by chrisfinazzo 2536 days ago
Not to put too fine a point on it, but those examples don't pass muster.

- If you're not using .NET, the CLR doesn't affect you, and although Microsoft has done well with .NET, I wouldn't necessarily expect Apple to make Redmond's job easier.

- Java is in much the same boat, and is perhaps in even worse shape as it used to be included by default in macOS releases but now isn't.

Read: security nightmare.

- From 10.16 on, scripting languages also aren't included by default. This seems less adversarial than the situation with Java, but for things like Homebrew, it's a stumbling block they will need to overcome.

https://discourse.brew.sh/t/mac-os-deprecating-system-script...


Apple introduced the Mac App Store over a decade ago. Since then, conspiracy theorists have been predicting that Apple will force all apps to be signed.

Are you predicting that Apple will disallow all scripting language runtimes and all VM based development environments? So if these same predictions have been wrong for over a decade - and still aren’t happening with 10.13, exactly when will this happen?

As far as Apple not including (outdated) versions of various scripting languages or Java - neither does Microsoft. That hasn’t been a major impediment to adoption.

Sigh, you're just not getting it, sorry to say.

I have NO TROUBLE imagining that Apple will continue to tighten the screws on this, enforcing signing through Developer TOS and requiring MAS apps to pay for distribution certs.

Direct download isn't going away, not after all the work that's gone into securing it, but if you think you can sell an app off your own site without giving Apple some identifiable info about who you are and what your code does, prepare to be disappointed.

Runtimes won't be disallowed, just that you (the user) are responsible for installing them and keeping things updated.

Oh, and for the record, my reference to "Perry the Cynic" is no accident... he literally invented how code signing works.

https://weblog.rogueamoeba.com/2008/03/07/code-signing-and-y...

https://red-sweater.com/blog/514/development-phase-code-sign...

http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=H...

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=H...

So you realize you’re kind of arguing against your point? He made a prediction that still hasn’t come true over a decade later.

And citing the patent office isn’t helping either. Every company patents everything they can.

> Direct download isn't going away, not after all the work that's gone into securing it, but if you think you can sell an app off your own site without giving Apple some identifiable info about who you are and what your code does, prepare to be disappointed.

Well today you can. As you have been able to do since the info-Mac archives since before the World Wide Web existed. So unless you can bring back some proof from either your time machine or visiting some other world in the multiverse, I would rather talk about facts as they exist today.

And code signing still won’t stop you from being able to run code that runs on top of a VM or scripting languages without them being signed and you won’t have to do the ctrl-click bypass.

Why is it wrong for Apple not to bundle extra runtimes (scripting/JVM) software that increases the attack surface? Should they also start back bundling Flash?

> Well today you can. As you have been able to do since the info-Mac archives since before the World Wide Web existed. So unless you can bring back some proof from either your time machine or visiting some other world in the multiverse, I would rather talk about facts as they exist today.

Watch WWDC 2019 Session 701, you'll learn something.

https://developer.apple.com/videos/play/wwdc2019/701/

> And code signing still won’t stop you from being able to run code that runs on top of a VM or scripting languages without them being signed and you won’t have to do the ctrl-click bypass.

Is it easy to do this? No, in many cases I'd expect it to be a serious P.I.T.A, but it's unquestionably the right move going forward.

https://mjtsai.com/blog/2019/06/17/notarizing-command-line-t...

That has nothing to do with distributing the programs that run on top of VMs/runtimes. The operating system only sees the JVM/CLR as an executable. Even if that has to be signed, there is no way of enforcing the programs that run on top of them to be signed.