quick (significantly slower and higher resource usage)

                                                                                                                                                                                                                                                                                                                                                            In which respects? Are you talking about apt vs pacman or something? Default DEs?

                                                                                                                                                                                                                                                                                                                                                            • kick 10 days ago

                                                                                                                                                                                                                                                                                                                                                              Default install; a default Debian install has about 3x running.

                                                                                                                                                                                                                                                                                                                                                      • the_af 10 days ago

                                                                                                                                                                                                                                                                                                                                                        Moreover, I've been running Linux for decades now, both in my personal laptop and at work, and Ubuntu has been (mostly) frictionless for me. I'm not an average user, of course, but for most users a friendly distro would work just as well as Windows (browsing the internet, using whatsapp web, watching movies). In some cases I've had a better user experience with Ubuntu than with Windows or OS X, namely seamlessly installing a wireless HP laser printer.

                                                                                                                                                                                                                                                                                                                                                        • hrktb 10 days ago

                                                                                                                                                                                                                                                                                                                                                          I only tried Ubuntu, a few months ago. For the day or two spent with it:

                                                                                                                                                                                                                                                                                                                                                          - multi-language support requires a lot of work to get to the same point as macos.

                                                                                                                                                                                                                                                                                                                                                          In particular I use third party shortcut mappers to get language switching on left and right command keys (mimicking the JIS keyboards, but with an english international layout). That looks like something I’d have to give up on or code myself.

                                                                                                                                                                                                                                                                                                                                                          - printer support is not at the same level.

                                                                                                                                                                                                                                                                                                                                                          Using a Xerox printer, some options that appear by default on macos were not there on ubuntu. I’m sure there must be drivers somewhere, or I could hunt down more settings. But then my work office has two other printers. It would be a PITA to hunt down drivers every time I want to use another printer.

                                                                                                                                                                                                                                                                                                                                                          - Hi DPI support is still flagged as experimental, and there’s a bunch of hoops to jump through to get a good setting in multi-monitor mode. Sure it’s doable, but still arcane.

                                                                                                                                                                                                                                                                                                                                                          - sleep/wake was weird. It would work most of the time, but randomly kept awake after closing the lid, or not waking up when opening. Not critical, but still not good (I’d hate to have the battery depleted while traveling).

                                                                                                                                                                                                                                                                                                                                                          Overall if I had no choice that would be a fine environment. But as it is now, with all its quirks, I feel macos is still a smoother environment.

                                                                                                                                                                                                                                                                                                                                                          • the_af 10 days ago

                                                                                                                                                                                                                                                                                                                                                            Fair enough. I'm not a Mac OS X user so I don't know how it would compare. I can only compare it with my past experience with Windows, and I think it's superior (for me) to Windows circa 7 -- I stopped using Windows entirely at that point, so I wouldn't know how later versions of Windows fare.

                                                                                                                                                                                                                                                                                                                                                            Portability is also a fair issue to raise, but it's simply not a problem for me. When I say Linux "on the desktop", I literally mean it: to me a laptop is simply a slightly more portable desktop computer. I sometimes take my work laptop to/from the office, and the battery lasts long enough for that. I'm not worried about longer trips, since I don't use laptops for that. Again, if you do care about this (which is completely fair), I'm aware many Linux distros still have issues with battery life. You certainly can't compete with a Macbook Pro, that's for sure!

                                                                                                                                                                                                                                                                                                                                                            I do note that my experience with printers is opposite to yours. Like I said, when trying to connect to an HP wireless printer, Ubuntu autodetected and self-downloaded the necessary drivers; however, it took a lot of patience to get it to work with a Macbook Pro. Today, now that I have it configured for my Ubuntu laptop and my wife's Macbook Pro, the Mac will sometimes fail to print (the print job simply gets stuck in limbo) while my laptop prints reliably. Who knows?

                                                                                                                                                                                                                                                                                                                                                            And like I said in another comment, I game (or used to, anyway) a lot with Ubuntu, and many games are even AAA (though they tend to arrive later than on Windows).

                                                                                                                                                                                                                                                                                                                                                            So I really have a hard time believing Linux is not "ready for the desktop". It is, and has been for many years now.

                                                                                                                                                                                                                                                                                                                                                            edit: one last thing. You mentioned HiDPI modes, multimonitor, multilanguage... none of those are for average users. My mom would be comfortable browsing the net, reading mail and watching movies on Ubuntu. She doesn't even know what HiDPI is, nor does she want external monitors. (Spoiler: she still uses Windows because she can't learn anything else at this point... I've thought of tricking her by theming Ubuntu to look like Windows, but that would just be mean).

                                                                                                                                                                                                                                                                                                                                                            • bgorman 10 days ago

                                                                                                                                                                                                                                                                                                                                                              Without HiDPI support lots of applications become useless when you use a HiDPI display. Even Steam does not respect HiDPI settings in Gnome 3 even when setting custom environment variables.

                                                                                                                                                                                                                                                                                                                                                              • the_af 10 days ago

                                                                                                                                                                                                                                                                                                                                                                It's probably a case of "I don't miss what I don't use" then. I'm a power user, I cut my teeth with MS-DOS and I've been using Linux for work and gaming for more than a decade (and less intensive usage before that) and I really never noticed anything about HiDPI. That has to mean something :)

                                                                                                                                                                                                                                                                                                                                                              • hrktb 10 days ago

                                                                                                                                                                                                                                                                                                                                                                Thanks for the additional details.

                                                                                                                                                                                                                                                                                                                                                                For the printers, you are right in that it’s far from being a solved problem on macos. I had an EPSON all in one before, and it was also a pain to get everything working. If I remember correctly the generic driver could print, but we didn’t get “advanced” options without going through the EPSON pkg installer and all the garbage coming with it. I’d totally imagine the linux driver being done cleaner than that.

                                                                                                                                                                                                                                                                                                                                                                For the record I’ve worked with a decent number of devs using linux workstations, so I totally vouch for your use case. I’d just temper the niche nature of multi-language support; that’s an everyday need for basically all Asia. Granted my use of shortcuts is niche (I wouldn’t need them if I had enough keys), but looking at maintenance projects annual reports there seem to be a sizeable amount of quality of life fixes still on the way.

                                                                                                                                                                                                                                                                                                                                                                • the_af 10 days ago

                                                                                                                                                                                                                                                                                                                                                                  Right. I forgot about Asia. In that case it must be painful, agreed!

                                                                                                                                                                                                                                                                                                                                                              • bgorman 10 days ago

                                                                                                                                                                                                                                                                                                                                                                With Linux you have to pay for proper support. HP is by far the best company in terms of supporting Linux printers. It isn't the Linux ecosystem's fault that other printer companies do not care.

                                                                                                                                                                                                                                                                                                                                                            • BruceEel 10 days ago

                                                                                                                                                                                                                                                                                                                                                              Interesting. I regularly use RHEL (server/CLI only) but have not tried desktop Linux in a while.

                                                                                                                                                                                                                                                                                                                                                              I get a fair bit of weekly exposure to Windows 10 and well, it's not like heaps of fun, UX wise.

                                                                                                                                                                                                                                                                                                                                                              I'm reluctant to drop Apple mainly because I'm so 'tied up' with the rest of the ecosystem, iPhone, Apple Music, iCloud etc. They are not irreplaceable (for sure) but it always feels like moving away will cost way too much effort and be a pain... Well played, Apple.

                                                                                                                                                                                                                                                                                                                                                              • The_Colonel 10 days ago

                                                                                                                                                                                                                                                                                                                                                                > I'm reluctant to drop Apple mainly because I'm so 'tied up' with the rest of the ecosystem, iPhone, Apple Music, iCloud etc. They are not irreplaceable (for sure) but it always feels like moving away will cost way too much effort and be a pain... Well played, Apple.

                                                                                                                                                                                                                                                                                                                                                                This is why I don't want anything by Apple.

                                                                                                                                                                                                                                                                                                                                                          • godzillabrennus 10 days ago

                                                                                                                                                                                                                                                                                                                                                            Buy a Mac and put ElementaryOS on it to avoid the slowdown and have a slick experience.


                                                                                                                                                                                                                                                                                                                                                          • Terretta 10 days ago

                                                                                                                                                                                                                                                                                                                                                            From the comments, roughly, are you running third party "security" tools?

                                                                                                                                                                                                                                                                                                                                                            > Is there any "security" software running on your Mac? I've seen this sort of thing caused by that, but not in general.

                                                                                                                                                                                                                                                                                                                                                            > I ran the two line test and it had no delay at all. The Mac doesn't check for notarization on shell scripts or any non-bundle executable. I just did it again with a new and Wireshark capture and there is nothing.

                                                                                                                                                                                                                                                                                                                                                            > I do a lot of Keychain code and I've also never seen those delays. The reason I suspect they told you not to use that API is that it's in the "legacy" macOS keychain. They really want everyone to move to the modern keychain but lots of people, myself included, still need the older macOS specific features.

                                                                                                                                                                                                                                                                                                                                                            > I'm not saying you are crazy, but all of these things though are the trademark reek of kernel level security software that is intercepting and scanning every exec and file read on the system. We had an issue with Cisco AMP once that took Xcode builds from under 10 seconds to over 5 minutes until we were able to get it fixed.

                                                                                                                                                                                                                                                                                                                                                            • oefrha 10 days ago

                                                                                                                                                                                                                                                                                                                                                              The only kernel-level security software on my systems is Little Snitch, and I’m pretty sure it doesn’t do anything unless there’s network activity, so it doesn’t explain anything.

                                                                                                                                                                                                                                                                                                                                                            • oasisbob 10 days ago

                                                                                                                                                                                                                                                                                                                                                              Reminds me of the terrible delay I faced after having Sophos installed on my Mac.

                                                                                                                                                                                                                                                                                                                                                              Having to wait 5-10 seconds for a new terminal tab as Sophos churns (checking autocomplete scripts, rbenv, etc) was infuriating. Oddly, there was fate sharing with Internet interception, so there was a good chance the browser was getting dragged down too, and vice versa.

                                                                                                                                                                                                                                                                                                                                                              Convincing corporate IT of how bad the problem was was maddening. Based on what this author says, 10.15 on rural internet sounds like hell.

                                                                                                                                                                                                                                                                                                                                                              • jwlake 10 days ago

                                                                                                                                                                                                                                                                                                                                                                The funny thing is it's not transitive. No slowdown if you invoke bash specifically with a new shell.

                                                                                                                                                                                                                                                                                                                                                                  % rm /tmp/ ; echo $'#!/bin/sh\necho Hello' > /tmp/ && chmod a+x /tmp/
                                                                                                                                                                                                                                                                                                                                                                  % time bash /tmp/ && time bash /tmp/
                                                                                                                                                                                                                                                                                                                                                                  bash /tmp/ 0.00s user 0.00s system 83% cpu 0.004 total
                                                                                                                                                                                                                                                                                                                                                                  bash /tmp/ 0.00s user 0.00s system 77% cpu 0.003 total

                                                                                                                                                                                                                                                                                                                                                                vs the one from the article:

                                                                                                                                                                                                                                                                                                                                                                  % rm /tmp/ ; echo $'#!/bin/sh\necho Hello' > /tmp/ && chmod a+x /tmp/
                                                                                                                                                                                                                                                                                                                                                                  % time /tmp/ && time /tmp/
                                                                                                                                                                                                                                                                                                                                                                  /tmp/ 0.00s user 0.00s system 2% cpu 0.134 total
                                                                                                                                                                                                                                                                                                                                                                  /tmp/ 0.00s user 0.00s system 73% cpu 0.004 total

                                                                                                                                                                                                                                                                                                                                                                (edited for formatting)

                                                                                                                                                                                                                                                                                                                                                                • saurik 10 days ago

                                                                                                                                                                                                                                                                                                                                                                  When you run "bash hello" you are calling exec() on bash, passing "hello" as an argument, which bash then reads; when you run "./hello" you are calling exec() on hello: the kernel then treats "hello" as an executable, but notes that "hello" starts with "#!" and then will run the specified interpreter for you, passing "./hello" as an argument. The kernel doesn't think of "hello" as a program when you run "bash hello".
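The exec() distinction saurik describes, as an added example that is not part of the thread: the script below (constructed for this page, with a fresh /tmp file name like the thread's test) uses the kernel's exec-permission check as a portable stand-in for any exec-time check, since macOS's notarization lookup cannot be reproduced on other systems. Exec'ing the file directly goes through the kernel's exec path, while `sh ./file` execs sh and the file is only an argument, so a hook that sits on exec() never sees the script in the second case.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates that the kernel only
# treats a file as a program when it is exec()'d directly; when an interpreter
# is exec'd with the file as an argument, exec-time checks on the file itself
# (permission bits here; notarization or endpoint-security hooks on macOS) do
# not run, which is why `bash /tmp/...` shows no first-run delay in the thread.

# Create a fresh, uniquely named shell script (mirrors the thread's /tmp/<rand> test).
make_script() {
    suffix=$(awk 'BEGIN { srand(); print int(rand() * 100000) }')
    f="${TMPDIR:-/tmp}/hn_exec_demo_$$_$suffix"   # constructed, not a real path from the thread
    printf '#!/bin/sh\necho Hello\n' > "$f"
    printf '%s\n' "$f"
}

# Exit status when the kernel is asked to exec the file itself (shebang handled by the kernel).
# 126 means the shell could not exec it (EACCES: no exec bit); 0 means it ran.
direct_exec_status() {
    rc=0
    "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Exit status when sh is exec'd and the file is merely read as an argument.
via_interpreter_status() {
    rc=0
    sh "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

demo() {
    f=$(make_script)
    chmod a-x "$f"
    echo "no exec bit: direct=$(direct_exec_status "$f") via sh=$(via_interpreter_status "$f")"
    chmod a+x "$f"
    echo "exec bit:    direct=$(direct_exec_status "$f") via sh=$(via_interpreter_status "$f")"
    rm -f "$f"
}

demo
```

Expected output is `direct=126 via sh=0` without the exec bit and `direct=0 via sh=0` with it: the interpreter path succeeds either way because the kernel never evaluated the script as a program.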

                                                                                                                                                                                                                                                                                                                                                                  • azinman2 10 days ago

                                                                                                                                                                                                                                                                                                                                                                    Are you sure it's just not cached from the prior result? If I run the article's commands twice in a row, the 2nd time is faster.

                                                                                                                                                                                                                                                                                                                                                                  • halotrope 10 days ago

                                                                                                                                                                                                                                                                                                                                                                    I am using Ubuntu 20.04 on a Thinkpad X1 Extreme Gen2 and you would be surprised how "normal" it feels as a development machine. Sure, there are some little annoyances: the touchpad behaves a little worse than on Windows, sound is a little worse. But the most important things, keyboard and screen, are excellent. The system in general does not feel like the horror stories that people keep telling about Linux on desktop (notebook). Now that WSL2 is getting CUDA even Windows looks workable. Their new terminal app is amazing. After a decade of Mac notebooks it was quite liberating and I would not switch back even if the flaws in macOS were fixed. It is for sure the nicest of the big 3 operating systems, but for development work Ubuntu is hard to beat for me. YMMV but it won't hurt to look around at what else is there.

                                                                                                                                                                                                                                                                                                                                                                    • kristopolous 10 days ago

                                                                                                                                                                                                                                                                                                                                                                      I've been seeing the trajectory of Windows (pre-2012 or so) -> Mac (2012 - ~2019 or so) -> Linux (~2018 - now) play out with quite a few people without any issues.

                                                                                                                                                                                                                                                                                                                                                                      And I don't mean developers. They're all pretty educated people but it's taken me by surprise. They come to me in frustration over Mac, they don't want to return to Windows and they really, really, really want linux. I've been using linux since about 1997 so they come to me. I usually push back, thinking "do you really want a unix workstation?!" but they insist.

                                                                                                                                                                                                                                                                                                                                                                      My strategy has been some x2xx lenovo (like x230 or so) for about $300 from ebay, 8/16gb of ram or so with an SSD, the extended battery pack, putting mint on it and then just handing it over. Everyone, much to my continued surprise, has loved it and are really happy with it.

                                                                                                                                                                                                                                                                                                                                                                      It's happened 4 times now and I'm still shocked every time. They've told me they use youtube to figure things out.

                                                                                                                                                                                                                                                                                                                                                                      They're fine with libreoffice, gimp does what they need, supposedly spotify works on it fine, they don't know what bash or the kernel is and it's all fine. Incredible.

                                                                                                                                                                                                                                                                                                                                                                      • peferron 10 days ago

                                                                                                                                                                                                                                                                                                                                                                        Seconded. I used to work on a Mac laptop for years, then started using a beefy Linux desktop tower on the side for some work that benefited from higher hardware resources. A few months later I realized that I had slowly grown into doing all my work on Linux, even when I didn't need the hardware, mostly because i3 and apt were so much better than the Mac equivalents, and that I was only opening my Mac laptop to walk into meetings. After realizing that I ditched the Mac laptop for a Linux laptop and haven't looked back.

                                                                                                                                                                                                                                                                                                                                                                        I still use a Mac at home for entertainment (I'm typing this comment on one), and I have to say it works much better used that way. I don't have to worry anymore about random Mac OS upgrades breaking functionality that Apple doesn't care about because it's not part of their vanilla out-of-the-Apple-Store experience, but is vital to me as a developer such as 3rd party window management, dock improvements, keyboard tweaks, or not delaying every new execution by phoning home (LMAO).

                                                                                                                                                                                                                                                                                                                                                                        • kstenerud 10 days ago

                                                                                                                                                                                                                                                                                                                                                                          Yup. Ubuntu 20 is the first desktop Linux OS that just worked. Every other Linux desktop before it has had suspend/resume issues, wifi issues, sound issues, 3D issues, ratchet settings (things that can be set but never unset without some arcane magic), weird desktop behaviors, buggy software that crashes all the time, etc etc. Yes, I've tried ALL of them, including Pop!_OS and Deepin.

                                                                                                                                                                                                                                                                                                                                                                          This year marks the first year that I can just use linux without having to debug it.

                                                                                                                                                                                                                                                                                                                                                                          • julianeon 10 days ago

                                                                                                                                                                                                                                                                                                                                                                            Longtime Linux user (Manjaro) and I never thought I'd see the day when I could pitch it as noticeably superior to MacOS, considering Apple's once-legendary attention to user interfaces. It seems like those days are behind us, now.

                                                                                                                                                                                                                                                                                                                                                                            Linux as an actually better experience, without gigantic embarrassing flubs like this, is looking better by the day.

                                                                                                                                                                                                                                                                                                                                                                            • marssaxman 10 days ago

                                                                                                                                                                                                                                                                                                                                                                              I never intended to switch away from Mac OS; it just sort of... happened. As Mac OS has grown more paternalistic over the years without adding any notable capabilities that I care about, it's felt steadily easier to just go use Linux instead. It has its own frustrations, but it can always be made to do what I want, and then it just behaves. Starting around Ubuntu 16.04, I found that the balance of frustration was tipping; these days I don't really bother to use my personal Mac any more. I still have one for work, but I'd certainly rather use Linux there too if I had the option.

                                                                                                                                                                                                                                                                                                                                                                              • slaw 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                For touchpad issues in Ubuntu uninstall xserver-xorg-input-synaptics and keep only xserver-xorg-input-libinput installed.

                                                                                                                                                                                                                                                                                                                                                                                • chacha2 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                  Isn't Ubuntu much worse than this with the push for Snap packages? It can take 10-30 seconds to open software installed through it.

                                                                                                                                                                                                                                                                                                                                                                                  • seertaak 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                    I have a ThinkPad with Ubuntu 19. I'm very happy with it; it's nice to have apt, and to be able to eg use minikube with docker driver rather than a VM.

                                                                                                                                                                                                                                                                                                                                                                                    It's also true that the trackpad isn't as good as Windows. (It used to be that Mac had the best, but Catalina managed somehow to screw up the trackpad and make it laggy. Catalina has not been good for me!)

                                                                                                                                                                                                                                                                                                                                                                                    • levesque 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                      Windows is still very much subpar, even with support for CUDA in WSL2. Loading packages is terribly slow in Windows, for some reason. Also don't get me started on package management (no, Anaconda doesn't cut it).

                                                                                                                                                                                                                                                                                                                                                                                      • doktrin 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                        I've gone full circle. Went from desktop linux (mostly Arch) to OSX ~7 or so years ago, and now due to a combination of frustration with the butterfly keyboards and then a slew of issues with macOS itself, I'm back to linux desktop for my dev machine.

                                                                                                                                                                                                                                                                                                                                                                        From my perspective as a quote-unquote power user, it feels like Apple just constantly insists on shooting themselves in the foot with unnecessary and ill-conceived innovations. Either way, I'm happy with my new setup and probably won't go back to MacBooks anytime soon.

                                                                                                                                                                                                                                                                                                                                                                                        • Myrmornis 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                          I would love to switch back to Linux but Apple's Retina displays are absolutely beautiful and there is no way I could enjoy going back to anything with noticeably lower pixel density on a laptop. I'd like to be told I'm wrong, but as far as I know it's not really possible to recreate a comparable high pixel density experience under Linux on a laptop.

                                                                                                                                                                                                                                                                                                                                                                                          • ubercow13 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                            Many of us who have been using Linux just fine on desktops and laptops for decades find those horror stories to be overstated...

                                                                                                                                                                                                                                                                                                                                                                                            • mosburger 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                              I would definitely consider moving to Linux for my next laptop - unfortunately I do a decent amount of iOS development, which I realize isn't impossible to do on Linux, but I can't imagine it'd be worth the hassle. :/

                                                                                                                                                                                                                                                                                                                                                                                              • Sangeppato 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                The dual GPU is a pain in the butt since Nvidia still doesn't support Optimus on Linux (and probably never will).

                                                                                                                                                                                                                                                                                                                                                                                              • kebman 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                OSX used to be the OS that started really quick, and ran really smoothly. Certainly far better than Windows. Also search was lightning fast. It was a selling point on its own. But recently it has slowed to a crawl. And I have to ask, what business is it to Apple whether I store a script somewhere? I don't even want them to have a checksum. And I don't want to go through the bother of having to change settings for it either. Do they even ask if this is OK? For me this is just yet another reason to steer well clear of Apple products in the near future. Very sad, because I really used to love their stuff.

                                                                                                                                                                                                                                                                                                                                                                                                • haunter 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                  > OSX used to be the OS that started really quick

                                                                                                                                                                                                                                                                                                                                                                                                  Coldboot Windows 10 from pushing the power button to reaching the login screen is 7s for me (i7-7700, m2 SSD, 32GB RAM).

                                                                                                                                                                                                                                                                                                                                                                                                  I never ever had quicker startups on OSX.

                                                                                                                                                                                                                                                                                                                                                                                                  • zozbot234 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                    > OSX used to be the OS that started really quick, and ran really smoothly.

                                                                                                                                                                                                                                                                                                                                                                                                    It was quite slow compared to OS 9, but even most Linux installs have way better performance on equivalent hardware. Windows really is dog slow by comparison.

                                                                                                                                                                                                                                                                                                                                                                                                  • oefrha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                    Damn, I too have noticed that when developing in compiled languages (C, C++, Go, Rust, what have you) the first execution after a recompile is always noticeably delayed. I thought it was odd but didn’t bother digging into it. This must be why! (Can’t recall having this problem with scripting languages, but maybe subsequent modifications don’t trigger a notarization check? Edit: Yeah TFA does mention this.)

                                                                                                                                                                                                                                                                                                                                                                                                    • dkmar 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                      For anyone looking for more information on what happens on the first run of an app in Catalina, see [0]. Here's a direct link to the diagram [1].



                                                                                                                                                                                                                                                                                                                                                                                                      • dcow 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                        Can anybody actually confirm these claims? I'm no fan of the new notary system, but in my experience the behavior described is not how things work. Has there been an update or change in behavior recently?

                                                                                                                                                                                                                                                                                                                                                                                                        I've been running a Debian thinkpad for the last meaningful stretch of time, but from what I recall macOS quarantines any files created by the user via an extended attribute ``. Quarantined files are not allowed to be executed by gatekeeper. It's not about a network check, they just can't be executed. If the user removes the quarantine attribute, then gatekeeper will shut up and the files will execute normally. Alternatively, if a file has a signed hash stapled to it i.e. if it has been notarized, then gatekeeper will also allow execution after verifying the signature. This doesn't require a network check either.

                                                                                                                                                                                                                                                                                                                                                                                                        Interestingly, the way to bypass the quarantine behavior is to unarchive a folder. Archives themselves include the quarantine attribute; however, files extracted from the archive using a terminal program (a "developer tools" program) don't, and so macOS doesn't care. Also, tools like `curl` don't apply the quarantine bit to downloaded files, so curling a binary or shell script still works just fine.
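
The quarantine attribute dcow describes above can be audited from a shell. The script below is an added example, not code from this thread or from Apple; it assumes the documented `flags;timestamp;agent;uuid` layout of the `com.apple.quarantine` value and the `xattr -p <name> <file>` command that macOS ships. The sample value embedded in it is constructed, not captured from a real download. The decoder works on any host; the file check reports itself as unsupported where no `xattr` tool exists.

```shell
#!/bin/sh
# Added example, not from the thread: audit the macOS quarantine attribute
# that Gatekeeper consults before allowing a downloaded file to run.
# Assumption: the attribute value uses the documented layout
#   "<flags-hex>;<unix-time-hex>;<agent name>;<event uuid>"
# and macOS provides `xattr -p <name> <file>` to print a named attribute.

QUARANTINE_ATTR="com.apple.quarantine"

# Constructed sample value (not captured from a real download).
SAMPLE_QUARANTINE="0083;5ea1b2c3;curl-example;00000000-0000-0000-0000-000000000000"

# parse_quarantine VALUE
# Prints "flags=<hex> time=<epoch seconds> agent=<name> uuid=<id>".
# Returns 1 when the value does not have the expected shape.
parse_quarantine() {
    IFS=';' read -r q_flags q_ts q_agent q_uuid <<EOF
$1
EOF
    # flags and timestamp are mandatory hex fields; agent/uuid may be empty
    case "$q_flags" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    case "$q_ts"    in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    q_epoch=$((0x$q_ts))   # hex -> decimal seconds since the Unix epoch
    printf 'flags=%s time=%s agent=%s uuid=%s\n' \
        "$q_flags" "$q_epoch" "$q_agent" "$q_uuid"
}

# quarantine_status FILE
# Reports whether FILE carries the attribute and decodes it when present.
# Return codes: 0 quarantined, 1 not quarantined, 2 no xattr tool on this
# host, 3 attribute present but unparseable. A missing attribute is not
# evidence of safety: tools such as curl never set it in the first place.
quarantine_status() {
    if ! command -v xattr >/dev/null 2>&1; then
        echo "unsupported: no xattr tool on this host"
        return 2
    fi
    if ! q_raw=$(xattr -p "$QUARANTINE_ATTR" "$1" 2>/dev/null); then
        echo "not quarantined"
        return 1
    fi
    if ! q_parsed=$(parse_quarantine "$q_raw"); then
        echo "malformed: $q_raw"
        return 3
    fi
    echo "quarantined: $q_parsed"
}

# Demo: decode the constructed sample, then check a file if one was given.
parse_quarantine "$SAMPLE_QUARANTINE"
if [ $# -gt 0 ]; then
    quarantine_status "$1"
fi
```

Run it as `sh quarantine_check.sh ~/Downloads/some-file` on a Mac. The decoded agent name and timestamp say which application wrote the file and when, which is the provenance a responder wants when an unexpected binary turns up in a user's home directory; the "not quarantined" result is deliberately neutral, since a file fetched with `curl` or extracted by a terminal tool never had the attribute to begin with.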

                                                                                                                                                                                                                                                                                                                                                                                                        • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                          Notarization is an additional check that ensures that Apple has not revoked permission for the software to run.

                                                                                                                                                                                                                                                                                                                                                                                                        • inimino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                          It looks like my time with MacOS is rapidly coming to an end. Any Linux distro recommendations these days?

                                                                                                                                                                                                                                                                                                                                                                                                          • markosaric 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                            I switched almost 2 years ago after 15 years on Macs.

                                                                                                                                                                                                                                                                                                                                                                                                            Fedora 32 Workstation is pretty good if you want to see the best of what Linux can offer. It may not be the lightest and fastest distribution but it is easy to install and everything works. You'll get to experience Gnome which is the most original Linux desktop environment and the best one in terms of user experience in my opinion.

                                                                                                                                                                                                                                                                                                                                                                                                            If you want something more traditional with the start menu or dock or desktop icons, perhaps something like KDE Neon is a better place to start. It might feel more familiar. It will be lighter/faster too.

                                                                                                                                                                                                                                                                                                                                                                                                            Put each of them on a USB and run them live on your machine for a few minutes each and see which one makes more sense to you.

                                                                                                                                                                                                                                                                                                                                                                                                            • jcadam 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                              I switched from MacOS to Linux years ago. For a developer workstation these days I'd probably either go with Ubuntu LTS or Fedora (my personal choice). Either runs fine on my XPS 13.

                                                                                                                                                                                                                                                                                                                                                                                                              Note: I really wanted to like WSL, but it just didn't work for me.

                                                                                                                                                                                                                                                                                                                                                                                                              • j45 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                Ubuntu 20 has been a pleasant surprise; it seems to have turned a productivity and speed corner. I've been getting lost in it for hours on end and forgetting to use my MacBook.

                                                                                                                                                                                                                                                                                                                                                                                                                The feeling reminds me of the first Macbooks I used when switching away from Windows Vista.

                                                                                                                                                                                                                                                                                                                                                                                                                • gnalck 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                  Fedora "just works" and has some of the more sane defaults. The only tweaks one typically needs to do are to add the RPM Fusion repos and, at some point, disable/tune down SELinux when it is a bit too paranoid.

                                                                                                                                                                                                                                                                                                                                                                                                                  • swebs 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                    Give Pop OS a look. It's based on Ubuntu with some additional UI polish.


                                                                                                                                                                                                                                                                                                                                                                                                                    • dhruvkar 10 days ago


                                                                                                                                                                                                                                                                                                                                                                                                                      By far the best linux I've tried when trying to get feature parity with macOS.

                                                                                                                                                                                                                                                                                                                                                                                                                      • m463 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                        After you've gotten used to Linux, you might want to try Arch.

                                                                                                                                                                                                                                                                                                                                                                                                                        It is lightweight, since you choose everything that is installed, sort of opt-in.

                                                                                                                                                                                                                                                                                                                                                                                                                        It has all the latest software.

                                                                                                                                                                                                                                                                                                                                                                                                                        It has "rolling releases" which means there is never a giant lost-weekend distribution upgrade.

                                                                                                                                                                                                                                                                                                                                                                                                                        It has the AUR (arch user repository) for just about any software ever.

                                                                                                                                                                                                                                                                                                                                                                                                                        • speedgoose 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                          Windows 10 with WSL if you have a laptop.

                                                                                                                                                                                                                                                                                                                                                                                                                          Debian or similar or ArchLinux if you have a desktop.

                                                                                                                                                                                                                                                                                                                                                                                                                          • tsukurimashou 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                            I would recommend: Ubuntu, Linux Mint, Elementary OS, Pop_OS!

                                                                                                                                                                                                                                                                                                                                                                                                                            if you want: nice experience out of the box

                                                                                                                                                                                                                                                                                                                                                                                                                            I would recommend: Arch, Gentoo, Debian Net inst, Void

                                                                                                                                                                                                                                                                                                                                                                                                                            if you want a base system and install things you want on top of it

                                                                                                                                                                                                                                                                                                                                                                                                                            • andarleen 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                              If in doubt just switch to Ubuntu (there are better alternatives, but it's a good starting point). I'm done with macOS (though I really loved it).

                                                                                                                                                                                                                                                                                                                                                                                                                              • wetpaws 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                Mint has been my daily driver for a year; it does a fine job so far.

                                                                                                                                                                                                                                                                                                                                                                                                                                • sergiotapia 10 days ago


                                                                                                                                                                                                                                                                                                                                                                                                                                  It's Ubuntu without the bullshit monetization.

                                                                                                                                                                                                                                                                                                                                                                                                                                  • valeg 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    Kids love Manjaro these days.

                                                                                                                                                                                                                                                                                                                                                                                                                                  • KevinSjoberg 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    Thought I was going insane seeing delays myself on a daily basis since Catalina. Turns out I'm not insane but a victim of Apple's continuous neglect of Mac OS.

                                                                                                                                                                                                                                                                                                                                                                                                                                    How can something as damning as this ever reach end consumers without getting detected?

                                                                                                                                                                                                                                                                                                                                                                                                                                    • marcinzm 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                      If Microsoft wasn't doing ever worse privacy things with Windows I'd seriously look into switching away from Mac OS given the ever growing issues it's been having with every release.

                                                                                                                                                                                                                                                                                                                                                                                                                                      • lol768 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                        The set of possible operating systems to consider does not contain two items.

                                                                                                                                                                                                                                                                                                                                                                                                                                        • wl 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                          At least 10.14 is supported for now.

                                                                                                                                                                                                                                                                                                                                                                                                                                          It's really frustrating to see Apple make all these poor decisions and they almost never are willing to admit their mistakes and go back. In the rare case when they do (e.g. butterfly keyboard, Mac Pro), it takes them years to turn around.

                                                                                                                                                                                                                                                                                                                                                                                                                                          • ksec 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                            That has been my view as well. It isn't that Apple is particularly good with anything software (I will give them that they have an edge in UX). But Microsoft is just so horribly bad every time I look at it that it makes macOS look good.

                                                                                                                                                                                                                                                                                                                                                                                                                                            • philwelch 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                              Switch to Linux then.

                                                                                                                                                                                                                                                                                                                                                                                                                                            • kar1181 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                              I completely understand why things are going the way they are as our computing environment has become ever more hostile. But I am very nostalgic for the time where I would power up a Vic-20 and within seconds be able to get to work.

                                                                                                                                                                                                                                                                                                                                                                                                                                              Teaching my daughter to program on a modern computer, we spend more time bootstrapping and in process, than we do in actual development.

                                                                                                                                                                                                                                                                                                                                                                                                                                              • tragomaskhalos 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                That computers are just slower to interact with now is such a truism that we hardly remark upon it any more. It seems utterly insane that in the early 90's I could just run Windows 3.1 on a bit of kit that in all likelihood wouldn't even power a toaster today, and the experience was, well, frictionless. I don't recall ever thinking "wtf is this thing doing?", whereas today, by contrast, if I have the audacity to be afk for long enough for my Windows 10 box to go to sleep I know I am in for an infuriating waste of minutes' worth of disk thrashing before the bloody thing even deigns to reacknowledge my existence.

                                                                                                                                                                                                                                                                                                                                                                                                                                                • massysett 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  If that’s what you really want, grab a used ThinkPad and put Arch Linux on it. It will boot in a few seconds and is much more powerful than a Vic-20.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  • amelius 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                    We're moving away from general purpose computing, and Apple is one of the greatest forces in this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    Also, they are a threat to a free market for software, as they regulate their walled garden with arbitrary rules and skim off a lot of value.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    I honestly don't understand why a large portion of developers have so much love for Apple. I'm personally a proud owner of a desktop PC with an ASUS motherboard. It serves me fine, and gives me full control over the software installed on it. I'm not a laptop-person but I believe there are many perfectly capable non-Apple laptops out there.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • kens 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                      At the Computer History Museum, I use an IBM 1401 mainframe (1959). When you hit the power button, relays go ch-ch-chunk and it's immediately ready to use. Because it has magnetic core memory, it even has the previous program already in memory, preserved over power-down. Computers have taken many steps backwards as far as startup time. Of course, loading a new program from punch cards is slow, so some things have improved :-)

                                                                                                                                                                                                                                                                                                                                                                                                                                                      • gorgoiler 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                        Watch a boot. It is the new joy, for children, to see an entire machine appear before their eyes and be able to instantly code away on it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                        • downerending 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                          On the plus side, emacs now starts far faster than most computers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                          • blondin 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                            > I completely understand why things are going the way they are as our computing environment has become ever more hostile.

                                                                                                                                                                                                                                                                                                                                                                                                                                                            care to elaborate a bit? what did you understand?

                                                                                                                                                                                                                                                                                                                                                                                                                                                            i just can't get my head around this idea that most non-mobile OSes have become such hostile environments...

                                                                                                                                                                                                                                                                                                                                                                                                                                                            yes, the population at large only uses their phones and tablets and doesn't care much. but they would be left without any entertainment if it wasn't for those of us who still need decent non-mobile environments.

                                                                                                                                                                                                                                                                                                                                                                                                                                                            • chooseaname 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                              So, the question is will people get to a point and say enough is enough? And if so, will enough people be saying it for it to make a difference?

                                                                                                                                                                                                                                                                                                                                                                                                                                                              • hota_mazi 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                It takes less than five seconds for my Windows 10 to go from asleep to ready for work, and that includes logging in with Windows Hello (the fingerprint reading is crazy fast).

                                                                                                                                                                                                                                                                                                                                                                                                                                                              • konart 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                I had been using linux distros (~5 years of Ubuntu and ~3 years of Arch) before switching to macOS somewhere around 2013-2014. And now, years later, I'm thinking about moving back. But every time I think about this I start by digging into the current Linux situation, and every time I realise that it is still a horrible system for anything outside of work, especially if you can't really do without a decent UI/UX.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                Apple's ecosystem is also an issue. iOS + macOS is still much better than anything on the market (no alternatives really).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                • PKop 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Switched from macOS this year having used it for about 8 years to first PoP_OS and now Manjaro. Both were great (GNOME environments) and very productive for both development and general use. I really like the streamlined, "get out of your way" UI.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I would say go for it, I'm glad to not be dealing with any of this nonsense, while paying a premium for it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • inimino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                    I use my work machine for work and my personal equipment for everything else. My iPhone is more standalone than it used to be. I don't see any reason why I'd ever connect my personal phone to my work computer. So I don't see many downsides to making the switch.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • bitcharmer 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Linux on the desktop has been my daily driver for years (mainly xfce and gnome).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I use linux to watch movies, create music, play games and everything else. What exactly makes it a "horrible system outside of work" for you?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • formercoder 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PC + WSL + somewhat illicit OS X VM has been a dream for me as a former Mac user.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • halotrope 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Give windows 10 and WSL2 a try. With the new terminal and editor it is really a neat setup. macOS is hard to beat in terms of smoothness and looks but unfortunately it gets more and more clunky for working.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • jfkebwjsbx 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            > iOS + macOS is still much better than anything on the market (no alternatives really).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The Windows + Linux combo is way better for all productivity, gaming and development than the mess macOS has become since Jobs passed away.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • zimpenfish 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Their "see!" shell script example is a bit rubbish because I get 0.012s, 0.005s on this Mac laptop whilst getting 0.022s, 0.023s on Linux box 1 and 0.006s, 0.006s on Linux box 2.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Changing the filename to on the Mac (which should trigger the delay, right?) gets 0.006s, 0.006s.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I don't think the shell scripts are doing what they claim (and wouldn't the second run be faster anyway because of caching?)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • egorfine 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If they are caching based on inode, this will not invalidate the cache. Do cp and try again.
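The rename-versus-copy question above (zimpenfish changed only the filename; egorfine suggests the cache may be keyed by inode) can be checked directly. The bash script below is an added example, not varenc's script or anything else from the thread; it creates a fresh script, times it twice, then times the same file after `mv` (same inode, new name) and after `cp` (new inode). Directory and file names come from `mktemp` and are constructed here.

```bash
#!/bin/bash
# Added example (not from the thread): time a freshly created script on its
# first and second run, then see whether renaming (same inode) or copying
# (new inode) the file brings the first-run delay back. Needs bash for the
# `time` keyword and TIMEFORMAT; all paths are constructed under mktemp.

TIMEFORMAT=%R   # make bash's `time` print only wall-clock seconds

# Create an executable script whose name and content are both unique, so no
# earlier run could have cached it. Prints the path.
make_fresh_script() {
    dir=$1
    tag="${RANDOM:-0}-$$-$(date +%s)"
    f="$dir/hello-$tag"
    printf '#!/bin/sh\necho Hello %s\n' "$tag" > "$f"
    chmod a+x "$f"
    printf '%s\n' "$f"
}

# Inode number of a file. `ls -i` works the same on macOS and Linux, unlike
# stat, whose flags differ between the two.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Returns 0 when both paths refer to the same inode, 1 otherwise.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# Wall-clock seconds for one execution of the given script, e.g. "0.004".
# The script's own output is discarded; only the time keyword's output is kept.
run_timed() {
    { time "$1" >/dev/null 2>&1 || true; } 2>&1
}

# Run a script twice and report both timings on one line: "first second".
first_vs_second() {
    printf '%s %s\n' "$(run_timed "$1")" "$(run_timed "$1")"
}

# Full experiment: fresh file, renamed file (same inode), copied file (new inode).
# A cache keyed by path should make the renamed file slow again; a cache keyed by
# inode should make only the copy slow again.
run_experiment() {
    dir=$(mktemp -d) || return 1
    f=$(make_fresh_script "$dir")
    echo "fresh file $f: $(first_vs_second "$f")"

    mv "$f" "$f-renamed"          # same inode, new name
    echo "renamed (same inode): $(first_vs_second "$f-renamed")"

    cp "$f-renamed" "$f-copied"   # new inode, same content
    echo "copied (new inode):   $(first_vs_second "$f-copied")"

    rm -rf "$dir"
}

run_experiment
```

On a machine without the delay all six numbers will be in the same few-millisecond range, which is what zimpenfish reports; the comparison is only informative when the first run of the fresh file is visibly slower than its second run.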

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Nextgrid 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I've been forced to update to this pile of shit because latest iOS requires latest Xcode which in turn requires Catalina. It's a nightmare.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              First off the new apps (music, podcasts, etc) are terrible. They killed off iTunes but replaced it with much worse. These apps don't behave like standard macOS apps, the UI is full of inconsistencies and is just so empty. This website has nice examples of the failures of modern Mac OS:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              For some reason after updating the "new updates" badge was stuck on the system preferences icon (and even on the preference pane itself) despite no updates being available. I ended up having to delete a plist and reboot to fix it, apparently a common issue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The Mail app will now randomly play the "new mail" sound. I can't confirm it for sure but I'm assuming it's treating read, existing mails when they are moved to the trash/archive or newly created drafts. They screwed up the mail app, a problem that has been solved for decades. WTF? The worst is that I see no major changes in there, so why touch the mail client in the first place if you're not even going to give me additional features in exchange?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Xcode was stuck upgrading in the App Store. It would start the process and never make any progress. Cancelling it had no effect. Rebooting cancelled it but the second attempt, while making progress, ended up failing with a generic error message with no actual information. Logs are useless because they're being spammed by all the background processes even during normal operation making it impossible to find anything. Finally the third attempt succeeded.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1Password now takes 5 more seconds to unlock my password database. Somehow this disgrace of an OS slowed down the password hashing process by an order of magnitude.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Switching screen resolutions or connecting to an external screen takes a good 10 seconds of flickering and frozen UI before everything starts working again. This is now actually worse than both Windows and Linux. I dread moving the laptop or touching the USB-C cable (also because USB-C is so brittle) when it's connected to an external monitor out of fear that it'll disconnect/reconnect and I end up in a 30-second cycle of flickering.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I upgraded a couple of days ago, so those are not early bugs. Apple had a year to fix all of this. The Xcode thing might be an isolated issue but there's no excuse for the general performance penalty or the stuck update badge which has many hits on search engines suggesting it's a widespread issue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • BruceEel 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > I've been forced to update to this pile of shit because latest iOS requires latest Xcode which in turn requires Catalina. It's a nightmare.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I'm literally halfway there as I type this, Xcode 'installing components'. Having to upgrade essentially everything just to get the right dev tools for the current iOS is madness, feels like buying a new house to fit the new coffeemaker...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > The Mail app will now randomly play the "new mail" sound.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It’s not quite random: it plays the sounds as it gets new email, but then it takes anywhere between a couple of seconds to a minute for the new email to be visible in the UI. Infuriating.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > Xcode was stuck upgrading in the App Store. It would start the process and never make any progress. Cancelling it had no effect. Rebooting cancelled it but the second attempt, while making progress, ended up failing with a generic error message with no actual information.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I just normally kill the store-related daemons when that happens.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • davidvartan 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Re: downloading Xcode, this page has saved me hours: It's just a list of direct links to each version of Xcode at Mystery why Mac App Store downloads still can't be bulletproof after all these years.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • dmix 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I don't share your issues with Catalina [1] but I have to agree Podcast app's UI design is very strange. The primary interface should be the "Episodes" tab.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Just like Twitter's UI, app developers think they know what content is best for you with a 'feed' or 'featured'... they've completely abandoned chronological ordered lists of content unless you click 2-3 buttons.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      [1] Catalina has been painless for me, not sure why my experience was different than everyone else

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • inimino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I also upgraded days ago, assuming they would have had time to fix the bugs. However, I can say the USB-C external screen flicker was plaguing me before the upgrade and hasn't gotten worse. Turning off hot corners, oddly, helped, although the problem hasn't gone away.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • maevyn11 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I've had a similarly painful experience upgrading last week. Though it doesn't seem quite so bad as the posters above, and after making a few fixes most everything is back to normal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          My one remaining serious annoyance is that my external monitor color settings are screwed up and there appears to be no fix. Reds are purple and everything is just a little washed out, which is a shame for a 4k monitor that was beautiful with Mojave.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Strangely, right before the computer restarts, or if booted in safe mode the color starts to look perfect again, but I can't seem to replicate that in normal operation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • 2ion 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Our help desk is wise enough to keep existing mac users on the oldest supported macOS version; but inevitably at some point in the future they'll have to roll out the latest version. This will be the week when I will exchange my macbook for a Windows 10 ThinkPad. A lot of our dev teams have moved to this setup already using WSL or a VM for Linux if really needed and it has been really smooth (our helpdesk staying on top of the Active Directory and Windows Update management game also).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • neuronic 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I share almost all of these issues. What drives me super nuts is the multi-display support which NEVER "just works".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I have to disconnect and reconnect USB-C 3 times, turn off the second monitor, switch inputs, restart the €3000 machines twice or whatever. So annoying, how does this pass QA at all?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Also, don't setup and use multiple users at the same time. That's really messy as well.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • fredsted 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Your experience certainly sounds bad, but none of this is normal; mail sound, USB-C cable brittleness, 1password slowness, all of it works nicely for me.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • ehutch79 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Have you actually done anything to try and fix these issues? Because this is not typical

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I use 1password and it doesn't take 5 seconds to open. Did I accidentally install Linux or something? Because since it's the OS causing your delay it would be causing me to have the same delay.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  xcode installs just fine for my entire team. Just did the update myself, worked just fine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I plug into a dock and undock constantly during the day, and while it could be quicker, 10 seconds and flickering is NOT my experience.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  and what the fk are you doing to your connections that you consider usb-c brittle?!?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • chadlavi 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > You can test this by running the following two lines in a terminal:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > echo $'#!/bin/sh\necho Hello' > /tmp/ && chmod a+x /tmp/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > time /tmp/ && time /tmp/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Am I missing something here?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I just did this, and the timing between the first and second run was barely noticeable -- in fact, the first run was slightly quicker:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > echo $'#!/bin/sh\necho Hello' > /tmp/ && chmod a+x /tmp/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > time /tmp/ && time /tmp/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > Hello

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > /tmp/ 0.00s user 0.00s system 55% cpu 0.006 total

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > Hello

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > /tmp/ 0.00s user 0.00s system 41% cpu 0.010 total

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This is on macOS 10.15.4.
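An added example, not posted by anyone in this thread, that removes the two ways a repeat measurement can be contaminated: it uses a fresh file name (mktemp) and fresh file contents (an embedded random number) for every trial, so each run is a never-before-seen hash, then times the first and second execution with bash's `time` builtin. It assumes bash (the macOS /bin/bash 3.2 is enough) and a writable, executable $TMPDIR; the threshold is an assumption, not a number from the thread.

```bash
#!/bin/bash
# Added example, not from the original discussion.
# Creates a brand-new script (new name AND new content hash), runs it twice,
# and prints the wall-clock seconds of run 1 and run 2 on one line.
first_vs_second() {
  local dir="${1:-${TMPDIR:-/tmp}}"
  local f t1 t2
  f="$(mktemp "$dir/sbd.XXXXXX")" || return 1
  # Two $RANDOM draws so the content differs from any earlier trial.
  printf '#!/bin/sh\necho Hello %s\n' "$RANDOM$RANDOM" > "$f" || { rm -f "$f"; return 1; }
  chmod a+x "$f"
  local TIMEFORMAT=%R   # bash `time` keyword: real seconds only
  local LC_ALL=C        # keep a '.' decimal point regardless of locale
  t1=$( { time "$f" >/dev/null; } 2>&1 )
  t2=$( { time "$f" >/dev/null; } 2>&1 )
  rm -f "$f"
  printf '%s %s\n' "$t1" "$t2"
}

# Returns 0 when the first run was slower than the second by at least
# $2 seconds (default 0.05, an assumed threshold), i.e. a visible
# first-launch penalty; 1 otherwise or if the trial could not run.
first_run_penalty() {
  local threshold="${2:-0.05}"
  set -- $(first_vs_second "$1")
  awk -v a="$1" -v b="$2" -v th="$threshold" 'BEGIN { exit !(a - b >= th) }'
}

# Usage: run a handful of trials so one noisy measurement does not decide.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  for i in 1 2 3; do
    printf 'trial %d (first second): %s\n' "$i" "$(first_vs_second)"
  done
fi
```

Run it several times in a row: because every trial is a new hash, a first-launch delay that depends on a network round trip should show up on every trial, not only on the very first one, which is the distinction the single-file test above cannot make.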

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • vegardx 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I had put off upgrading for a long time because nothing good can come from running the latest stable release. They've never been stable. But Apple sort of forced me to update recently since I wanted to back up my phone, which I wanted to do before switching to a new one. I imagined that it would be better after a year. Boy was I wrong, and I regret doing it very much. It has been a constant pain ever since; Bluetooth is completely broken.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    - My external trackpad isn't able to connect, at all. Audio devices require that I kill coreaudiod before connecting, otherwise they just disconnect after a few seconds.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    - I can wake the laptop with a bluetooth keyboard, but when it's awake the keyboard stops working. Flipping the switch on the backside of the keyboard lets it reconnect again.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    - There are transitions that you cannot disable that makes your laptop feel super slow. In Mojave you could disable them, in Catalina you can't unless you want to run with SIP disabled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    - There's also a super fun bug with mobile hotspot failing to activate, and there's no way for you to just manually connect to your own hotspot, it has to go through this bluetooth activation, even though your mobile hotspot is visible and connectable on all other devices. You end up in situation where you connect to your friends hotspot and they connect to yours, since neither of you are able to connect to your own.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I've given up. The quality control in Apple is down the drain, and has been for quite some time. I'm fixing to downgrade to Mojave this weekend; hopefully that will make it more stable. But I'm not holding my breath. To add injury to insult, I'm on my third broken keyboard now. Next time it breaks I might just use the consumer laws and make them refund the laptop so they'll have to take a big loss for creating such a flawed device.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • 1123581321 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Those all sound like unusual problems. What external hardware and phone are you using?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • hitekker 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > Another way to reduce the delays is by disabling System Integrity Protection. I say reduce, because I still do get some delays even with SIP disabled, but the system does overall feel much faster, and I would strongly recommend anyone who thinks their system is sluggish to do the same.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The tone of this article reminds me of a passage from the seminal Google+ Platforms Rant:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there's more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > But I'll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rtomayko 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I made the jump to a System76 Adder WS laptop and pop!os for development after buying the lemon first gen MBP with the terrible keyboard. It was my seventh and possibly last MBP (including powerbooks before it).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I was considering one of the new 13” MBPs but that seems unlikely if injecting network latency into syscalls is the direction things are going.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If you’re not building Mac/iOS apps, find a Linux laptop you can tolerate for development and an iPad Pro for everything else.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • justinclift 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Thinking about it, this probably also gives Apple a ~fairly accurate set of usage stats for software.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          All they'd need to do - and it's very simple - is count the number of requests of each given hash lookup.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Since they know the hash for each of their own executables, that gives a direct count of "most used" through to "least used" programs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Not sure if they'd have the hash for third party executables though, to know what the given hash request corresponds to.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If they receive the hash for 3rd party executables when developers sign things, then Apple seems like it's able to generate usage stats for their entire OS and 3rd party app ecosystem.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • grandinj 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This seems like a natural outflow of a company design process that (a) prioritizes security highly (b) prioritizes regular users over developers (c) does not allocate sufficient resources to the product to thoroughly cover all the bases (d) is developed by people in North America, for whom the USA === the whole world, and are used to near 100% seamless internet connectivity with latency < 20ms.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I love macOS, but their software generally has issues with flakey internet connectivity and long latencies - down here in South Africa, ~400ms RTT is not uncommon.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • soraminazuki 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Up until the release of Catalina, I've always upgraded to the latest version of macOS within a month or two. But some of the changes this time are really stopping me from upgrading.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              As of Catalina, there's no sane way to install the Nix package manager without losing functionality because macOS now disallows creating new files in the root directory[1]. Nix stores its packages in the /nix directory and it's not possible to migrate without causing major disruptions for existing NixOS and other Linux users. This is too bad, since apart from Nix being a nice package manager, it also provides a sane binary package for Emacs. The Homebrew core/cask versions only provide a limited feature set[2][3].




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • yalogin 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Brew never had this problem because they chose a sane path without corrupting the system directory. It’s a bad design on part of NixOS and one can even say the changes in the macOS were designed to encourage good/sane design.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • skohan 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  For me it's Aperture. I like the interface better than Lightroom, and I don't want to pay a monthly fee to have access to my photo library which I only add to once in a while. It's a shame because it's a great piece of software, and even the UI doesn't feel dated, but I just won't be able to run it if I upgrade.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • glofish 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    IMHO the original choice of the path seems incredibly ill-advised and the main burden lies with the original developers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Sometimes old errors and mistakes come back and bite.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • lilyball 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      You can install Nix without losing functionality, it’s just annoying because it requires setting up a separate volume, and if you want it encrypted and available before the GUI session restores then you have to use a login script to force-mount it. Personally I just keep my Nix volume unencrypted because I don’t build any proprietary software in it and I don’t care if someone can see what I have installed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I really wish Apple would give third parties the ability to create firmlinks (or at least give Nix one), or barring that, give us a sane way to mount encrypted volumes at the same time that the system volume is unlocked.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • joosters 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        You can create permanent symlinks inside / by creating a file called /etc/synthetic.conf - 'man synthetic.conf' has the full documentation. This sounds like it would solve the issue?
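An added example, not from any commenter in this thread, of the /etc/synthetic.conf format being discussed. Per synthetic.conf(5), a line with a single field such as `nix` makes macOS synthesize an empty directory /nix at boot (usable as the mount point for the separate volume described above), and a line of the form `name<TAB>target` synthesizes a symlink /name pointing at target; the two fields must be separated by a tab, not spaces, which is the mistake the checker below catches. The helper names and the sample paths are assumptions; the file is applied at the next reboot, so the functions only generate and validate entries rather than touching /etc.

```bash
#!/bin/bash
# Added example, not from the original discussion.

# Print one well-formed synthetic.conf line.
# name: a single path component under / (no slashes, no spaces, not empty).
# target (optional): absolute path; if given, the entry is a symlink.
synthetic_entry() {
  local name="$1" target="$2"
  case "$name" in
    ''|*/*|*' '*|.|..) echo "bad name: '$name'" >&2; return 1 ;;
  esac
  if [ -n "$target" ]; then
    case "$target" in
      /*) printf '%s\t%s\n' "$name" "$target" ;;   # tab-separated, as the file format requires
      *)  echo "target must be absolute: '$target'" >&2; return 1 ;;
    esac
  else
    printf '%s\n' "$name"                            # single field: empty directory / mount point
  fi
}

# Validate an existing synthetic.conf-style file: every non-comment line
# must be "name" or "name<TAB>/absolute/target". Prints offending lines,
# returns 0 when the file is clean, 1 otherwise.
check_synthetic_conf() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments and blank lines
    {
      n = split($0, f, "\t")
      ok = 0
      if ((n == 1 || n == 2) && f[1] != "" && index(f[1], "/") == 0 && index(f[1], " ") == 0) {
        if (n == 1 || substr(f[2], 1, 1) == "/") ok = 1
      }
      if (!ok) { print "bad line " NR ": " $0; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Usage: build a candidate file, check it, then review before copying to /etc.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  tmp="$(mktemp)"
  {
    synthetic_entry nix                              # mount point for a /nix volume
    synthetic_entry data /System/Volumes/Data/opt    # assumed symlink target
  } > "$tmp"
  check_synthetic_conf "$tmp" && echo "ok: $tmp"
fi
```

The entry takes effect on the next boot (Catalina also accepts an immediate apply via apfs.util, but a reboot is the dependable route), and the synthesized directory is read-only, so anything that must live under it has to come from a volume mounted there or from a symlink target on the writable data volume.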

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • mjhoy 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It's funny, I just had to do this a few days ago.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This comment has worked for me on two machines:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • mkchoi212 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           I understand the purpose of notarization but I feel like they could've come up with a much better solution to this. A network call __every time__ someone runs an executable is not acceptable. But for the cases where the user is offline, Apple must keep a list of notarized apps on the machine...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • thedanbob 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Nearly every article I see about macOS or Windows these days further confirms to me that switching entirely to Linux was the right call. Maybe 2020 will be the year of the Linux Desktop by default.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • aflag 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             Did Apple make any comments on this? I haven't been able to find any public responses from them. I'm really interested in reading their side of things. This is quite jarring, it's hard to believe it is a thing. However, as I read through tests people did, it seems just as bad as it sounds.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             I was actually getting a mac mini now that I'm working from home (I thought I'd get better integration with some of the company's wfh infrastructure while still having a unixy environment, so a win/win situation), but I cancelled the purchase after reading this. I get that you can jump through some hoops and set some apple specific flags to things so that it works better, but the reason I wanted a mac was to make things easier and not have to look into obscure APIs and features to get simple things working. I was really looking forward to that, but I don't feel that sort of investment will be justified with issues like this in their OS :/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • pram 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This is frankly hyperbole. A single checkbox in a GUI menu that is routinely accessed for managing other system-wide sandbox privileges isn't exactly obscure. It also isn't some difficult, inconvenient task. It needs to be done once.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • ambernightcrush 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This is also the case with APFS on rotational disk drives. Why does APFS perform so much worse on HDD vs SSD? Will Apple fix it?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • cmckn 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 APFS was not designed for spinning disks. No, they won't fix it, because they don't even sell a computer that ships with only a spinning disk (asterisk on the iMac's hybrid drive). HFS+ is still available, just use it if you need to format a spinning disk. I think this is a very different type of issue, with much more reasonable trade-offs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dkmar 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Perhaps related: "How come someone notarized my app?"[0]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 It mentions that anyone with an Apple Developer ID can notarize a qualifying app and submit this notary to the Apple Notary Service. However, the proof of notarization—the notarization ticket—might not be stapled to the application.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                In the case of no stapled ticket, Catalina contacts the notary service to see whether a ticket exists. If so, the app is good to go.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                EDIT. More informative link here[1]. It specifically outlines what happens on first run of an app. (and there's a great diagram if you scroll down)


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • tozeur 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I feel like the continual development of MacOS is making it worse and worse. Similar to Windows, where every extra feature causes more and more complications.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  But alas the 1000s of engineers gotta be put to work somehow.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    There are significantly fewer than 1000 engineers working on macOS.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • sneak 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Increasingly I find macOS only to be tolerable with iCloud (and Siri, location, suggestions, bug reporting, et c) entirely disabled, and Little Snitch’s built in/automatic whitelisting for Apple services disabled, and most of the background processes entirely denied networking access. It phones home constantly even with all of the services disabled/opted out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    It’s indeed a huge mess, from a privacy standpoint too, not just a performance one. It’s sad also to lose things like AirPlay or iMessage as collateral damage in the process. :/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I just can’t tolerate a machine that hits the network hundreds of times a day when doing normal computing tasks that do not involve the network. They even tolerate this sort of spyware in App Store apps, too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Is it too much to ask for a polished workstation OS that lets me boot and edit a local text file of notes and save and quit without notifying 4 different parties that I did so?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • m463 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      and there are a lot of background processes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      running just firefox and terminal, ps -ef|wc -l is 198

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      and many of them have no reason to be on my system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • cmckn 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I run a pihole at home, which has intermittent issues. When macOS can't resolve a hostname, almost every user-facing UI grinds to a halt. It's truly bizarre. Applications won't launch, menus don't respond, etc. Feels like a decade ago when your spinning disk was going bad. Not cute :(

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • skykooler 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If it checks with Apple servers every time you execute a new binary, what happens if you don't have an Internet connection? Are you just unable to run new code?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • nromiun 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > One way to solve the delays is to disable your internet connection.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           I think it just skips the checks if internet isn't available. But doesn't that kind of defeat the point of notarization?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • OskarS 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The linked website isn't loading, so I don't know what it says, but: if we're talking about notarization, you can "staple" the notarization to a .app or a .pkg, which means you don't have to do the internet lookup at all, and you can run the apps without having access to the internet. I'm not sure about the technical details, but I would assume you add some sort of signature that's like "This .app with hash X has been notarized and it's fine" signed by Apple's secret key.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            EDIT: how to staple:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • cpncrunch 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The article says "One way to solve the delays is to disable your internet connection" so I assume it just doesn't bother with notarization when you do that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • enriquto 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > If it checks with Apple servers every time you execute a new binary, what happens if you don't have an Internet connection? Are you just unable to run new code?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It waits 5 seconds while trying to connect, and then it gives up and caches the program as un-notarized, allowing it to run faster on later executions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 Notice that notarization seems to be disabled if the network is disabled from within the OS. To observe the 5 second delay you need to cut the connection outside (e.g., on your router), while the Mac still thinks it is connected. I observed it by running Catalina inside a VirtualBox VM and disabling its network.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • ken 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > With internet enabled, it was reproducible by relaunching the application and triggering the code that called SecKeychainFindGenericPassword.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I have issues with a lot of APIs, but SecKeychain has got to be one of the worst. I don't think it's gotten any love in many, many years. Unlike literally every other Apple API that a Macintosh application might reasonably use, you call its functions (even from Swift) by passing strings as (length:UInt32, data:UnsafePointer<Int8>?) pairs, and getting results out by passing (length:UnsafeMutablePointer<UInt32>?, data:UnsafeMutablePointer<UnsafeMutableRawPointer?>?) pairs, and checking OSStatus return values. Every aspect of it is painful.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 In Apple's "Documentation Archive" there are three "Sample Code" downloads related to Keychain. The newest one is for TouchID, and the oldest is for PowerPC. This is an area of the OS that doesn't get much attention.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > This issue has been reported to Apple and assigned FB7679198. Apple has responded that applications should not use this function, though the documentation for SecKeychainFindGenericPassword does not state that it is deprecated

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I see that it's now grouped in a section of the docs called "Legacy Password Storage", but not actually "deprecated". Strange. That means you won't get any indication of its non-current status from Xcode, or even reading the release notes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I like that there's a newer (and presumably less awful) interface. I don't look forward to having to rewrite/retest that corner of my application. Seeing all the CFString/CFDictionary casting and OSStatus checking with the new functions, it still doesn't look all that great.
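For anyone who has not seen the calling convention ken describes, here is an added example (not from the thread, and not Apple sample code) of the legacy lookup in Swift: strings go in as (length, pointer) pairs, the password comes back through two out-pointers, the only failure signal is the OSStatus, and the framework-owned buffer has to be released by hand. The service and account names are placeholders.

```swift
import Foundation
import Security

/// Error wrapper so an OSStatus can travel through Swift's Result type.
struct KeychainError: Error {
    let status: OSStatus
    var message: String {
        (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
    }
}

/// Look up a generic password with the legacy SecKeychainFindGenericPassword call.
/// Every string argument is a (byte length, C pointer) pair; results arrive via
/// out-pointers; success or failure is only visible in the returned OSStatus.
func findGenericPassword(service: String, account: String) -> Result<Data, KeychainError> {
    var passwordLength: UInt32 = 0
    var passwordData: UnsafeMutableRawPointer? = nil

    // Swift bridges a String to UnsafePointer<Int8> only for the duration of
    // this call. The lengths must be UTF-8 byte counts, not character counts.
    let status = SecKeychainFindGenericPassword(
        nil,                                   // nil = default keychain search list
        UInt32(service.utf8.count), service,
        UInt32(account.utf8.count), account,
        &passwordLength, &passwordData,
        nil)                                   // item reference not needed here

    guard status == errSecSuccess, let raw = passwordData else {
        return .failure(KeychainError(status: status))   // e.g. errSecItemNotFound
    }

    // Copy the secret out, then release the buffer. The framework allocated it,
    // so SecKeychainItemFreeContent, not free(), must release it.
    let password = Data(bytes: raw, count: Int(passwordLength))
    SecKeychainItemFreeContent(nil, raw)
    return .success(password)
}

// Placeholder service and account names (assumed, not from the thread).
switch findGenericPassword(service: "com.example.placeholder", account: "someone") {
case .success(let secret):
    print("found a \(secret.count)-byte password")
case .failure(let err):
    print("lookup failed: \(err.message)")
}
```

The Data copy holds the secret for as long as it is alive, so keep its scope as short as possible; Swift offers no reliable way to zero it afterwards.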

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • xvector 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  What a ridiculous feature. The people involved in making this decision ought to be fired.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • parhamn 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I'm showing 20-200ms longer on first run of the exec. Modified the test script a bit to show that it doesn't happen again if you modify the executable's contents.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        echo $'#!/bin/sh\necho Hello' > /tmp/ && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        chmod a+x /tmp/ && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        time /tmp/ && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        time /tmp/ && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        echo 'echo Hello2' >> /tmp/ && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        time /tmp/
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • eugenekolo 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Another slight modification to make this show the effect every time:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f=$(mktemp) && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          echo $'#!/bin/sh\necho Hello' > $f && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          chmod a+x $f && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          time $f && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          time $f && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          echo 'echo Hello2' >> $f && \
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          time $f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      On my system:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          real 0m0.131s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          user 0m0.001s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          sys 0m0.002s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          real 0m0.004s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          user 0m0.001s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          sys 0m0.002s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          real 0m0.004s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          user 0m0.001s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          sys 0m0.002s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • unilynx 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       I got hit by this yesterday: borgbackup (installed using Homebrew) had a 5 second delay on every invocation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       Setting Terminal as a Developer Tool in Security & Privacy fixed it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • blackrock 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        One frustrating experience on the Mac is keyboard shortcuts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Yes, they have polished the GUI, which makes it easy to navigate by mouse. But, when you need to work in speed mode, then you reach for the keyboard shortcuts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         The problem is that there are plenty, too many sometimes, and they are often inconsistent between applications.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        And yes, the Mac has a keyboard shortcut assignment tool, but it often doesn’t work correctly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         I must give credit to Microsoft here. They at least seem to have perfected most of the common keyboard shortcuts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Some good features of Windows shortcuts:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1. Alt-Spacebar to open the windows control menu, to move, minimize, maximize, or close the window.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2. Alt combinations are used to control the active Window application itself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3. Alt-F4 to close the window. But, I would have preferred Alt-Escape instead, to close the window.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4. Control key for shortcuts inside the application. Like, Ctrl-C for copy. O for open. P for print. Etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5. Then the Windows key, to control Operating System level shortcuts. Like Win-M to minimize all windows. Win-L to lock the computer. Win-R to launch a command.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Some features I would like are: Win-Spacebar to open a command search, similar to Win-R but with the ability to list all possible commands, similar to activating the command palette on VSCode.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        And Ctrl-Spacebar, to activate keyboard commands for the active window. Kinda like Emacs, where I can run macros on it, like highlighting the words that I want, and execute something on it, like changing to uppercase, or converting to comma separated, or whatever else is needed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • astronautjones 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          this has always been the case. the underlined shortcuts in menus are a godsend in non-osx OSes. I am still astonished at the hostility of macos when it comes to Yes/No dialogs - you usually can't hit Y or N! This changed at some point after snow leopard. If I could run HDCP on my old macbook, I'd still be using snow leopard. aesthetically, they have made no innovations of use since then.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • jakearmitage 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This seems to be, once again, a case of user experience being degraded due to lack of attention, testing and measurement of impact by security engineers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • inimino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Once you have security engineers, security is no longer the responsibility of all engineers equally, and you've already lost at security.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • HugoDaniel 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I have been running OpenBSD for all my dev work in a VM for quite some time now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This just makes me wanna start using it for more things besides dev work :(

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • PopeRigby 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Just did a test using the command the author listed. Benchmarked on ArchLinux and got 0.00s. I then did the same test on MacBook Pro and got 0.332s. I feel like that's pretty bad. 0.332s might sound inconsequential, but that's just for a single echo command. I would imagine it gets exponentially worse as your executable grows in complexity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • herova 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Windows + VSCode + WSL2 + Terminal + PowerToys = Just one love, never looked back.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • xyst 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The only problem I have with that is "Windows"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'm currently trying to figure out how to emulate windows from a *nix distribution using qemu. I plan to use this as a "home lab" (k8s cluster or just plain fucking around), but still retain the ability to play an occasional AAA game.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • rb808 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The weird thing is the price of windows laptops have skyrocketed with the shortages. New MBPs are cheaper than X1 Carbons and XPSs with 10gen chips.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • asdff 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    New MBP with a 10th gen chip is a $600 upgrade over the base model with an 8th gen chip.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jarjoura 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Every other week Lenovo has some crazy 25-50% off coupon for their laptops.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • swiley 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      How do people put up with the complete brokenness in commercial OSes? Is this really better than having to edit the occasional config file?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Personally, I know which process to kill when things go south. It's not early to acquire this information, though.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • inimino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Last year I was preaching that if you can't develop in a submarine or a space station (or on the metro), from a fresh git clone to your next git push, then your development environment is broken and you should burn it to the ground and start over.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It'll be interesting to see how much power we developers will let Apple take from us before we jump the garden wall.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Interestingly, I hear that iPads cannot be used on the ISS because apps will stop launching if you disconnect from Apple's servers for too long.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • mnm1 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I'm getting 10-15 minute beach ball of death freezes on a month old MBP 16". That recur until I hard reboot. I can't open the 'force quit applications' window during this nor the apple menu. Can't reboot or shutdown from the cli or otherwise. Some apps lose network connections, some don't. The entire system becomes unusable. It requires a hard reboot. I think it's related to Intellij IDEA and similar IDEs somehow, but profiling those shows the slowdown is not in their apps but in the OS. It won't start with anything plugged into the USB ports, not even just power. Been trying various things but if it doesn't go away, I will return this when the Apple store here reopens. The only good thing about this coronavirus is that I've had more than 14 days to test this and find out what a clusterfuck this OS is even on a $4400 brand new mbpro. Do they even test anything anymore?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • jrochkind1 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Do you think developers make up a significant portion of Mac buyers? I think it's possible, but I'm not sure.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I am pretty sure the laptop market has been shrinking generally (as more people have a phone but no laptop). And most developers I know have macs. They probably don't want to make the OS significantly worse for developers...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • vsskanth 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              After this, you can be sure the developer interest will go down even further

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • gautamcgoel 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This why having a vibrant open-source ecosystem is so important. Firstly, the needs of users is the main priority (as opposed to profit or liability minimization or advertising...), and secondly, users have so many options to pick from. For example, if you don't like systemd, you are free to pick an OS without it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • mleonhard 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I don't want to send over the Internet a record of every program I run. Is there a way to opt-out completely?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • dahfizz 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Buy a machine not from Apple.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • sfj 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Unplug from the internet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • headmelted 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    “ Another way to reduce the delays is by disabling System Integrity Protection. I say reduce, because I still do get some delays even with SIP disabled, but the system does overall feel much faster, and I would strongly recommend anyone who thinks their system is sluggish to do the same.”


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jasoneckert 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "Another way to reduce the delays is by disabling System Integrity Protection."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Definitely agree on this one here - I've noticed a big speed improvement when disabling SIP debugging with "csrutil enable --without debug" while in recovery mode.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I should note that the main reason I disable SIP isn't for speed, but to install the yabai window manager to make Aqua far more useful as a developer. I wrote a recent blog post on this, actually (
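A defender-side check that goes with the SIP discussion in this thread, added here as an example and not code from any commenter: a shell function that parses the text `csrutil status` prints and reports which protections are off, so a machine (or a fleet, via a management agent) can be audited for the partially disabled state that `csrutil enable --without debug` leaves behind. The sample outputs are constructed to resemble the command's plain-text report; treat that format as an assumption, since `csrutil` has no machine-readable output mode.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Audits the SIP state described by the
# output of `csrutil status`. On a real Mac:  sip_audit "$(csrutil status 2>&1)"
#
# Return codes: 0 = SIP fully enabled; 1 = fully disabled, custom (partially
# disabled) configuration, or unrecognised output. For the custom case the
# names of the disabled protections are printed one per line.
sip_audit() {
  status="$1"
  # First word after the "status:" label: enabled / disabled / unknown
  state=$(printf '%s\n' "$status" \
    | sed -n 's/^System Integrity Protection status: \([a-z]*\).*/\1/p' \
    | head -n 1)
  case "$state" in
    enabled)
      return 0 ;;
    disabled)
      echo "all"
      return 1 ;;
    unknown)
      # Custom configuration: each "<Protection>: disabled" line names one
      # protection that is switched off (Debugging Restrictions is the one
      # that `csrutil enable --without debug` turns off).
      printf '%s\n' "$status" \
        | sed -n 's/^[[:space:]]*\(.*\): disabled$/\1/p'
      return 1 ;;
    *)
      echo "unparsed"
      return 1 ;;
  esac
}

# Constructed sample outputs (assumption: they mirror csrutil's real wording).
SIP_ENABLED_SAMPLE='System Integrity Protection status: enabled.'
SIP_DISABLED_SAMPLE='System Integrity Protection status: disabled.'
SIP_CUSTOM_SAMPLE=$(printf '%s\n\n%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\n%s' \
  'System Integrity Protection status: unknown (Custom Configuration).' \
  'Configuration:' \
  'Apple Internal: disabled' \
  'Kext Signing: enabled' \
  'Filesystem Protections: enabled' \
  'Debugging Restrictions: disabled' \
  'DTrace Restrictions: enabled' \
  'NVRAM Protections: enabled' \
  'BaseSystem Verification: enabled' \
  'This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.')

# Demonstration over the constructed samples.
for sample in "$SIP_ENABLED_SAMPLE" "$SIP_DISABLED_SAMPLE" "$SIP_CUSTOM_SAMPLE"; do
  if disabled=$(sip_audit "$sample"); then
    echo "SIP fully enabled"
  else
    echo "SIP not fully enabled; disabled protections:"
    printf '  %s\n' $disabled
  fi
done
```

On a live machine the interesting result is the custom case: a non-zero return with `Debugging Restrictions` listed is exactly the trade jasoneckert describes, and a management script can key an alert off that line rather than off the less specific "unknown" status word.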

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I believe disabling System Integrity Protection actually carries over to everything you boot off the computer.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • heinrichhartman 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > [...] it appears that low-level system API such as exec and getxattr now do synchronous network activity before returning to the caller.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         WTAF. If this is really true, this is a reason for me to leave the platform for good. This is just unacceptable in so many ways.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • enriquto 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > a degraded user experience, as the first time a user runs a new executable, Apple delays execution while waiting for a reply from their server.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Wow, this is extremely infuriating! I just ran the "hello world" test script with the network connection disabled and it took 5 seconds to run!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               $ echo $'#!/bin/sh\necho Hello' > /tmp/ && chmod a+x /tmp/
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               $ time /tmp/ && time /tmp/
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               /tmp/  0.00s user 0.00s system 0% cpu 4.991 total
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               /tmp/  0.00s user 0.00s system 77% cpu 0.005 total
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • crazygringo 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I'm so confused about the comments here.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            There are a bunch of people who can't reproduce the slowness at all, but nearly all downvoted or you have to wade through 100's of comments to get to them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The majority of comments are just dumping on Macs, nothing whatsoever to do with the content of the article, and seem to be blindly assuming it's true.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            And I can't seem to find any substantive discussion of whether this is actually real or not, or just some weird bug on the author's machine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I don't see any evidence that Catalina is "slow by design", just a single anecdote from the author. I was definitely hoping for some more substantive critique/discussion...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • defnotashton2 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               OP linked validated bug reports, one of which Apple responded to with "by design", which is where OP derived the title from.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               The downvotes are because it seems pretty clear that the people who don't experience it have long-lived instances of their OS and likely have grandfathered or disabled security settings. There are a lot of people saying it's pretty easy to replicate with a new OS.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              And it is, I just did it. Did you?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tinco 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Did you run the test yourself? Why do you assume people are blindly assuming it's true? For me first run was 0.5s, second run was 0.004s, so there's definitely something going on.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > There are a bunch of people who can't reproduce the slowness at all, but nearly all downvoted or you have to wade through 100's of comments to get to them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It's possible that they have certain security features disabled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > The majority of comments are just dumping on Macs, nothing whatsoever to do with the content of the article, and seem to be blindly assuming it's true.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Welcome to Hacker News…this is common on any discussion on any topic, especially one that many people can understand in some way.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • vbsteven 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  With Apple degrading the developer experience with each release and Microsoft working hard on things like WSL(2) and the new "package manager" I think within a year or 2 lots of developers will go back to Windows-based machines.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • xvector 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    As a security engineer myself, what Apple is doing here is completely fucking insane. I honestly cannot believe that anyone thought it was a good idea.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jaykru 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Has anybody in the tech media picked up on this? Doesn't seem like it from a cursory browse of my favorite sites (HN do your magic) This seems like something that Apple really ought to be taken to task for. I'm sure the privacy concerns if not the performance will rile up the broader non-HN public if only the information reaches them. Perhaps then we can get Apple to move to a less stupid system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • sorryitstrue 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      An issue I've been dealing with forever on my mbp 2013 is the machine just pausing input for 2-4 secs (video and audio don't hitch, just keyboard/mouse input).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       I recently took the trouble to completely wipe the disk and reinstall macOS Mojave, and it's still happening, so it's not due to cruft installed over time in OS X. I dunno. I'll deal with it until it gives up the ghost and probably move to a Windows machine with the work they're putting into WSL2.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rch 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        High quality laptops shipping with Linux have been available for some time now. I know of a couple of companies that are providing an option for employees to switch.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • harpratap 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           This coupled with the horrible Docker 100% CPU usage bug ( might be the top reasons why I hate WFH right now. My Linux desktop in the office was so much faster at everything (granted it's desktop vs laptop, but still, it's a laggy mess developing on OS X now).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • csomar 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It gets even worse. I was doing some web dev in the last couple months and I noticed that my "localhost" was ridiculously slow. At first, I thought it was NPM/Gulp but then I noticed that it behaved irrationally, sometimes it is slow and sometimes it works.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The problem was: Parental Control. Apparently, every request was checked and thus slowed the whole thing down. Needless to say, a couple days at least were wasted in this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • sub7 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Just switch to Windows and WSL. For most cases, it works just great/not noticeably slower.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              There's a lot of bullshit on Windows too but nothing near OSX levels of wannabe big brother shit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Can't think of a better long term short right now in the market than Apple (and sister cult Tesla but the electric story is at least in the early days so they may do ok)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • kasabali 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Windows has SmartScreen and MAPS (which was previously called "SpyNet") turned on by default, on top of telemetry level that goes to eleven and cannot be turned off in consumer editions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                They're not implemented in a braindead way that's being discussed here but they're at the same level big brotherness-wise, if not worse.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • trollied 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                The only time I’ve seen similar delays is when my mac decides it needs to do something on an external disk that needs to spin up. I have a 12Tb external that can take 10 seconds to spin up, so get a 10 second stall waiting for I/O once in a while.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I do wonder if the author has something similar going on, either with a directly attached disk or a network share.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • trashburger 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Did the site get hit by the Slashdot effect? Can't access it.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • sigjuice 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I intend to stay on Mojave for as long as possible, but I am curious to try out Catalina. I believe it is easy enough to install Catalina on an external SSD. My concern is whether this would be safe enough and if my computer would remain unmodified (e.g. could there be changes to firmware settings or firmware updates?)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • blinkingled 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Apple has an opportunity here - to fix all these issues in the first release of ARM macOS and disable some more functions that "don't really work well" or are "insecure" - all of a sudden ARM Mac will be so much better there will be many blog posts and videos about it smugly proclaiming how Intel could not keep up!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • john_alan 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I can see the delay when I remove my terminal from the DevTools permission in Security preferences.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        So it's real.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        However, scripts are NOT notarised, so what is it doing?


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        So after digging the scripts are being "checked" for malware, as part of XProtect.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This is interesting, it seems to be hashing scripts and testing to see if its known malware.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Anyway, easy to disable, but weird stuff.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • crazygringo 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Sorry but it's just not happening for me, on macOS 10.15.3, on my late 2016 MBP. (And I've certainly never done anything like disable SIP.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I run the commands and get:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /tmp/  0.00s user 0.00s system 8% cpu 0.045 total
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /tmp/  0.00s user 0.00s system 75% cpu 0.005 total
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If I'm reading this correctly, the first run takes less than a twentieth of a second, and the second a two-hundredth? I've never experienced anything like "have the entire machine freeze for 1-2 seconds every 10th minute". And I have the slowest internet package I can buy.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The only delay that's ever noticeable is when running a program I've installed for the first time, which yes usually seems to take a few seconds, before often telling me the application couldn't be verified or something, do I want to run it anyways. Which makes sense if you're running a checksum on a 400 MB application binary. But after that first time, starting an app is always instant.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Can anyone else elucidate what the author is talking about? They're presenting it as a universal, but maybe there's something else going on with their machine? Clearly something's wrong on their end, but possibly it's just some kind of bug. I'd avoid jumping to conclusions that executables taking a second to launch is "by design".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          EDIT: switching from zsh to sh gives more granular results:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            real 0m0.009s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            user 0m0.002s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            sys 0m0.003s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            real 0m0.005s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            user 0m0.001s
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            sys 0m0.003s
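The disagreement between john_alan and crazygringo above comes down to measurement: a shell `time` of one file run twice cannot tell whether a slow first run is about the file's new contents, its new path, or just disk cache. The script below is an added example written for this page (not code from the article or from any commenter). It is in Python rather than shell only to get portable sub-millisecond wall-clock timing with nothing beyond the standard library. It generates a script whose bytes and filename are both unique, execs it directly (not via `sh script`, which would change what the kernel sees), runs it a second time warm, and then execs an identical copy at a second new path. On a system with no per-executable check all three numbers should be a few milliseconds; a first-exec check shows up as `fresh` being far slower than `repeat`, and a `copy` that is also slow means the path is part of what is being checked, which is the "fresh filename too" condition usmannk described. Path prefix `exec-latency-` and the `hello <token>` body are my choices, not anything from the thread.

```python
import os
import random
import shutil
import stat
import subprocess
import tempfile
import time


def _write_script(path, token):
    """Write a tiny shell script whose bytes depend on `token` and make it executable."""
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho hello %s\n" % token)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def _timed_run(path):
    """Exec `path` directly (so the kernel sees a new executable) and time it.

    Returns (wall-clock seconds, stripped stdout).
    """
    start = time.perf_counter()
    proc = subprocess.run([path], capture_output=True, text=True, check=True)
    return time.perf_counter() - start, proc.stdout.strip()


def measure_first_exec_penalty(workdir=None):
    """Time three execs that differ only in what is new to the system.

    fresh   new bytes at a new path, first ever exec
    repeat  the same file again, immediately (warm)
    copy    identical bytes written to a second new path

    Returns a dict of wall-clock seconds for each case, plus the stdout and
    random token of the fresh run so the caller can confirm the script ran.
    """
    created = workdir is None
    workdir = workdir or tempfile.mkdtemp(prefix="exec-latency-")
    token = "%08x" % random.getrandbits(32)  # makes both content and name unique
    try:
        fresh_path = os.path.join(workdir, "fresh-%s" % token)
        _write_script(fresh_path, token)
        fresh, out = _timed_run(fresh_path)
        repeat, _ = _timed_run(fresh_path)

        copy_path = os.path.join(workdir, "copy-%s" % token)
        _write_script(copy_path, token)  # same bytes as fresh_path, new path
        copy, _ = _timed_run(copy_path)
    finally:
        if created:
            shutil.rmtree(workdir, ignore_errors=True)
    return {"fresh": fresh, "repeat": repeat, "copy": copy,
            "output": out, "token": token}


def penalty_ratio(result):
    """How many times slower the first exec was than the warm repeat."""
    return result["fresh"] / max(result["repeat"], 1e-9)


if __name__ == "__main__":
    r = measure_first_exec_penalty()
    for case in ("fresh", "repeat", "copy"):
        print("%-7s %.3fs" % (case, r[case]))
    print("first-exec penalty: %.1fx" % penalty_ratio(r))
```

Run it a few times in a row; each run creates brand-new files, so every invocation is a cold case. As varenc notes above, adding artificial network latency (Xcode's Network Link Conditioner) makes any network-backed check stand out, because only `fresh` (and possibly `copy`) will stretch while `repeat` stays flat.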
                • vortico 10 days ago

                  I used to use Mac pretty heavily for design and audio work, but around 10.14, because of Apple switching the way they do things, I've now entirely switched to Windows for that, and Linux for everything else. I just don't want to deal with the nonsense described in this post, among several other things.

                  • anderspitman 10 days ago

                    "Modern" OSX, iOS, and Android are so secure and safe they even protect you from using your computer.

                    • apatheticonion 10 days ago

                      Just wanted to drop this here, but WSL & WSL2 make a compelling case to move to Windows.

                      • kup0 10 days ago

                        10.15.1 and then 10.15.4 both introduced random kernel panics on my iMac. The only way to solve it was to reinstall macOS on top of itself (via Recovery, kept files/apps intact).

                        Still no idea what or why the panics would happen, or why the reinstall solved it.

                        Catalina has been a very bumpy road for me so far.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • mattbillenstein 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Man, I think I was having this issue earlier in the year and thought it was some funkyness with the firewall or application -- custom golang apps.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Who at apple thought it was a good idea to hop on the internet when invoking an application without any warning? This is loony.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • mshockwave 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I don't think they do the notarization for shell scripts and program you build from source. I've been doing large scale software development on my Catalina for quite some time and I observed zero performance degradation compared to previous OS X version.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • e40 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I really hope the mess that is Catalina is fixed in the next round, or I might be on Mojave until I can switch to another OS. I've been on macOS for a long time, and I really like it. I'm productive on it. But Catalina... no, I won't touch that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • s800 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Anyone of packet captures of this behavior? I'm still on 10.14, or I would check it myself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • commandlinefan 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I can't upgrade IntelliJ any more, because it's trying to write to privileged file locations that I (the owner of the computer) no longer have access to. Believe me, I've tried to work around this, macOS has it locked down completely.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • stephenr 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ... Can you elaborate? I use IntelliJ on a daily basis on Catalina, and I have zero issues updating it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dfabulich 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                The latest IntelliJ 2020.1.1 works out of the box on macOS 10.15.4, without disabling System Integrity Protection (SIP).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Whatever problem you're having, it's a problem specific to your machine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • tebruno99 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I use and upgrade IntelliJ fine. Install Jetbrains Toolbox and everything is installed in your home dir. What kind of locations are you having troubles with?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • ehutch79 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Why do you need access to the areas protected by SIP?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • mschuster91 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      You can disable SIP in recovery mode.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • sj4nz 6 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Did anyone try the setting the terminal to "Developer Tools" permissions and find that things go worse?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • discourses 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I have this kind of issues on Mojave. I blamed the firewall. With ethernet disconnected, everything runs smoothly. Connected: random freezes of 1-2 secs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Why does it need the internet all the time?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dre-hh 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Upgraded only in Spring. Waited long enough. Never have been I saw wrong. Now when I want to reboot my computer I just try to pair my Bluetooth headphones - instant hard reboot

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • saagarjha 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Does this literally panic your machine?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • msie 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Lack of upgradability of MacBook Pros, numerous bugs in Catalina (ImageCapture Im looking at you), T2 chip and secure boot issues. It all adds up...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • markdog12 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Can we get a MacOS @BruceDawson0xB up in here?


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • soapdog 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If microsoft was doing this there'd be a riot but since it is Apple but will rationalize this bad behaviour and say it is for the best.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • gitgud 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Why would they send off binary hashes synchronously before execution of the program?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Are they checking if the app is dangerous? Are they logging all my activity?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • bad_user 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I like the fine grained permissions on Catalina, but along with dropping support for 32 bits binaries, this is getting ridiculous.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • fulldecent2 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NSA had a "hardening macOS" guide on GitHub that I can't find.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I wonder if that defeats the phone home that this article is highlighting.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • AlexanderDhoore 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I noticed recently that the first `git` command I run takes longer. This is insane. What's the status of Debian on MacBook?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ben-schaaf 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Last I heard you can't even access the SSD on newer MacBooks. If you want a good experience with running Linux on a laptop, don't use a Mac.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • stephc_int13 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Wow, this is incredible and clearly a huge step in the wrong direction.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I clearly won't switch to their system anytime soon...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • MintelIE 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            When will computer and OS companies start telling us exactly what data they’re taking and who they give it to? I was an Apple user from 2002 until last year. I just can’t be spied on and telemetized any more. It’s not beneficial to me and I can see all kinds of downsides. Especially since big tech has it in for anybody politically to the right of Bernie.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • mickotron 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              My 2011 era MacBook Pro has run Linux most of its life. It runs super fast compared to its performance under MacOS even a year into its existence.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I've heard people ask me "why bother with Linux when MacOS is Unix?". Well technically it is from its heritage, but it gets less unixy by the day.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • LeoNatan25 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Disabling SIP and AMFI kills all the process startup delay and limitations.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • seemslegit 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The slowness seems like the smallest concern here.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • bfrog 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I feel like this is one of those times, a wut moment.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • dwighttk 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      How many new applications are you people running?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • zapf 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        One more reason to stay away from corporate OSes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • RyanShook 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          So should we disable SIP on our Macs?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • rmrfrmrf 9 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            By this logic, HTTPS is "slow by design" and a nefarious plot by Big Certificate to siphon money away from tech companies.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • zelly 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Linux is waiting for you.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • waynesonfire 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Now I understand the importance of niche OSes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Craighead 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  People, please check how hot your devices are.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • znpy 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Congrats on realizing that your MacBook Pro 16" is a $4000 Facebook machine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • 3combinatorHN 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Beyond me how people are still paying for Mac and Windows botnets; just switch to Linux, everything just works.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • 3combinatorHN 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Beyond me how people (and especially "power users") are still paying for Mac or Windows botnets; just switch to Linux, everything works.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • shmerl 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Switch to Linux and forget about it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • andarleen 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I switched to a sleek AMD-based setup and Ubuntu, 64 gigs of RAM, tons of NVMe storage, and for a decent price. Sad to see macOS go out of my daily toolkit, but fortunately I no longer have to deal with this kind of crap. I still use a Mac occasionally, but day by day it becomes less relevant.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • beders 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            You should know by now:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Apple is the Father, Apple is the Mother.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            After Apple has re-invented or re-written the MSFT playbook of the 90s, nothing surprises me anymore.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Yet I cling to these machines that take away the freedom to do with my hardware as I please. It's odd.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • inimino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The UX is good. Freedom has always been a little more subtle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • bluedino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              In many unrelated ways, Mac OS X has just always been slow.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The first computers I ran OS X on were a Pismo Powerbook and one of the first iMacs. Both with upgraded hard drives and maxed out RAM. They were almost unusable, and we'd put classic OS back on them, a new release of OS X would come out, and repeat.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I later got a chance to use a shiny new G5. I couldn't believe how slow it felt. Same goes for the PowerBook G4. The first Intel MacBook Pro didn't feel any faster.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Somewhere around the i5, Mac OS started to feel 'okay'. But I'd always still feel blown away at how fast a similar machine felt running Windows or Linux.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              But I've stuck with it ever since 2010. I remember talking about my 16", saying "It's really fast...for a Mac."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • api 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                All of these complaints are about security features.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Yes these features could be better implemented, but I'm happy they're there. It's very important to be able to opt out of them, but I like that they're the default.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Notarization needs a cleanup pass and the rest of it seems like it needs an optimization pass.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                P.S. The rationale for notarization is to not distribute and thus advertise the filters and detection mechanisms Apple uses to detect malware. If these things were distributed then malware authors could analyze and evade them. Security through obscurity does make a certain amount of sense here as the Church-Turing thesis means there are an infinite number of ways to implement any given thing including malware and there is no single filter or analytical step that can detect all possible malware permutations.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • inimino 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Being able to run arbitrary software on the hardware Apple has graciously lent me is an annoying level of power that I'm not fully comfortable with either. I'm liable to shoot my foot off if Apple the all-seeing doesn't save me from myself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • philwelch 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The OS phoning home for every executable I want to run on my machine is a “security feature” the same way a key logger is.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • JadeNB 10 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > the Church-Turing thesis means there are an infinite number of ways to implement any given thing

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      That's true (or else there are 0 ways), but it's not what the Church–Turing thesis says.