LWN: Comments on "The future for general-purpose computing"

The future for general-purpose computing

lysse — Thu, 17 Dec 2020 06:26:20 +0000

> the hash being sent is for the developer certificate, not the application itself. In many cases, that may amount to the same thing... but the OCSP check is not directly sending a hash that uniquely identifies the application

In isolation, that's true. But when you have a stream of such checks emanating from a single IP address, and you can already uniquely identify some of the applications, in many cases you'll be able to take a pretty good guess at many of the rest of them once you know their developers. So I'm not persuaded that Paul's concerns are as flawed as they've been painted here.

The future for general-purpose computing

brunowolff — Thu, 17 Dec 2020 03:41:00 +0000

If you want general purpose computing to continue to be available and affordable, you need to support it even if there are some extra costs involved. There are groups selling owner controlled hardware such as Raptor Computing Systems. There are also groups fighting section 1201 of the DMCA (which prevents people from cooperating to work around digital restrictions management) in the US, such as the EFF. Other countries have similar laws and may have their own local groups opposing them.

The future for general-purpose computing

cortana — Wed, 16 Dec 2020 09:49:30 +0000

Voting with my feet/wallet can't prevent Apple from capturing the SMS messaging marketplace.

With the popularity of group chats in iMessage, Apple has embraced and extended, and peer pressure from users is taking care of the extinguishment phase.

The future for general-purpose computing

jafd — Tue, 15 Dec 2020 23:00:55 +0000

Just a factual nitpick: the VPN bypass is being granted not by the signature and "entitlements" therein, but by being in the Apple's Special Software Club, which is a list of paths to binaries inside the network framework's Info.plist. Well, at least it's not like a binary from a rando on the internets can gain the same privilege. I'm unsure if this is a signature + bypass list check, or only the latter.

It's still backwards in a lot of ways. What if the network is airtight except for the tunnel made by a VPN? What if I set the routing table so that only select hosts (including Apple's infra) is available via the tunnel, and 0.0.0.0 is in the airtight network? Is it going to try bypassing the VPN, or will it use my routes? The notion of the system software poking around and trying to weasel its way out doesn't sit well with me. It is likely to be a very bug-prone and clever-by-half design. I predict that security researchers are going to be able to poke holes in it.

The future for general-purpose computing

areilly — Mon, 14 Dec 2020 21:12:34 +0000

Is being able to buy a lovely Unix workstation for PC money instead of Sun money, that can run your Unix workloads and software development tasks while also running nice-to-have commercial software really such a difficult idea to digest?

The future for general-purpose computing

mcatanzaro — Sat, 12 Dec 2020 19:58:52 +0000

It is still accurate.

The future for general-purpose computing

NYKevin — Sat, 12 Dec 2020 19:37:27 +0000

If the article predates relevant technology, then maybe people should stop relying on it as accurate.

The future for general-purpose computing

mcatanzaro — Sat, 12 Dec 2020 14:02:42 +0000

Well two points: (1) this article predates the existence of Must-Staple, (2) Must-Staple has totally failed because nobody uses it. The end....

The future for general-purpose computing

NYKevin — Sat, 12 Dec 2020 07:39:44 +0000

What frustrates me about this article is that it does not say anything useful about Must-Staple, which completely solves the problem it identifies with OCSP (provided that both the server and the browser have implemented it correctly; to my surprise, Googling "Must-Staple" turns up a number of articles and blog posts suggesting that this is often not the case).

The future for general-purpose computing

IELLC_LWN — Sat, 12 Dec 2020 02:30:28 +0000

Mozilla is in the process of deploying CRLite, which will eventually replace OCSP for most certificates: Introducing CRLite: All of the Web PKI’s revocations, compressed. Enable it today with security.pki.crlite_mode = 2.

The future for general-purpose computing

ecree — Fri, 11 Dec 2020 21:40:17 +0000

How about the invisible hand of use your head and vote with your feet: don't buy products that cost an arm and a leg and mean Apple has you by the balls.

No regulation that's ever likely to make it through the lobbyist-infested swamp of government will prevent users who want this kind of B&D hardware from buying it. The only way is to stop users from wanting it. (No, I don't know how to achieve that either.)

