[HN Gopher] The Perils of M1 Ownership
___________________________________________________________________
The Perils of M1 Ownership
Author : ingve
Score : 206 points
Date : 2021-07-18 17:13 UTC (5 hours ago)
(HTM) web link (eclecticlight.co)
(TXT) w3m dump (eclecticlight.co)
| laurent92 wrote:
| The other peril is not being able to run a docker machine because
| it's not available for M1. Which is disappointing because, you
| know, because you can't tell customers that your software wasn't
| tested in Oracle, and we invented VMs to be able to run any VM on
| any other machine...
| zepto wrote:
| This is totally false.
|
| https://docs.docker.com/docker-for-mac/apple-silicon/
| rvz wrote:
| Had to wait _6 months_ since launch for it to be stable.
|
| That there tells me it was not production ready for M1 Macs
| at the time, which isn't good.
| zepto wrote:
| > at the time, which isn't good.
|
| At what time?
| rvz wrote:
| Since the month the M1 Macs first launched; November
| 2020.
| zepto wrote:
| I see you've edited your earlier comment so it is
| clearer.
|
| So your point was to complain about how Docker took a
| long time to update their code. I guess that's not good.
| jitl wrote:
| Docker is available for the M1 and runs both x64 and ARM images
| https://docs.docker.com/docker-for-mac/apple-silicon/
| rahen wrote:
| Docker on M1 can run x86_64 containers when aarch64 isn't
| available in the registry. I use it everyday.
| kbutler wrote:
| This was true until April 15, 2021.
| https://www.docker.com/press-release/Docker-Desktop-for-M1-p...
| rgbrenner wrote:
| It was only true for 1 month after m1 started shipping..
| because the Docker Desktop Beta was released on Dec 16, 2020:
| https://www.docker.com/blog/download-and-try-the-tech-previe...
|
| It worked pretty well.. sometimes you had to use the x86
| container instead of the arm version. And I had one container
| that hadn't been updated by the maintainer in a few years, so
| I had to update it myself so it would work. And sometimes
| qemu would crash... but those cases were all exceptions, and
| it generally worked well.
| kbutler wrote:
| I'll just say my experience in early 2021 didn't match
| that, or I wasn't willing to invest enough to get
| unsupported, pre-release software working, when I had easy
| access to x86 macs.
| rvz wrote:
| That doesn't mean anything since at the time (November
| 2020) it explicitly says it is 'not stable' for general
| use. Like you said yourself _'sometimes qemu would crash'_
| and one of the known issues in the preview and beta
| versions is that the kernel panics regularly.
|
| At the time since November 2020:
|
| > 'Docker Desktop on Apple M1 chip is still under
| development. We recommend that you do not use tech preview
| builds in production environments.'
|
| My intention is not to 'test' this software, I am simply
| using it for general use and I do not suggest using beta or
| preview software to anyone if it is known to be _that_
| unstable. As soon as it was marked officially as a
| 'stable' release, then I would use it.
|
| Those who bought the M1 would have waited 6 months for it
| to be stable.
| dawnerd wrote:
| I have with with docker on Mac about two years ago. Just got a
| dedicated server to run it and it's made my development a lot
| less stressful. I'd suggest doing the same.
| leemcd56 wrote:
| Not true. I use Docker every day on my Mac mini M1. Now
| Dropbox, on the other hand, barely does... it brings my Mac to
| a crawl.
| Wowfunhappy wrote:
| This isn't the right solution, but I'd be curious to know if
| these problems disappear in Permissive Security mode (aka Secure
| Boot off).
| ravenstine wrote:
| Right. I'm not sure we know whether the author is describing a
| bug or a feature.
| millzlane wrote:
| Most likely a bug. If the instructions start with "Install
| Beta anything", with Apple, this wouldn't garner support from
| them. Report the problem to Apple on the beta channel.
| https://beta.apple.com/sp/betaprogram/ if you're a developer
| having an issue they have a support channel for that too
| rStar wrote:
| Apple doesn't care about technical users, they sell a product
| designed to be of use to the most people who can pay. They are
| trying to move towards an iOS security model while preserving
| most of the features of a general purpose computer. We'll see
| where it's headed. In my use case, I dual boot and am the only
| user of my machine. If this ever becomes untenable I'll switch
| mainly to Linux and dual boot Windows, until and unless Windows
| stops letting me dual boot, at which point I'll have to
| reevaluate.
| randyrand wrote:
| Will Macs still work in 15 to 50 years if Apple goes out of
| business?
| [deleted]
| jonwinstanley wrote:
| Anyone hanging on to a computer for that long will have found a
| workaround
| bruce343434 wrote:
| The oldest computer I have is a 2009 Mac mini, which still
| works, but it gets hot and it's pretty slow. The second oldest
| is a 2011 Fujitsu Esprimo E900 which has unreliable capacitors,
| and has to be plugged in for a while before it can boot up
| without shutting down randomly. My point is, computers are
| fragile, even more so the newer ones with smaller parts with
| tighter tolerances. And with the quick advancement of the
| technology, I think 15 years is already an excessive lifetime.
| foft wrote:
| Interesting. I just bought an M1 Mac mini. I added a nvme m.2 ssd
| (Samsung PM9A1 + Orico SCM2T3-G40) over thunderbolt 3 and moved
| the admin user over. Unfortunately I had to send back the ssd and
| adaptor since it was reading at only 75MB/s for some reason.
