by gamache 3948 days ago
As required by the Mac App Store, Haskell for Mac is sandboxed. Consequently, Haskell code executed in a Haskell for Mac playground cannot access any data except for Haskell for Mac documents, the app container, and those system files white-listed by the operating system. Any attempt to access other files or to initiate a network connection will be rejected by the operating system.

This seems unnecessarily crippling. Is this really required of desktop App Store apps?


Yes, it’s required. Only some apps are exempt from sandboxing because they existed before sandboxing was introduced. You can also reach out of the sandbox through some user actions, for example opening a file using the system file picker gives you permissions to access this file. Yes, it’s a big constraint. For some apps it’s a show-stopper. As user I mostly welcome it because of the additional protection it gets me.
Apart from that it doesn't get you any additional protection whatsoever. With all the root OS X exploits floating around that bust you out of the sandbox as well as giving you full system access, as someone that has several utilities on the Mac App Store, it would be trivial to put an app there that gets set off by a timer, exploits root, and wreaks havoc.

Source: https://www.google.com/search?q=os+x+root+exploit&gws_rd=ssl

This is a totally unproductive (if all too common) attitude toward security. "If it doesn't solve every problem, it's useless."

This protects against a whole host of issues. It safeguards against garden-variety incompetence[1]. It provides some defense against the large number of badly-intentioned people who can write an Objective-C app, but don't have the expertise necessary to weaponize a typical root escalation exploit. It prevents apps from accessing your contacts, reading your emails, determining your location, and accessing the webcam and mic without your knowledge, amongst other things.

Does it protect against a motivated, highly technical attacker? No, not really. But that hardly makes it useless.

[1]: http://www.macobserver.com/news/98/december/981229/bungierec...

Not to mention that exploit will be fixed soon.
>It safeguards against garden-variety incompetence[1]. It provides some defense against the large number of badly-intentioned people who can write an Objective-C app

The exploits tend to be trivial, often trivial enough to fit into a single tweet. (https://twitter.com/i0n1c/status/623727538234368000) They require no competence to use.

As for protecting against incompetence and mistakes, that is far too extreme a measure solely to protect against that. Some decent QA will fix that.

So what is the point, really, of sandboxing if it does not thwart highly technical attackers? It severely limits the functioning of apps, makes it far more difficult for app developers (myself included), and for what benefit that could be worth the trade off?

https://www.google.com/search?q=developers+leaving+%22mac+ap...

> So what is the point, really, of sandboxing if it does not thwart highly technical attackers?

It thwarts the attackers who aren't highly technical, and frustrating the script kiddies could have flow-on effects when beginner attackers don't get the reinforcement to motivate themselves to refine and build their skills.

Secondly, exploits can be patched over time. Ten years from now, is OS X going to be better off for having the sandbox? Do you expect a lot of trivial exploits to be discovered after another century of person-hours are invested in the sandbox?

I mean I can easily install an app to try it out, then uninstall and be reasonably sure it’s completely gone, without changing the rest of the system by incompetence or ignorance. That’s still pretty good. If the developer wants to harm you intentionally, that’s tough game on any system.
Your logic holds true for things like filesystem permissions and even separate user accounts. Since a privilege escalation exploit could give you root access, might as well do away with limited users and run everything as root to begin with, right?

And yet we do those things anyway. The idea is defense in depth, such that if one mechanism fails then hopefully another will mitigate the damage. Sandboxing isn't perfect, but it's another layer of security and I'd rather have it than not.

Which is completely pointless. If a hacker wants to hack your system, the very last thing they want to do is destroy your OS. Who cares about the OS, it's just one re-install away and you got it back. If a hacker were to hack into your system they would want your data, your passwords, your bank account details etc. Or they would want to use your system to do illegal things that look like you did it.

It's in the best interest of the hacker that broke into your system that your system continues to work flawlessly for both you and the hacker. This is why Mac OS X "rootless" is just yet another obstacle for the power user, yet another obstacle when compiling and installing POSIX code from source, and yet another step closer to locking down OS X to be an appliance like iOS.

