I suspect the non-standard JSON license was in part a strategy to encourage third-party implementations, so that the format would become a standard.
(W3C standards, for example, require "multiple independent implementations to proceed along a standardisation path". https://www.w3.org/TR/webdatabase/ )
If you want to install software on your Microsoft Windows computer, it has to be signed by a verified developer, otherwise you get an overridable warning that the developer cannot be verified, the software may contain malware etc.
If you want to install software on your macOS machine, the same thing applies. It must come from a verified developer with an Apple account, otherwise you get a warning and must jump through hoops to override. As of macOS 15.1 this is considerably more difficult to override.
If you want to install iOS apps, the apps have to be signed by a verified developer. There are no exceptions.
I just don't see a future where being able to create and publish an app anonymously is going to be supported.
Becoming a verified developer is a PITA, and can take a while or be impossible (i.e. getting a DUNS number if you're in a sanctioned country might be not at all possible), but at the same time, eliminating the ability of our devices to run any old code they download is a huge safety win.
I'm okay with overridable warnings, having to open system settings to override the verification, etc. It's a "huge safety win" for the 80% of users who don't really know what they're doing, security-wise. But not for me.
I won't be using any OS that doesn't allow me to step outside its walled garden, if I have any alternatives at all. With macOS it's quite simple - the second they won't allow apps from unverified/unsigned developers, I'm switching to Linux. On mobile, I might as well switch to iOS, since I'm not really sure what else Android offers anymore that's so compelling, other than being able to install apps directly. And then I'll just wait for a Linux phone or something.
But Apple will change those "warnings" into straight-up lies, and fail to mention the user can override them, and hide those overrides in non-discoverable places:
Whenever I try to open an unverified app, this popup comes up saying "[AppName] Not Opened" "Apple could not verify [AppName] is free of malware that may harm your Mac or compromise your privacy." Then there's only two options to either press "Done" or "Move to Trash." - https://old.reddit.com/r/mac/comments/1ekv55h/cant_right_cli...
This also implies that Apple does verify that app store apps are free from malware, when that's not the case. It only verifies that they are from a developer who paid the fee and whose apps pass Apple's automated screens.
> I just don't see a future where being able to create and publish an app anonymously is going to be supported.
This is strongly needed if surveillance laws like Chat Control are not to be trivially bypassed. This way applications that don't offer governments the required surveillance features can be banned and the developers can be sued. Not looking forward to that.
I dunno man, it doesn't feel like a "huge safety win" that my computer has to check with a singular US tech company before it will let me use any software on it.
That's only sorta how it usually works. The developer has to check with a singular US tech company before they can sign the software they've given you.
Except yeah, the way this Android stuff works is closer to that way. Instead of Google giving out a key for signing, they instead ask for one and tie a developer to a namespace, so yeah, I guess your Android phone has to check whether or not that namespace is "in the clear".
Right, Google could revoke that signature at any time and my device would refuse to install that software. The exact mechanics don't really matter, the end result is the same, my device will only install software that one company approves of and can change at any time, huge win for security right?
> eliminating the ability of our devices to run any old code they download is a huge safety win
No, this is just false. There are numerous, well-documented instances of malware making it past gatekeepers' security checks. This move is exclusively about Google asserting control over users and developers and has nothing to do with security or safety.
The only "huge safety win" comes from designing more secure execution models (capabilities, sandboxing, virtual machines) that are a property of the operating system, not manual inspection by some megacorp (or other human organization).
That's a false equivalency. I didn't say that software was safe because it's been checked. Just that at the least, one can somewhat figure out where the software came from.
Getting a DUNS number obviously doesn't make it so that you can't publish malware. It just provides a level of traceability/obstacle that slows down the process of distributing malware.
The difference is in the apparent available resources. You can't get to "professional" without the time and money, and NPM, post-acquisition, presumably has more of both. Granted, NPM probably doesn't have a revenue model to speak of, which means Microsoft is probably not paying it much attention.
The contents in question are statically generated, 1-3 KB HTML files. Hosting a single image would be the equivalent of cold serving hundreds of requests.
Putting up a scraper shield seems like it's more of a political statement than a solution to a real technical problem. It's also antithetical to open collaboration and an open internet of which Linux is a product.