| Anyway I created a new admin on the internal ssd before deleting
| the external ssd. If I understand this article correctly it's
| saying that I will no longer be able to update since I now only
| have a secondary admin user. Is that correct?
| 70rd wrote:
| Were you getting those speeds with random reads or sequential?
| I have one of the Orico enclosures and it works great.
| foft wrote:
| I used initially 'Blackmagic disk speed test'. This tool
| seems to only have an option for 1-5GB. I did not find a
| random or sequential option. I've definitely seen screenshots
| of this tool giving high read speeds using the Orico.
|
| Then I tried 'ATTO disk benchmark'. This tool tries a variety
| of read and write I/O size ranges. The results I got here
| were strange. As expected as the I/O size range grows, the
| read bytes/s increase. Then it hits 1MB I/O size and the
| throughput drops to almost 0. Write was consistent across the
| range, perhaps since it simply hits a buffer on the SSD to be
| processed later.
|
| With dd I achieved good performance transferring a 5GB file,
| after a reboot to ensure the file cache was definitely
| flushed.
|
| Perhaps it was an issue with the firmware version for the
| Orico or the SSD itself. Unfortunately I was unable to update
| the latter since the 'Samsung Magician' software is windows
| only. On my windows devices I have no thunderbolt ports.
| Amin699 wrote:
| Good job
| GekkePrutser wrote:
| Wow I'm so happy I'm moving away from Mac administration. I
| currently manage a big userbase but we still don't have M1s in
| our environment as our antivirus solution (Cylance) is really
| slow in supporting it.
|
| Apple is introducing more and more mechanisms in the name of
| security but they keep access and information very close to their
| heart. All us Mac admins have struggled with SecureToken in
| combination with AD accounts and it took two major releases for
| Apple to actually introduce a way for us to manage these properly
| through MDM. In the meantime most information had to be gathered
| through blogs such as this one.
|
| Another issue is that more and more enterprise management
| features are becoming dependent on managed (federated) Apple IDs.
| But Apple requires that the email and identifying account address
| (UPN) are the same which will never happen in our 200k user
| environment. So we're stuck with more and more things to work
| around.
|
| This is really something that should have been considered from
| the start. And this owner key thing sounds worse. Security is
| good but the end user or corporate admin should have the keys to
| every lock. Not just the vendor. Now my successor can deal with
| this stuff.
|
| I used to be a big fan of macOS personally too but I moved over
| to FreeBSD 2 years ago and I'm glad I did. I really want an OS
| that answers to me.
| gjsman-1000 wrote:
| You could just set security to Permissive. It's as secure as
| any Windows machine and disables this, even though the only
| time you'd ever run into this would be if you ran 2 Mac
| installs on the same machine, which surely a corporate
| deployment isn't doing.
| GekkePrutser wrote:
| You'd be surprised. Macs for us are only half a percent of
| our userbase (yet still many hundreds), and are mainly used
| by app developers and graphical design roles.
|
| Especially the app dev guys tend to have fairly nonstandard
| usecases. However most of it happens in labs firewalled off
| the company network.
|
| Anyway, I'm glad I'm not the one having to figure out how to
| work around these things with very limited documentation from
| Apple, like I have before ;)
| gjsman-1000 wrote:
| Also of note is that this article only applies to M1 macs,
| so unless you're running a beta of Monterey, you'd have to be
| dual-booting Big Sur for some reason.
| JoshTko wrote:
| In other news, edge case use encounters edge case issues.
| gjsman-1000 wrote:
| It's almost as if Apple is building their Macs to be rogue
| nation-state resistant or something. Because otherwise is this
| almost actually security overkill? (Which does exist, we don't
| want TSA Security to enter a grocery store, for example.)
| eertami wrote:
| >It's almost as if Apple is building their Macs to be rogue
| nation-state resistant or something.
|
| This claim feels a little weak when there are two other posts
| currently on the front page discussing a zero-click iMessage
| exploit in iOS 14.6, which has been abused by nation-states to
| spy on journalists and opposition leaders.
|
| If this is truly their aim, then they are likely a long way
| from having adequate software security.
| tomjen3 wrote:
| TSA is theater, the hijackers that were stopped were stopped
| in the air.
|
| But aside from that, looking at the threats of ransomware
| attacks, they probably do need to harden them that much.
| gjsman-1000 wrote:
| What about device Ownership prevents an app with Full Disk
| Access from encrypting files as it pleases?
|
| Ruining the OS install is not the objective of most
| ransomware because that makes it harder to show your demands
| and accept payment.
| Wowfunhappy wrote:
| I assume the idea is to prevent rootkits.
| halotrope wrote:
| Considering the recent ransomware epidemic I would not agree
| for this to be security overkill. Maybe this level of paranoia
| is the minimum required baseline in 5 years. It looks like
| after a decade of relatively few big and public security
| incidents we are starting to go downhill again.
| InTheArena wrote:
| See the trending top story right now as to why they are doing
| so.
| mikl wrote:
| I think rendering stolen devices useless is also on the feature
| list. iPhone theft has become super rare, because a stolen
| device is nigh-impossible to activate and thus has little to
| no resale value.
