by STRiDEX 851 days ago
Really interesting mix of npm packages, gulpfiles, jshint, both underscore and lodash, backbone.js, some stuff I've never really heard of like nedb, which is probably because it's more specific to electron. It actually uses node-webkit NW.js instead of electron.

It's an interesting mix of new and old things as a project that likely has changed hands many times. Like dayjs is pretty new.


It's also some real shady shit, requiring macOS users to use an unsigned installer package.

There's no reason it should require an installer package when it can be distributed as a self-contained app.

I'm not giving authorization to an unsigned installer file made by some anonymous Russians.

It would be interesting if GitHub here could put a green check next to the release files certifying they were entirely built from the sources in the repository that link to a corresponding ref/tag SHA. "No external files involved in the build". Obviously this would only be possible if the release files were built by GH Actions and the environment was a special one, absolutely sealed from the open internet, that GH would certify, filter and curate.

Still, this would not prevent some shady file in the repo or a build hack from going unnoticed, but maybe it could become a starting point for delivering safer binary distributions from open source projects.

You’re only looking at the top 12 download links. There’s a link that says “Show all 22 assets”.

Click on that to find a link to download “Popcorn-Time-0.5.0-osx64.zip”, which contains a self-contained [.app] folder.

I don’t know what I’m doing wrong but I can’t get it to run. I get an error message reading “Popcorn-Time” is damaged and can’t be opened. You should move it to the Bin. I can’t diagnose anything sensible from the Console. What am I doing wrong?
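An added diagnostic script (not from the thread or the project) for the situation in the comment above: what Gatekeeper actually sees on a downloaded .app bundle. It reads the com.apple.quarantine extended attribute that browsers and Archive Utility stamp on downloads, then runs the bundle through codesign and spctl, which print the concrete reason for a rejection instead of the generic "damaged" dialog. The xattr/codesign/spctl commands are macOS-only; the quarantine value parser is plain shell and the sample value it is checked against below is constructed. The bundle path argument and the hypothetical helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Popcorn Time.
# Usage: inspect_app /path/to/Popcorn-Time.app   (path is an assumption)

# The quarantine attribute value has the form
#   "flags;hex-epoch-seconds;downloading-agent;uuid"
# parse_quarantine prints "flags epoch-seconds agent" so the download time
# and the app that set the flag are readable at a glance.
parse_quarantine() {
    q="$1"
    flags=${q%%;*};   rest=${q#*;}
    hextime=${rest%%;*}; rest=${rest#*;}
    agent=${rest%%;*}
    printf '%s %d %s\n' "$flags" "$((0x$hextime))" "$agent"
}

# inspect_app reports whether a bundle is quarantined (Gatekeeper only
# assesses quarantined items on launch), then shows what the signature
# and Gatekeeper policy checks say about it. Returns 1 if the path is not
# a bundle directory.
inspect_app() {
    app="$1"
    if ! [ -d "$app" ]; then
        echo "not a bundle directory: $app" >&2
        return 1
    fi
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        echo "quarantined: $(parse_quarantine "$q")"
    else
        echo "not quarantined: Gatekeeper will not assess it on launch"
    fi
    # --strict rejects bundles with files the seal does not cover; --deep
    # walks nested code such as the NW.js helper executables.
    codesign --verify --deep --strict --verbose=2 "$app" 2>&1 \
        || echo "signature check failed (see codesign output above)"
    # spctl applies the same policy Gatekeeper applies on launch and names
    # the failing rule (unsigned, unnotarized, revoked, ...).
    spctl --assess --type execute --verbose "$app" 2>&1 \
        || echo "Gatekeeper policy rejects this bundle"
    return 0
}
```

The spctl line is the one that explains a "damaged" or "can't be opened" dialog: it prints the specific policy result rather than the dialog's generic text, so you can tell an unsigned bundle from one with a broken or revoked signature.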
The "unsigned" part isn't surprising, considering Apple would never approve it. But the installer package is far from ideal. It's typically only used when a program needs to install a privileged helper service, and I don't know why Popcorn Time would need that?

Edit: It appears to be just a .app file? Unless the .pkg is bundled in there...

> The "unsigned" part isn't surprising, considering Apple would never approve it.

Apple doesn't have approval rights when you distribute Mac software outside their App Store.

Signing just requires that you have a developer certificate and pass a virus scan.

Just based on the Apple developer documentation, it appears that you're correct: https://developer.apple.com/documentation/security/notarizin...

I was actually surprised not to at least see "your app must agree to abide by some basic terms of service" on the list of requirements. It seems like a mostly automatic system.

At the same time, I would also be surprised if Apple were explicitly alerted by Hollywood lawyers of the fact that an app like Popcorn Time was endorsed in any way by them, and they didn't proceed to revoke the signature.

I kind of doubt it. Right now Microsoft is paying money to distribute it to people (Github). Code signing is not really any stamp of approval from an "app store" type agency, it's more of a self-certification thing. It's similar to TLS on the Web; Let's Encrypt issuing a certificate says "Let's Encrypt checked that the website was able to receive traffic for the named domain on the issuance date", not "Let's Encrypt wishes that it made this website itself!"
The homogeneity of a JavaScript codebase has a tenth the half-life of an "enterprise" lang/framework.

IMO this is because the JavaScript ecosystem is speedrunning the decades of lessons learned by the greater software engineering field.

Your pet theory is questionable, as the JavaScript (ecosystem) is one of the oldest that's still widely used everywhere.

The big libs have been pretty stable for the last decade though, even if the ecosystem itself feels quite messy, likely because there are so many interested parties, each having their own ideas of how it should be.

And it's also often the first language for a lot of beginners...

Users of "real programming languages" have peddled this narrative for decades.

They are so mature and everything JS is just child's play...

Eek. 1) I use JS/TS every day. 2) There are a great many people who are familiar with multiple languages, their ecosystems & culture, their history, and finally how they compare to each other.

To imply that if you are critical of JS, you must be "on the other team", is a false dichotomy.

I have been half jokingly saying they’re rewriting php.
Good, PHP is an inconsistent intractable pain. Who thought referring to functions by the string value of their name was a good idea?