The point of rootless (SIP) is to prevent malware from being able to embed itself into the system such that it's difficult or impossible to remove. And it's also a completely different technology than sandboxing.
Which in and of itself is pretty much an impossible goal, and in the meantime, it destroys a litany of use-cases that make computers useful to people.
The point of rootless is that doing privilege escalation attacks will be much more difficult.
Except you have to get through Apple's code review, and then once you activate, Apple can push a button and wipe out all the installs with a single button push.

Yeah, cracking is asymmetric warfare that we have no hope of winning, I think anyone with any knowledge of computers realizes that is true. It doesn't mean we should smugly shoot down anything that makes it incrementally harder.

That is nothing that cannot be trivially obviated with a date check before doing bad stuff.
That seems to be orthogonal to the sandbox, which is the measure under criticism here.
No side effects!
This is way more funny than it has any right to be, bravo!
The other option was "there's a monad for that".
I love sandboxing.

It is also the way to go on Android, iOS, Windows 10 onwards. And was on Symbian as well.

If an application gets p0wned, it won't be able to access more than what is strictly necessary to perform its duty, instead of free rein over my $HOME.

Quite honestly, this is the main attraction of the app store. That and trivial installs, though that's a tiny constant convenience.
I don't understand why they're only releasing this through the App Store in the first place.

- Giving 30% to Apple is no small thing

- You lose the ability to maintain a direct relationship with your customers, provide upgrade pricing, etc

- Any updates are gated behind a delay-and-frustration-prone release process.

- There are plenty of services that will handle billing for 5% or less, compared to Apple's 30%. However, in the post-Stripe universe, implementing a webstore yourself is actually super easy.

There are many advantages and disadvantages to distributing through the App Store. It definitely makes launching a new product easier.

We have started to investigate other distribution channels. However, adding that option will take some work (= time).

Is the company located in the US? Or in a Stripe-supported country?

If not, there's your answer.

There are plenty of long-standing options other than Stripe if you don't go the "run the store yourself" route.
Swift Playgrounds are sandboxed in about the exact same way. And for pretty obvious reasons, I'd think. (Or have people already forgotten about when Playground files would immediately destroy your home directory as soon as you typed in the code?)
It sounds like this app needs a monad for interacting with the host file system and network.
Wait, this is a desktop app?

Wow... based on the sandboxing thing I had assumed it was an iOS app for learning Haskell on your iPad or something.

How? The title clearly states Haskell for Mac. The site's host is even http://haskellformac.com, and there's no mention of iOS on the home page.
Because of the sandboxing and no networking limitations.

I own a Mac but I didn't even know what "Mac App Store" was. Why does such a thing exist? The concept of a centralized app store for desktop apps is absurd.

MAS apps are banned from accessing the Internet?!
NO
Exhibit A for how questionable this Sandboxing is when it comes to things like programming languages. And exhibit A for how Mac is becoming a household appliance instead of a general-purpose computer that YOU own and do with what YOU want. If you want to own your Mac you need to stay away from the AppStore at the very least, and ideally build all your shit yourself.
I'd bet that fewer than 5% of Apple customers want a general-purpose computer, and it hasn't deviated much from that over time. Apple has always locked down their hardware and software relative to their competitors. The "it just works" philosophy isn't free, and if it seems like it's getting more locked down, it might have something to do with Apple trying to maintain its profits in the face of increasing competition.

The "household-appliance" moniker is a red herring though. Just because they supply an App Store doesn't mean you have to use it, and it doesn't mean you can't do amazing things with it. Are we really comparing something that can help educate, research, run a business, entertain, etc. with a dishwasher or TV?

As I sit here in my building with 400 others sitting around me writing code on Macbook Pros, knowing that in this industrial park alone there are other startups with hundreds of employees doing the same thing (and this is in Utah, not San Francisco), I'd venture to say that 5% may be extremely off base. I'd say, you take every coffee-shop college student and match them against thousands who are writing code as we speak.
So "people writing code" == "people who want a general purpose Mac"? And I didn't say Apple customers who buy/own Macs. Keep in mind that a lot of people get an iPhone or iPad first, then want to be more productive with a keyboard and larger screen, or just want to keep buying App Store-enabled Apple devices in general. These are not professional coders and are the overwhelming demographic that Apple is selling to.

Do you think they don't know who their customers are?