| southerntofu wrote:
| It's not a feature, it's an anti-feature. Preventing people
| from using a device they get second-hand is actively hurting
| poorer economies, because they can't benefit from all the
| hardware at disposal but have to dispose of it as part of
| global "recycling" trade (which has nothing to do with
| recycling and everything to do with piling up devices in
| areas where random folks will use dangerous chemicals to
| scrap parts or tiny bits of gold).
|
| And then they go even further with stories like that:
| https://www.vice.com/en/article/yp73jw/apple-recycling-iphon...
|
| Apple is doing such policy not for security, as they still
| own the master key to everything they produce (!), but for
| making sure people keep on buying new products and destroying
| the planet ever more. Screw this crap.
|
| EDIT: If you like to think of yourself as an eco-responsible
| or eco-worried person, consider how "right to repair" (or
| "apple/samsung locks" on the other hand of the spectrum) fit
| into that worldview.
| williamdclt wrote:
| I've heard stories of people getting their phone snatched
| from their hand by a thief on a moped, then seeing the thief
| checking if the phone is unlocked while driving away and
| throwing it away immediately if it is (probably smashing it
| to the ground)
| judge2020 wrote:
| Seems like it'd be mostly useless, though - everyone I know
| sets up the iPhone without messing with too many settings,
| which means enabling Find My iPhone (which is on by
| default). The only place I imagine it being worth it is
| outside of Apple Stores or cell carrier stores where
| there's a higher chance they haven't set up FMI yet.
| michaelt wrote:
| Presumably when you snatch a phone, you don't know if
| you're getting a (worthless) iPhone until after the deed
| is done...
| fortran77 wrote:
| > iPhone theft has become super rare,
|
| This is simply untrue. It may be hard to activate it, but it
| still has value for its screen, case, camera, and other
| parts.
|
| https://cbslocal.com/2018/01/31/despite-anti-theft-features-...
| curiousgal wrote:
| lol you give thieves too much credit. Literally two minutes
| ago I was watching a video of thieves trying to ram a car
| into an ATM in France.
| mikl wrote:
| Even the stupid thief will learn, once he tries to fence a
| stolen device and gets little-to-nothing for his efforts.
| finnh wrote:
| Presumably the ATM has money in it, rather than iPhones.
| Engineering-MD wrote:
| I think the point is that their technique is unlikely to
| work
| [deleted]
| satysin wrote:
| It is less common these days thanks to activation lock, Find
| My Phone, etc. but it still happens a fair bit for parts. The
| system board is useless thanks to activation lock but the
| battery, screen, cameras, housing, etc. are all useful to any
| repair business. I think the only part they can't replace is
| the FaceID module as Apple require specific software to
| configure it only available to certified repair techs so a
| small repair store won't have access to it but a genuine
| battery or screen or camera on the cheap from a stolen phone
| is good money to smaller repair shops.
| developer2 wrote:
| This has already been a thing for Macs as well for many, many
| years. If you boot into recovery mode, there is a menu option
| to add a Firmware Password. You cannot access recovery mode
| or enter the boot selection menu without providing that
| password, which means a thief cannot reinstall any operating
| system or boot from a Linux thumb drive.
|
| When you add a Firmware Password to a Mac, you get a long
| recovery code as a fallback safety in case you lose/forget
| the password. Apple, if provided with proof of purchase for
| the serial number being inquired about, can create a bootable
| USB stick with a certificate generated using public/private
| key crypto for which Apple holds the private keys.
|
| I suspect much of this newer functionality acts as a
| replacement for the Firmware Password, giving more options
| and making it a bit more well-known.
| Rd6n6 wrote:
| What exactly is a rogue nation state? One that doesn't follow
| rules?
| sschueller wrote:
| It's the opposite. For this "security" you are handing control
| to a private corporation that when it comes down to it will
| pick money over democracy and freedom.
| heavyset_go wrote:
| And yet Apple is cooperating with authoritarian governments[1].
|
| For example, in Myanmar[2]:
|
| > _Most recently, there was a dispute with ProtonVPN (the
| company that also makes ProtonMail) over an update for its app
| in the App Store. Proton Technologies claimed that Apple was
| intentionally blocking the update amid the ongoing crackdown in
| Myanmar._
|
| And in China[2]:
|
| > _"China appears to have received help on Saturday from an
| unlikely source in its fight against tools that help users
| evade its Great Firewall of internet censorship: Apple."_
|
| > _"The Republic of China flag emoji has disappeared from
| Apple iPhone's keyboard for Hong Kong and Macau users. The
| change happened for users who updated their phones to the
| latest operating system."_
|
| > _September 2019 -- Apple adopts a "SIM canary". If you insert
| a Chinese carrier SIM, apps like TikTok & Apple News no longer
| function._
|
| > _May 2021 -- Censorship, Surveillance and Profits: A Hard
| Bargain for Apple in China_
|
| And in Russia[2]:
|
| > _October 2020 -- Apple forced Telegram to close channels run
| by Belarus protestors_
|
| And in Pakistan[2]:
|
| > _February 2021 -- Apple Removes Apps for Pakistani
| Government_
|
| There are about a dozen more examples than those in this
| article here[2]. Here's its conclusion:
|
| > _So what does any of this have to do with app developers? Why
| should we care? When it comes to the iOS App Store, Apple
| controls where we are allowed to distribute our apps. More
| importantly, Apple has the unilateral power to remove our apps
| from any App Store region at any time to nurture its
| relationship with whatever unsavory government it is interested
| in pleasing in order to pursue its political motives or
| financial objectives._
|
| > _Apple's centralized power over app distribution combined
| with its willingness to surrender to political pressures is
| incredibly concerning as ostensibly "democratic" governments
| across the globe (including the United States!) increasingly
| exhibit far-right, fascist behavior and implement fascist
| policies. What will happen when you need to build your own
| HKmap.live?_
|
| [1] https://news.ycombinator.com/item?id=26644216
|
| [2] https://www.jessesquires.com/blog/2021/03/30/apple-cooperati...
