Monday, 12 March 2012

offtopic : Signed binaries in the next OS X

From: Francis E Reyes
Date: 16 February 2012 15:01


It seems that Apple is building a higher walled garden for OS X in the form of signed binaries. They're not mandating every app come from the App Store but instead have a level that allows developers to 'sign' their binaries with their own developer ID (which of course costs $99USD/year). Or the user can go rogue and 'Ctrl-Click' install any application.

http://www.apple.com/macosx/mountain-lion/security.html

Personally I'll probably choose Mac App Store and identified developers. (I imagine this will be the default).




---------------------------------------------
Francis E. Reyes 

----------
From: Tim Gruene 


Dear Francis,

not sure what you are trying to say. Many people have been securing
their software e.g. with md5sums or PGP-signatures. Debian do that, and
they do it for free as far as I know. You could sign your own software
(for free) and then distribute your public key to the community, in case
you want to do something similar.

Cheers,
Tim

P.S. If anyone happens to know Annie Schott (aschott@cipf.es) could they
help her to set up her vacation notifier to send her Spanish news only
once per email address? I keep on getting her notification anytime I
send an email to this board.
--
Dr Tim Gruene

----------
From: Francis E Reyes


Hi Tim

The problem is not developers ensuring their identities by signing their apps. It's that there's now a (small) barrier for the end user in installing unsigned apps.

The implementation has yet to be seen, but will getting around this barrier simply be a pop up ("press OK if you really trust this software", the implementation most people are familiar with but largely ineffective IMHO), or will the INSTALL file include OS X specific directives to circumvent the walled garden? ("OS X users must CTRL-Click to install this application").
[FUD] OS X won't trust those keys, only the ones that come from apple [/FUD]


----------
From: Mark J van Raaij


Hi Tim,
we all get the "aschott notification" - I don't know her, but I do know about the CIPF, the Centro de Investigacion Principe Felipe in Valencia, Spain. This centre recently laid off an important number of researchers and I would guess she was one of them - so I doubt she will want anything to do with them. You can look up the CIPF administrators and send them a mail, but if they really are as incompetent as the news coverage suggests, I also doubt they will take any notice.
See: http://www.nature.com/news/2011/111101/full/news.2011.623.html
I think the only solution is to ask the CCP4bb administrators to unsubscribe the email address for her...
Mark

Mark J van Raaij


----------
From: Nat Echols


I'm sure anyone smart and adventurous enough to take on X-ray
crystallography can figure out how to do this.  More realistically,
it'll just mean that we'll see at least one question a month on ccp4bb
asking what to do when installation of <program X> doesn't immediately
work.  Labs that are members of SBGrid won't even notice the change.

I can't speak for anyone else, but I think the probability of
crystallography software developers going the App Store route is
nearly zero.

-Nat

