[crazygringo]

It doesn't matter if you're dealing with a store run by Apple or Google (or presumably anyone else): the stories are all the same.

Presumably because to make the economics work, review and approval are done by poorly trained contractors who don't have time to do a proper job and need to meet quotas. And with anything security related, there's an inherent bias toward not giving information on the exact violations because this can be used to get around the "spirit" of the law while sticking to its "letter" (very true for spam, questionable for app stores).

Serious question: is there any better model though? In the non-virtual world, similar standards for the public good are achieved through things like FDA regulations, health inspections, building codes and permits, etc.

Since it doesn't seem like there's any kind of elegant free-market or crowd-sourced solution here, what should the standards be for regulating apps and extensions? What kind of "due process" ought there be, or appeal, or whatever? Is there going to come a point when app stores get regulated by a democratically legislated government agency?

[Svip]

But regulations, inspections, codes and permits are all government-run systems. As a result, at least in principle in a democracy, citizens (including companies) can request to learn why those systems rejected them. Otherwise they can take them to court.

Neither Apple nor Google are governments. When laws and constitutions were crafted, those framers did not comprehend a future where private companies had effective control (and even monopoly) on what might amount to critical infrastructure, and if not critical, then infrastructure nonetheless.

[crazygringo]

But that's my point. If app stores are an important enough part of our economy -- not just monetarily, but particularly with regard to privacy and cybersecurity -- then there may reach a point where we need laws around their policies.

It doesn't matter that Apple and Google aren't governments. Either app store approval could be done by a new government agency (after all, aren't doctors and lawyers regulated?), or (far more likely) the legislature could pass laws determining how Apple and Google have to run their own or face stiff penalties that actually have teeth.

So that, at the end of the day, if Apple or Google make a wrong decision and refuse to correct it, you can ultimately sue them in court and win.

[yaktubi]

This seems like more a solution to open, transparent platforms. It’s a shame that we are going backwards: you used to be able to download software from the internet, direct from publishers with no limitations. Now everything’s all stupid requiring developers to beg the “powers that be” for access to distribute their work.

[dividedbyzero]

But that isn't sustainable anymore now that everyone and their mother does all sorts of sensitive thing on the internet. App Stores may not catch any and all malware, but they'll catch some, or even a lot, and they give Google (or whoever runs one) tools to deal with what slips through. They make getting new extensions transparent and they're trustworthy.

What's missing is legislation to level the playing field; either allow alternate stores on equal terms, or abide by rules that force you to play fair in your own store, things like that. There's no going back to the 90s, it's just a whole different world now.

[yaktubi]

Yeah I agree the legislation would help—but the legislators mostly don’t know much about tech I’m guessing. And the experts they call in I’d wager are from big companies with their own interests in mind.

[crazygringo]

It's not stupid, though.

Remember how when an older relative would complain about their computer slowing down, and you had to uninstall like 15 toolbars from their Internet Explorer?

Protecting users from malware and spyware is a huge step forward. Most users can't protect themselves from it. Controlled distribution is a net good for society. The question is, how do we minimize the negatives it also brings along with it, such as seemingly arbitrary, inconsistent, and/or vague rejections?

It's not about what we would personally prefer, as smart tech people who know how to protect ourselves. It's about what's best for everyone -- the societal good.

[cft]

I strongly prefer the internet of the early 2000s than it's cable TV version of 2020s in the name of "safety".

[heavyset_go]

That was vastly preferable to the current status quo where your older relative doesn't even complain about their computer slowing down, because they've been trained by 20 years of planned obsolescence and unupgradable hardware to just buy a new one when given the slightest hint of a problem.

[crazygringo]

The two have nothing whatsoever to do with each other.

The conversation is about app stores not hardware upgrades.

Progress in one has nothing to do with progress in the other.

Why are you trying to combine them?

[sergeykish]

Alternative! Software distributions - community maintained packages.

As Arch Linux user if I found a software I like and want to help with distribution I can create package and push it to AUR [1]. This works as recipe - list of make and run dependencies, configuration, installation. Package is not safe and should be reviewed on installation.

Popular package may be pulled to official repository [2], distributed in binary form. "community" repository maintained by Trusted Users [3], "core" and "extra" by Arch Linux Developers [4]. It is evergreen - rolling release. Some distributions provide Stable releases which should be even safer.

Distributions may remove package, block version, patch to its standards. I think if opt-out addons were distributed by Debian they would be patched to opt-in.