| gjsman-1000 wrote:
| This again. In authoritarian regimes, it's either you comply
| or you are gone. The regime can cut every one of your phones
| off their networks in seconds. Noncompliance is not an
| option. It's not like the US where you can fight with the FBI
| in court.
|
| The argument is whether you think their people should be able
| to use iPhones or not. If so, the rules are the rules. And
| the argument is that it would be better they had iPhones than
| domestic phones more likely to be compromised.
| [deleted]
| jolux wrote:
| I mostly agree but I think it's still a shame that American
| companies are forced to comply with draconian regulations
| like this. It's probably more of a problem for diplomacy
| and state policy to solve than private actors though.
| heavyset_go wrote:
| It's interesting that you don't see the military junta that
| performed a coup[1] in Myanmar and contributed to a
| genocide[2][3] as a rogue nation-state, but see cooperating
| with them as just the cost of doing business.
|
| [1] https://en.wikipedia.org/wiki/Myanmar#2020_elections_and_202...
|
| [2] https://www.npr.org/2021/02/11/966923582/what-myanmars-coup-...
|
| [3] https://www.mei.edu/publications/myanmar-february-coup-and-r...
| gjsman-1000 wrote:
| I'm not disputing what Myanmar did. I'm saying that let's
| say Apple didn't comply:
|
| 1. Within minutes, every iPhone is disabled from
| accessing the state owned cellular systems.
|
| 2. Any employees or executives in Myanmar risk arrest
| and, possibly, torture or death for allowing free speech
| and disobeying the government.
|
| 3. The average Myanmar citizen gets free speech for an
| hour or so, then gets informed they must buy a new phone,
| possibly made by a state owned enterprise, that is much
| more invasive to their privacy.
|
| So what, exactly, did making a stand accomplish?
| Absolutely nothing, and everyone is worse off.
| Miraste wrote:
| This is what would happen in China. Myanmar is not
| capable of it.
|
| > Within minutes, every iPhone is disabled from accessing
| the state owned cellular systems.
|
| Ludicrous. Myanmar has multiple private telcos. During
| the coup the military controlled internet access by the
| highly sophisticated means of cutting wires in data
| centers. It would take them days or weeks to individually
| block iPhones.
|
| > Any employees or executives in Myanmar risk arrest and,
| possibly, torture or death
|
| Some of those employees are US citizens. They all
| represent America's premier megacorporation. Killing them
| would not be a good move, especially as the US military
| finishes opening a spot on its "developing countries to
| demolish" list.
|
| > they must buy a new phone, possibly made by a state
| owned enterprise, that is much more invasive to their
| privacy.
|
| The junta can't make phones.
|
| Apple has no power in China but China and Myanmar are
| very, very different places. If they wanted to, they
| could exercise significant influence.
| gjsman-1000 wrote:
| That was when the military was trying to take over an
| already established government. No reason why, now that
| they are in charge, things might be different.
|
| In nations considered authoritarian, "private" should be
| taken with a grain of salt. In China, all businesses with
| over 50 employees must have a dedicated CCP
| representative.
|
| Finally, it doesn't matter if they can't make phones.
| They'll call a Chinese company in Shenzhen and they'll
| rush in a pile of branded phones in weeks.
| Wowfunhappy wrote:
| The nice thing about the M1 Macs (as opposed to iOS devices or,
| uh, apparently Windows 11?) is that these systems can be turned
| off if you feel so inclined. More specifically, "Permissive
| Security Mode" can be enabled from the Terminal inside 1TR.
|
| Apple recommends against this, of course, but it's your
| computer, so you can make your own choices!
| smoldesu wrote:
| To be clear, it's still not "your computer": Apple still
| controls the boot process and coprocessors, as well as all of
| the firmware that might be running on it.
| gjsman-1000 wrote:
| So does any other computer except for, like, Purism.
| judge2020 wrote:
| Technically Windows 11 runs just fine without TPM, but that
| might change eventually.
| Wowfunhappy wrote:
| The beta does, I was under the impression Microsoft was
| still saying the final release won't?
| m_ke wrote:
| The logic board on my M1 failed after 2 months of very light use.
| Was also surprised when it wouldn't let me use an external webcam
| while connected to an external monitor.
| danieldk wrote:
| _Was also surprised when it wouldn't let me use an external
| webcam while connected to an external monitor._
|
| What do you mean? Using an external webcam while connected to
| an external monitor works fine.
|
| (Source: I have been using such a setup in a course for the
| last few weeks.)
| m_ke wrote:
| Was using a 4K monitor with an M1 macbook air and the
| external webcam would only work with the monitor unplugged,
| tried both ports.
| matwood wrote:
| Since your mainboard also failed, it sounds like you got a
| bad machine. It happens. Hopefully you were able to get a
| replacement.
