waffle

Waffle is a weblog.
The author of Waffle, some guy in Sweden, also occasionally writes stmts.net.

(Waffle passed out from exhaustion in March 2012 and is now coming back online.)

A Gate With Destiny

On the one hand, I agree with Steven Frank.

But I can’t find it in me to disparage this goodwill effort that Apple has undertaken to not turn every third-party developer upside-down with regard to app distribution. To me it’s a great sign that they’re aware and at some level sympathetic to our concerns, while remaining committed to a high-security experience for users.

On the other hand, there are still some loose ends.

  • Will Developer ID require that developers identify themselves beyond a nickname, an email address and a link? Why? (Or rather, why the lucky stiff, or IceFrog?)
  • What will happen to apps that are currently signed? (For one thing, there are implications to keychain migration.)
  • Will partial signing, so as to facilitate selective fiddling-around, be permitted?
  • Can additional trusted roots and revocation lists be added?
  • What about plugin loading? Will Gatekeeper load an unsigned plugin in a signed app? What about a self-signed plugin in a Developer ID app? Or a Mac Store App?
  • What is the ultimate fate of the “run all code” option?
  • How does Gatekeeper address code that can’t currently be signed (scripts of various flavors, lone binaries)?

And furthermore, at which point will Apple even revoke a developer certificate?

  • Will Apple revoke the developer certificate of a developer like Unsanity, developing addons that use technical trickery to achieve a deeper level of customization?
  • Are apps that Apple, for App Store purposes, consider enabling illegal acts — like Bittorrent clients — acceptable?
  • Apps that include, or are tailored for, porn?
  • What about other apps that are morally ambiguous?
  • Will Apple revoke the developer certificate of a developer like Unsanity, developing addons that use technical trickery to achieve a deeper level of customization?
  • Apps that are legal in the country of intended use, but illegal in the US?
  • Apps that are legal in the US but illegal in the country of intended use?
  • Apps that are legal in the US and legal in the country of intended use, but potentially illegal in other countries?
  • Will Apple revoke a developer certificate at the request of governmental agencies?
  • Will Apple revoke a developer certificate of software that is poorly maintained, severely instable (although not harmful in any way) and seldom updated?

Don’t get me wrong; I am happy that they have listened to the community and to common sense and are willing to offer at least one lasting alternative to the Mac App Store. I also understand that they are just getting out the gates. There are still important things to sort out, and the choices Apple makes will determine the future of the Mac platform and deeply impact those who use it going forward.

Comments

  1. Actually, according to Macworld, Gatekeeper in Mountain Lion only restricts how a file can exit file quarantine. So any app not having the quarantine flag on it will run as usual.

    http://www.macworld.com/article/165408/2012/02/mountain_lion_hands_on_with_gatekeeper.html

    By Michel Fortin · 2012.02.18 00:29

  2. For more details of Gatekeeper and file quarantine, see the TidBITS article and the technical followup at securosis.com .

    By John Wenn · 2012.02.18 02:33

  3. Michel: That sounds good, but what of revocation then?

    By Jesper · 2012.02.18 10:01

  4. My guess is that revocation will make file quarantine more resilient against opening the downloaded application… something like telling you this file comes from an evil developer who has spread malware in the past and move it automatically to the trash.

    That won’t help those for which the file is already out of quarantine. But then if this is malware, it surly has already rooted itself deeper the first time you launched it so it’s too late already.

    By Michel Fortin · 2012.02.19 04:20

Sorry, the comment form is closed at this time.