In other words - many 3rd party distributions, by users to users, pulled - not pushed, not required to accept all packages.

[1] https://aur.archlinux.org/

[2] https://www.archlinux.org/packages/

[3] https://wiki.archlinux.org/index.php/Trusted_Users

[4] https://www.archlinux.org/people/developers/

[dfabulich]

"many 3rd party distributions, by users to users" is not how Arch works. Arch has a single official repository, AUR, that everybody uses. Becoming a Trusted User requires you to run for office under a standard voting procedure with bylaws.

[sergeykish]

I've described that in Arch part. Arch has several official repositories [0] and AUR is not one of them. I've also mentioned Debian.

"many 3rd party distributions" is many distributions - Debian, Arch, Gentoo, Fedora, Mint, etc. It is often cited as inefficient but it provides choice. And if there was only one distribution it would create too much pressure on maintainer not to sell its users.

"by users to users" is general description of distribution. I would be surprised if distribution maintainers does not use distribution they work on.

I've created my own addon and shared it [0] - just a few lines. From user to users - just because someone may find it useful.

I understand it is hard to maintain community and trust. Anyone can create distribution but real working distribution is a lot of work. But it should start somewhere. I review addons I install, I can share it.

[0] https://wiki.archlinux.org/index.php/Official_repositories

[1] https://github.com/sergeykish/hide-scrollbars

[Dayshine]

Then those users mess up dependencies, or simply forget to update the package for a few years.

Then open source maintainers get spammed with angry users because of a poor user experience they can't control.

[sergeykish]

That is general problem with Open Source - people expect product and authors provide tools.

Free as "paid by data collection and advertisement" really messed peoples mind. Walking around, thinking "I am a product, my data is valuable". Not for me. The whole story is unfortunate. But there is also Pulse Audio and systemd with toxic responses on real problems, hard not to become angry.

[ryan29]

I think an open system with easy to add 3rd party stores would be better. The official stores could focus on super high trust applications from huge brands and let the market find a solution to the bottom end. However, the current system is about maintaining outsized control rather than providing a good product to consumers.

As soon as you give up the idea of preventing people from distributing malicious software, and they're not even doing a good job of it right now, you can let competition in a curation market solve the problem for you. I'd way rather have a system where I can get recommendations from someone that's an expert in an area. Ex: Like JonnyGURU is for power supply recommendations, but for software / extensions.

If you extend that concept to the mobile app stores, a system where someone from my city could run a store for local businesses would be significantly better for users and developers than what we have now. For developers it would be amazing to go to a local business, show some local ID, and get a signing certificate. For users it would be amazing to have a local store where established businesses with ties to the community all have a vested interest in it's quality / trustworthiness. That would be at the lowest end for tiny apps. For anything bigger, someone could build a brand / reputation around curation. For example, think of something like a specialized password manager extension store.

When it comes to Google I think there are two problems that prevent them from building a better system. First, they're arrogant and think users are too stupid to control their own devices. Second, their search has devolved to be an atrocious garbage pit of paid content that's optimized for SEO. It's a cyclic dependency where Google's failure makes it difficult for users to make good choices. Google interprets that as the users being dumb and makes the system even more complicated / less effective by adding more ML and automation.

That also probably plays a role in the reluctance to open up some of the current systems. The attempts at scaling with automation and ML are such failures (everywhere) the only way to make them look half reasonable is to ensure no one else can build a competing system.

[judge2020]

> review and approval are done by poorly trained contractors

That's the "middle ground" scenario that isn't true for either side. Apple does directly hire employees to do this, so their policies and rules are often the pain point. Google doesn't hire anyone - they have the team that runs the approval systems and will review certain extensions, but it's completely automated for 99% of all cases.

The only people that probably do use contractors are Amazon for their Alexa skills and Kindle apps.

[fragmede]

Apple has contractors as second-class employees, same as the rest of the valley.

[Tiltowait--]

I notice this a lot with tech companies - secret rules. They won't tell you what the rules are because they want to keep you dancing. Nobody knows where the borders are, so that gives the company a lot of power and leeway to ban anyone they don't like or that crosses them in any way. More than once, I've seen the "Nope, sorry. TOS! Hands are tied!" when a company dares speak out and gets cancelled.

[winrid]

Imagine if you were getting your house inspected and your insurance drops you as a result of the inspection, but won't tell you why.