| grishka wrote:
| One question: can I finish the setup of an M1 Mac without giving
| it an internet connection? As in, could I get it from unboxing to
| desktop without it sending a single network packet to Apple?
| gjsman-1000 wrote:
| Yes, right now you can on M1. Windows 11 Home will not support
| that in the final release, but there are workarounds in the
| beta period.
| spideymans wrote:
| From the article:
|
| >According to the small print in Apple's Platform Security
| Guide, when you set up a new M1 Mac, or set one up after
| restoring it in DFU mode, the primary admin account created
| is special: it's the Owner account of that Mac. During that
| inital setup, the Mac sends a request to Apple for that Mac's
| signed Owner Identity Certificate (OIC). This is based on a
| private key generated in the Secure Enclave known as the
| Owner Identity Key (OIK).
|
| I'm not trying to imply that you're wrong at all, but I'm
| curious how the Mac goes about obtaining the OIC without a
| network connection.
| gjsman-1000 wrote:
| The OIC, if I understand correctly, is an Apple vetted OIK
| which is created on-device.
|
| This mainly would come into play, as the article says, if
| you install another operating system. By default, the OS is
| in Full Security mode, so it would contact Apple when
| installing the other OS and the OIC may come into play.
|
| But if you aren't installing another OS, or you set your
| Mac to permissive security which needs no internet, perhaps
| the OIC is not required because you've downgraded the
| security?
|
| I'm just speculating.
|
| Still, somehow, the fact remains you can fully set up an M1
| Mac without internet. The technicals of how it does this
| while reconciling that with the security guide is unknown.
| grishka wrote:
| Can you disable secure boot without Apple having a say in
| the process? I trust myself much more than I trust Apple.
| Wowfunhappy wrote:
| Yes, you can.
| gjsman-1000 wrote:
| There are three levels of M1 security, Full, Reduced, and
| Permissive. You can downgrade at any time without
| internet, but you cannot re-enter Full without contacting
| Apple over the internet.
| brigade wrote:
| No, you cannot downgrade before creating a user account
| in setup.
| gjsman-1000 wrote:
| Technically true, but no internet is required to make
| that account, so it's a minor inconvenience.
| grishka wrote:
| Yes, it's after reading this that I'm asking. I _really_
| don't like my own hardware phoning home without my
| explicit consent. Ideally I'd install a firewall _before_ I
| first connect it to the internet, and I'd block
| *.apple.com by default.
| gjsman-1000 wrote:
| It is currently unknown how it reconciles with the
| security guide, but the fact remains that you can set up
| a M1 Mac without any internet.
| comex wrote:
| According to [1], the whole dance with the OIC and OIK
| happens
|
| > When macOS is first installed in the factory, or when a
| tethered erase-install is performed
|
| So when you're setting up for the first time after the
| factory install, it already has the OIC. I think.
|
| [1] https://support.apple.com/guide/security/localpolicy-signing...
| Beached wrote:
| To clarify, Home will not. But Home is targeted to the non
| techy layman. Pro / Enterprise will allow this. Comparing
| Windows Home to OSX is like complaining that my Honda Civic
| doesn't have the towing capacity that my F150 has. Different
| class and purpose.
|
| Apple doesn't even have a comparable OS to be compared to
| Home, as it's a market they don't even target or develop for.
| vetinari wrote:
| > comparing Windows Home to OSX is like complaining that my
| Honda Civic doesn't have the towing capacity that my F150
| has. Different class and purpose.
|
| Microsoft puts garbage into Pro/Enterprise too, surely you
| know.
| judge2020 wrote:
| > But home is targeted to the non techy layman.
|
| Yet it will be sold on laptops to anyone that buys them,
| even if the customer is a 'pro'. It's their prerogative,
| but I would rather see 'Want to set up with an offline
| account? Upgrade to pro now for $80'.
| [deleted]
| brigade wrote:
| No, because of activation lock. Setup doesn't differentiate
| whether it's been wiped or not, and activation lock would be
| weak if a simple wipe could defeat it.
| gjsman-1000 wrote:
| False. Setup is actually quite aware of whether it's been
| wiped or not, because of the Secure Enclave.
| Kenji wrote:
| People who use modern Apple computers are not "hackers". They are
| hipsters, slaves to the system. They are people who would sell
| their soul for a few more FLOPs or a few more square pixels of
| resolution. They hate exploration, tinkering, general computing
| and freedom. The devil comes and tempts you with a CNC milled
| chassis, another millimeter shaved off in thickness and magnetic
| gadgets. And you will take his gift for you know: Your soul is
| already worthless, it is already corrupted and compromised.
| xrd wrote:
| Trying to ship software for OSX *in general* drives me crazy, and
| this seems like more.
|
| This quote: "I've been unable to find any information provided by
| Apple (or anyone else) which explains what's going on, what the
| errors mean, or how to address them."
|
| That's my experience constantly.
|
| My development build had weird behavior when I explicitly launch
| it? Oops, Apple launched a cached version of the app inside a
| private temp directory (thanks Gatekeeper!) associated with the
| protocol handler.
|
| But no way to tell until I casually check the process working
| directory. No documentation indicating how to troubleshoot this.
|
| Countless issues like this.
|
| Whenever I develop for JavaScript, if I find a module that just
| has weird undefined and undocumented behavior, I get rid of it no
| matter how powerful. I wish I could do that with the Mac
| developer ecosystem. It's closed and Apple will say that gives
| them a premier experience but it's the little snags that cost me
| 90% of my time and are impossible to troubleshoot other than
| grunting through it.