The future for general-purpose computing

cpitrat — Fri, 11 Dec 2020 20:32:37 +0000

Same here, how Mac became popular among some computer scientists always puzzled me.

The future for general-purpose computing

jerojasro — Fri, 11 Dec 2020 19:05:35 +0000

And, do we have enough regulation?

or are in a situation where we are wishing that Big Tech were less prone to treating customers like serfs ?

The future for general-purpose computing

smitty_one_each — Fri, 11 Dec 2020 17:21:54 +0000

You over-read me.
Capitalism is buyer/marketplace/seller.
Sellers seek to conquer marketplace and buyer.
You need "enough" regulation for keep buyer/marketplace/seller in equilibrium.

The future for general-purpose computing

dskoll — Fri, 11 Dec 2020 17:17:17 +0000

So you don't think there's any role at all for government regulation? Throw out anti-trust laws? Let corporations do whatever they want to stifle competition with no legal barriers?

The future for general-purpose computing

smitty_one_each — Fri, 11 Dec 2020 14:20:22 +0000

Government is to competition as
singular is to plural.

The future for general-purpose computing

jerojasro — Fri, 11 Dec 2020 13:32:02 +0000

If only there were some. . .invisible hand. . .that could somehow inject competition into the situation

The invisible hand of the ~~market~~ government regulation?

The future for general-purpose computing

mcatanzaro — Thu, 10 Dec 2020 18:29:04 +0000

> In some sense, the privacy implications are not all that different from those of web browsers, which also use OCSP to determine if the TLS certificates for HTTPS sites have been revoked.

Most browsers stopped doing this a decade ago when Adam Langley famously pointed out that it is pointless, see https://www.imperialviolet.org/2012/02/05/crlsets.html. I believe Firefox is the only major browser that still does this useless check.

The future for general-purpose computing

smitty_one_each — Thu, 10 Dec 2020 17:54:24 +0000

If only there were some. . .invisible hand. . .that could somehow inject competition into the situation, such that Big Tech were less prone to treating customers like serfs. Such a mechanism, to be viable, would need the ubiquity of capitalism to succeed.

The future for general-purpose computing

halla — Thu, 10 Dec 2020 11:42:43 +0000

Note that Microsoft does this at the application level: Krita is signed with the KDE developer certificate, as are dozens of other applications, but we can still see the number unique active Krita installations for any given time period. (Currently 3,500,000 / month.)

The future for general-purpose computing

smurf — Thu, 10 Dec 2020 11:15:17 +0000

… no. Entirely unlike AppArmor, Apple's stuff doesn't prevent apps from doing, well, whatever they want (or whatever a security breach has subverted them into doing; just like signing your M$ Office binary cannot block macro viruses).

In fact the opposite appears to be true: a signature with the magic pixie dust in it allows them to bypass net filters and VPNs. It's fairly easy to paint a scenario where that would be dangerous for the continued health of the user.

The future for general-purpose computing

ale2018 — Thu, 10 Dec 2020 10:41:39 +0000

Free (as in freedom) software is undoubtedly better than that. However, we have AppArmor sneaking into the kernel and causing various kinds of malfunctions, until the machine owner figures out what's going on and how to stop it.

AppArmor doesn't entail privacy-breaking network exchanges, and can be disabled rather easily. Yet, it testifies a whim of super-control, apparently directed against malware, which reaches the point to break long established contracts such as that of the execve man page. That's the same whim that arguably justifies Apple's choice, isn't it?

The future for general-purpose computing

Cyberax — Thu, 10 Dec 2020 01:08:05 +0000

> If the developer does not want to ask Apple's permission (in the form of a developer certificate), their applications cannot be installed and run at all.
This is not (yet) true. You can just create a self-signed certificate and use it to sign binaries.

For now.

The future for general-purpose computing

dskoll — Thu, 10 Dec 2020 00:24:22 +0000

Apple has been playing shenanigans like this for years. I'm always very sad when I go to an open-source/free software meeting and see lots of people lugging around Macbooks.

I'm convinced general-purpose computing has a future... but not with Apple products.