←back to thread

Catalina is checking notarization of unsigned executables

(lapcatsoftware.com)
361 points robenkleene | 2 comments | 23 May 20 09:42 UTC | HN request time: 0s | source
Show context
londons_explore ◴[23 May 20 14:03 UTC] No.23283004[source]
So you're telling me that every time I install a program in OSX, it pings apple to let them know what program I'm installing, my IP address, my location, and my OS version?

Sounds very Orwellian for a privacy focussed company...

replies(3): >>23283075 #>>23283270 #>>23283783 #
daneel_w ◴[23 May 20 14:36 UTC] No.23283270[source]
No, that's not what he's telling you. You're getting ahead of yourself with your question. He's telling us that macOS will consult with Apple regarding the "fingerprint" of an executable when you run it.
replies(1): >>23283313 #
londons_explore ◴[23 May 20 14:41 UTC] No.23283313[source]
But the fingerprint of photoshop is the same for everyone. If apple knows what the fingerprint of photoshop is (which they could easily find out), now they have a giant list of who installed photoshop and when, and from which IP address, and which IP location.

That data would be a wet dream for some IP lawyer looking for pirate copies of software...

replies(3): >>23283510 #>>23283999 #>>23288033 #
daneel_w ◴[23 May 20 15:05 UTC] No.23283510[source]
I understand the privacy concern. We don't know if they store/log anything from the request, or even what it contains in itself besides the "fingerprint". I'm personally certain that Apple is not in cahoots with Big Software to put a squeeze on users in exchange for small money. It's not their business, and it's not something they are required by law to make their business.
replies(1): >>23283585 #
ctrlcctrlv ◴[23 May 20 15:14 UTC] No.23283585[source]
> I'm personally certain that Apple is not in cahoots with Big Software to put a squeeze on users in exchange for small money

Well, this is the problem people have I think - that it comes down good intentions on Apple's part, no matter how trustworthy they are deemed to be.

replies(1): >>23284105 #
1. Operyl ◴[23 May 20 16:13 UTC] No.23284105[source]
With this logic you might as well not try at all. You have to trust Intel, your bios/UEFI, Apple/Microsoft, all the various builds of software closed and open source alike .. at some point you need to trust someone.
replies(1): >>23284147 #
2. throwaway2048 ◴[23 May 20 16:17 UTC] No.23284147[source]
how is that a justification to heap on more "required" trust into a system?

Feels like somebody could flesh out this argument in terms of accidental vs necessary complexity, but in terms of how much you need to trust the other party.

Few would accept the argument "This code is already very complex, why do you have a problem with doubling the complexity?" on its own merits, so why is it sensible in terms of trust?