| kennywinker wrote:
| > Whenever I develop for JavaScript, if I find a module that
| just has weird undefined and undocumented behavior, I get rid
| of it no matter how powerful.
|
| `rm -rf Chrome.app`
|
| The equivalent between native development and web is not the
| quirks of a library, it's the quirks of browsers. That's the
| metal you're running on.
| oblio wrote:
| > I wish I could do that with the Mac developer ecosystem.
| It's closed and Apple will say that gives them a premier
| experience but it's the little snags that cost me 90% of my
| time and are impossible to troubleshoot other than grunting
| through it.
|
| Might be worth reading the entire post and commenting on it
| in its entirety, not cherry picking.
| kennywinker wrote:
| I'm not sure what you mean by cherry-picking, I'm directly
| addressing their comment. The kinds of struggles `xrd`
| mentions (Gatekeeper, protocol handlers) are not library
| level dependencies, they are the platform their code is
| running on. Comparing that to a js library is just the
| wrong equivalence. If their beef was with AppKit, or
| NSWindow or something at the dependency level then yeah
| it's fair to compare that to an npm package.
|
| The bulk of my experience has been with native development,
| so I find these struggles familiar and un-threatening.
| However, when I do browser-based development and I'm faced
| with one of those massive "Browser compatibility" tables on
| Mozilla.org explaining how this "standard" is implemented
| in wildly different ways across the major browsers, and
| then the reality turns out to be different from what the
| table suggested, I get as frustrated as `xrd` is.
| mschuster91 wrote:
| > The equivalent between native development and web is not
| the quirks of a library, it's the quirks of browsers. That's
| the metal you're running on.
|
| Unfortunately, the one browser causing the most miserability
| for web developers these days _is Safari itself_, not Chrome
| as you implied. It is the only web browser engine that's
| allowed to be used on iOS devices, and many people use it on
| Macs since it is able to use all the undocumented quirks and
| nooks in OS X to smash Chrome/FF in battery usage.
|
| The problem is that it has so much stuff that's outright
| _broken_ (IndexedDB), is outdated (its developer tools) or
| just plain sucks (it won't play <video> elements if the
| server doesn't serve Range HTTP headers, for example -
| painful if you're streaming from inside a CMS). And that's
| been the case for _years_.
|
| Safari is the new IE. Apple should be forced, just like
| Microsoft, to de-bundle it from the OS and open up and
| document their private APIs to allow Chrome and Firefox to be
| competitive!
| gjsman-1000 wrote:
| If they did that, you'd risk Chrome taking over and
| extending its browser engine monopoly to be even bigger.
|
| And Firefox, remember, laid off most of the engineering
| team. The only real people benefiting would be Chrome based
| browsers, with their ability to spread Chrome to even more
| places.
| kennywinker wrote:
| > Unfortunately, the one browser causing the most
| miserability for web developers these days is Safari itself
|
| I think it's a bit of a straw man to say that the only
| reason web development is hard is Safari. Browser support
| is irreducibly difficult as long as we live in a world with
| more than one browser. Safari may stand out as the odd
| duck, but I for one don't want to stream video on my 3gb a
| month data connection if it has to load the full content in
| order to jump ahead 2min.
| dabinat wrote:
| The Apple security feature I hate the most is notarization. I
| get the point of it, but Apple's execution of it is poor.
| Sometimes it takes 10+ mins to notarize an app and the service
| regularly returns random failures.
|
| My software has a feature where you can package certain files
| into a basic no-frills installer. This is a minor feature that
| pre-dates notarization in a much bigger suite of tools and it
| causes a lot of issues because users contact tech support every
| time Apple's notarization service goes down (which is often).
| At this point I'm considering just removing the whole feature
| from the suite.
| judge2020 wrote:
| > users contact tech support every time Apple's notarization
| service goes down (which is often).
|
| Isn't notarization stapling supposed to prevent this? Or does
| it do an OCSP/"is this signature still good" check on every
| launch?
| NegativeLatency wrote:
| Sounds like OP's app is calling the notarization APIs
| directly to notarize user created installers
| dabinat wrote:
| Yes, it notarizes using the end-user's Apple ID.
| gjsman-1000 wrote:
| Apple did a talk recently about how notarization will be
| easier with MacOS 12. Might help.
| tootie wrote:
| Same for iOS. It's just 10x harder than Linux or Android for no
| good reason.
| gjsman-1000 wrote:
| Could the same not be said for Windows developers, or Linux
| developers? Or, heck, almost any developer?
| wila wrote:
| Nope.
|
| Have been a developer for Windows applications for 20 and
| some years. Software I built back then still runs fine.
|
| Have been a developer for macOS since 2013, since around 2019
| I need to bring out patches for changes in the core OS
| multiple times per year. macOS is not a pleasant OS for a
| developer. Documentation is pretty shitty and the rugs that
| get pulled from under you all the time are frustrating.
| rapind wrote:
| At least you aren't paying for this sub par environment...
| oh wait.
| wila wrote:
| Actually, I'm fine with that part :)
|
| For Windows you nowadays need EV code sign certificates
| in order to be able to distribute without any troubles
| and -while you don't pay that directly to Microsoft-
| these certs are significantly more expensive than the
| "macOS developer tax".