As opposed to a sandboxed device? Yes. Someone who wants the freedom to write code, install VMs, test browsers, compile C, you name it, no, they do _not_ want a little sandboxed device. The college student at Starbucks typing a term paper? Sure.
You can do all of those things with OSX. This whole discussion doesn't make sense because you can do pretty much whatever you want outside of the app store ecosystem.
"I'd bet that fewer than 5% of Apple customers want a general-purpose computer"

I'd bet that fewer than 5% of any computer company's customers want a general purpose computer.

It's not required to install apps through the MAS.
Yet.

First it was a setting in the preference panel, preventing you from installing non-MAS apps without disabling it.

Next it's the upcoming rootless OS X, System Integrity Protection: it's only a matter of time until the ability to install non-MAS apps is completely removed, buried, or hidden in Recovery mode (as the SIP setting is).

I suspect this will happen within the next one or two major versions of OS X.

Yet.

And we have heard this for how long already? Doing so would basically be suicide for the Mac. First of all because a sizeable chunk of users are technical users. Secondly, a lot of software is not available in the Mac App store and likely will never be (I think Microsoft and Adobe would rather abandon OS X than giving 30% for each cloud subscription to Apple and being at the mercy of the MAS gatekeepers).

As to your question of “how long already”, I found a blog post (not mine) from 2000 A.D. that considers “The Future of Apple's Curated Computing”:

http://widgetsandshit.com/teddziuba/2010/05/the-future-of-ap...

Every single release, Apple tightens the restrictions and grandfathers in the existing things people use.

It's not "yet" -- it's now, with each release, and getting worse each time.

No, it isn't. Not even close.
> First it was a setting in the preference panel, preventing you from installing non-MAS apps without disabling it.

Pretty sure the default is MAS + Signed Apps. This setting also doesn't actually stop you from installing a non-signed app. You just have to right click and select open to bypass the warning.

I actually keep this enabled so I know if an app isn't signed. So installing non-signed apps is a conscious decision.

> You just have to right click and select open to bypass the warning.

I think that you also need an admin password, which can be an issue for users who don't control their machines. (My work distributes Macs with users configured to be admins, but on Windows machines only allows standard users, so I assume that it's only a matter of time until they change policies and this bites me.)

I'm a little surprised by the downvote; I may have made a mistake, or it may be something peculiar about my configuration, but, when I try to run an application, even if I control-click to bypass the policy, I still have to enter my administrative password. Is this not the way it usually behaves? (As I say, it's a work computer, so perhaps they have some unusual security policy in place.)
And every single version, including minor version upgrades, this setting goes back to "MAS and identified developers," despite me explicitly setting to "Anywhere." If that isn't obnoxiously bad UI design (that I'm sure some idiot will defend), I don't know what is. I love the hardware, but the software is slowly turning to shit because of bugs (especially core bugs like not supporting many Bluetooth or RF mice/trackballs) and "features" like this. No two ways about it.
Did you remember that when you set it to "Anywhere" it gave you a little warning that if you didn't use the anywhere option for 30 days it would revert to "MAS and identified developers"?
Your installation would appear to be anomalous, as such reversion of that (or indeed, any) preference isn't the norm.
It wasn't the norm in the past, but that has changed. For those whose memory goes back to the pre-X MacOS, there has been a decline in “respecting your user's decisions” and an increase in inconsistencies. Progress in some areas has definitely cost quality in others.
Nope. Tested it on three different systems and it happens every single upgrade.
And if this happens then I won't upgrade or I will stop buying Macs.

Until then I find them to be the best laptops on the market.

This setting in Preference Panel is opt-in, not opt-out. Default behaviour does not reject non-MAS apps. Most likely a security setting for companies or restricted environments.

The rest is pure speculation.

Which part was speculation?

The SIP setting is most certainly "opt-out." Have you demoed El Capitan?

The Preferences -> Security -> Allow non-MAS/non-signed apps setting is most certainly "opt-out" on any machine you buy from Apple or at the store.

Prefacing something with "I suspect" generally allows one to speculate.

The trend is that you're gradually losing control of your machine.

I see the same tendency and I don't like it at all. It seems only a question of time until you will have to decide whether you want a computer or a Mac.
I suspect you're crazy pants.
No, it really isn't. There's no reason why this app couldn't be distributed outside of the App Store, in which case YOU can still do what YOU want.