|
| Yes, you can also distribute to the Windows App store,
| which is cheaper (a one time tax). But I'm not really a
| fan of "App Stores" be it from Apple/Google or
| Microsoft.
| xrd wrote:
| Glad to know it isn't just me. Same general developer
| history, same experience.
|
| Windows has its quirks and bad decisions they made over the
| years but the developer experience is consistent, even when
| bad.
|
| Apple's experience is like being in an Arabian desert:
| sometimes you see a mysterious oasis that wasn't there
| before, but mostly it is shifting dunes that cost days or
| months.
| ethbr0 wrote:
| I think this is one of the reasons Microsoft leadership
| was historically so rabid about reminding their employees
| that _developer_ experience was core (because it's the
| indirect upstream of user experience).
|
| Third party developers are an example of "out of sight,
| out of mind." It's easy to forget how a feature impacts
| them. And it's easy to say "We still have apps coming
| into the platform."
|
| But what you don't see is the frustration, resentment, or
| apps that were never written because developers found
| something better to do with their time.
|
| Mac and iOS development isn't there yet, but it sure
| feels like they aren't trying very hard to steer the ship
| in any other direction.
| mst wrote:
| There was an article talking about how we train ourselves
| to our tools to not do the things that cause problems.
|
| This works a _lot_ better when the set of "things that
| cause problems" stays relatively constant.
| zh3 wrote:
| Oh and if you have an older Mac Mini, you need to upgrade
| the OS to run a newer Safari? (that's the first platform
| I've ever seen that needed an OS update to install the OS's
| own browser).
|
| So the kids are now using Brave.
| djxfade wrote:
| > that's the first platform I've ever seen that needed an
| OS update to install the OS's own browser
|
| Used to be the case for Windows as well with Internet
| Explorer.
| gjsman-1000 wrote:
| And Microsoft Edge right after that for a few years.
| wila wrote:
| You can install Microsoft Edge right now still on Windows
| 2008 R2 as well as on Windows 7. [1]
|
| They even support this for WebView2, the embedded version
| of MS Edge that you can use in your applications. [2]
|
| Both of those operating systems have been retired for a
| while.
|
| Microsoft has its flaws as well, but at least in this
| part they are doing quite well.
|
| I just happen to be working on a WebView2 ActiveX control
| and this is one of those areas that really did surprise
| me.
|
| [1] https://docs.microsoft.com/en-us/deployedge/microsoft-edge-s...
|
| [2] https://docs.microsoft.com/en-us/microsoft-edge/webview2/#su...
| zh3 wrote:
| My mistake then, I guess I never hit that despite using
| Windows way more than iOS (Windows is a _lot_ better at
| backward compatibility, at least in my experience).
|
| Personal experience with trying to switch to Mac has
| been...well, both expensive and unpleasant. Single data
| point, but new hardware that fails every 4 minutes after
| power on and the fix being an upsell has really put me
| off.
| tonyedgecombe wrote:
| Windows is much better documented and mostly stable. The main
| downside from a developer perspective is framework churn.
| ethbr0 wrote:
| > _framework churn_
|
| Aka "never trust Microsoft's pronouncements and stick with
| legacy frameworks forever, because it's the least risky
| option."
| [deleted]
| Shorel wrote:
| Windows? No fscking way. Backwards compatibility is Windows'
| strength.
|
| Linux? Sometimes. Trying to run DXX-Rebirth in a modern Linux
| is an exercise in frustration.
|
| The Windows version still runs flawlessly in Windows 10.
| fortran77 wrote:
| Wow! A good reason to hold off until all the kinks have been
| worked out.
|
| Even with "secure boot" and "UEFI", I have no trouble installing
| other OSs on the latest Intel hardware from Microsoft,
| Supermicro, or Dell.
| dlevine wrote:
| It seems like these changes have good intentions (i.e. improved
| security), but introduce a lot of complexity that can have
| unintended consequences for end-users. This reminds me somewhat
| of my process setting up UEFI Secure Boot on my Windows PC that
| wasn't originally configured for it. Not in the exact steps, but
| in that there is a ton going on behind the scenes and the UX is
| horrendously bad.
|
| Unfortunately, vendors haven't really thought about how to
| explain these changes to end-users. They are trying to make them
| fairly transparent, which probably works at least 95% of the
| time, but for a small percentage of people, becomes a big PITA.
| TranquilMarmot wrote:
| I wanted to try out Windows 11 on my desktop, and one of the
| requirements was that UEFI secure boot is turned on. Took me
| the better part of a day to figure out how to turn it on, which
| required deleting some random partitions that had been created
| on my drive when I had upgraded from Windows 8 to Windows 10
| because the tool to enable UEFI requires a _very specific_
| number of partitions in the drive that it's being set up on.
| The error messages to figure out that was the problem were
| incredibly frustrating. The BIOS UI to turn it on was also so
| confusing; everything seems to be named differently in
| different places.
|
| The kicker was that the Windows 11 install was borked and I had
| to wipe everything and reinstall. Ha.
| blunte wrote:
| This is worth knowing about, but it is really a distant edge
| case. Calling it a peril of M1 ownership is a bit dramatic when
| you consider how few people it will affect.
| jfarmer wrote:
| I think the title was meant to be wordplay: the perils of the
| M1 "Ownership System" and the perils of owning an M1 Mac.
| gjsman-1000 wrote:
| This blog is well known for both deep original knowledge, and
| extreme hyperbole. There was a post about MacOS update size
| that compared the size of the updates to beating the backs of
| Mac users raw and ignoring their pleas.
| blunte wrote:
| Ok then. Literary license :)
| sylens wrote:
| Isn't there a chance this could show up in Macs provisioned by
| enterprise IT before being assigned to employees who sign in
| with their own Apple ID?
| Nextgrid wrote:
| The other peril of M1 ownership is the lack of alternative
| operating systems. The other day I reinstalled an older Macbook
| through "internet recovery" and it downloaded the version it was
| originally shipped with - macOS Mojave.
|
| The UI was a breath of fresh air compared to Big Sur. Despite the
| screen being smaller than my M1 the information density was
| higher and it felt more like a tool than a toy. The lack of
| bullshit apps such as Apple TV, News & co and useless "widgets"
| was also good (for all of iTunes' flaws, it's still better than
| its modern successors), and it somehow felt faster despite being
| less than half the processing power of the M1.
|
| I now wish I could run this on my M1 but alas I can't. At least
| with PCs and older Macs you could always switch to Windows or
| Linux, but with the M1 you're currently screwed - if Apple drops
| the ball or decides to take their OS in a direction you don't
| like you currently have no alternative (and all the "security"
| around locking out the user from their own machine doesn't bode
| well for alternative OSes).
| aeontech wrote:
| You might be happy to hear about Linux running on M1 Macs
| already then (and Windows ARM version will run as soon as
| Microsoft gets around to it, I expect).
|
| https://asahilinux.org/about/
|
| https://9to5mac.com/2021/06/28/linux-kernel-5-13-officially-...
| rvz wrote:
| That's great news but how do users go about _'installing
| it'_ right now?
|
| I think the comments in 9to5mac are just as bewildered as I
| and many users are. By the time a guide is written, they
| would have moved on to getting an M1X or M2 Macbook, still
| waiting.
|
| It's only got kernel support, but is actually still not
| _'user ready'_. Could take months for that to happen.
| deaddodo wrote:
| You don't. Asahi is far away from usable. They've got
| initial kernel support in, which allows it to boot. However
| no drivers have been written yet, there's nothing ready in
| the userspace and it definitely doesn't have an installer.
|
| * Not decrying Asahi, they've done a lot of work and
| continue to do so. But it's best not to misrepresent the
| project's status.
| rvz wrote:
| > They've got initial kernel support in, which allows it
| to boot. However no drivers have been written yet,
| there's nothing ready in the userspace and it definitely
| doesn't have an installer.
|
| Exactly my point as I have already said. We know it is
| not user ready but the parent comment is making as if it
| is already running on M1 Macs; which is hardly true.
|
| To debunk the M1 Linux hype squad again, it does not work
| to the point of it being usable and will take months to
| get it _'user ready'_.
| deaddodo wrote:
| Asahi Linux hardly runs on M1. They're definitely
| spearheading research into the hardware and have done a ton.
| But the project is well into its infancy.
|
| And it's doubtful Microsoft would ever go through the same
| effort to port Windows on ARM to the M1, instead probably
| relying on Apple's virtualization framework to allow it to
| run.
| brianzelip wrote:
| ...and Mojave is EOL this year, so here comes Catalina, with
| the shit show that was that experience which kept me on Mojave
| so long.
| salamandersauce wrote:
| T2 Macs are still handicapped when it comes to Linux. It can
| run but with too many caveats. Needs special kernel versions
| with custom modules to have working keyboard/trackpad and at
| least last time I looked couldn't have both audio and sleep.
| Too big of a compromise on a laptop for me to use it. Wish I
| could. Seems like M1 Macs are going to have better Linux
| support than the T2 ones where BridgeOS throws a bunch of
| complications into the mix.
| gjsman-1000 wrote:
| Well, in Apple's defense, backporting old versions of MacOS
| makes no sense and would cause developers much headache, Linux
| already boots to a GUI on the M1 Mac mini (just no HW
| acceleration), and the list of available operating systems will
| grow each year there is a MacOS release. Just like you can't
| run MacOS 10.6 Snow Leopard on the MacBook you restored.
| smoldesu wrote:
| I'm glad I'm not the only one who truly loved Mojave! Once
| Apple cut off 32-bit support, it seemed like stuff really
| started going downhill. I still might pick up an M1 machine
| secondhand once Linux support is ironed out, it would be a fun
| little tinker-toy.
| kartayyar wrote:
| You don't buy a Mac (M1 or otherwise) to live an adventurous
| life. You get it because it has a really well executed take on an
| opinionated computing platform that just works for normal people.
| FireBeyond wrote:
| That's completely orthogonal to Apple's take. They talk about
| how much your development efforts will speed up, your creative
| production. So on, so forth.
|
| Not "it's to be an unadventurous consumer of product".
| gjsman-1000 wrote:
| For a lot of normal people, Mac is what you buy if you want to
| work _with_ your computer, but it is not what you buy if you
| want to work _on_ your computer.
| robertoandred wrote:
| Do you work with your screwdriver or on your screwdriver?
| samatman wrote:
| With my screwdriver.
|
| Unless you're a blacksmith who makes his own drivers or a
| woodworker who makes her own handles, the same is true for
| you.
| my123 wrote:
| Note that the BootPolicy mechanism changed quite a bit in macOS
| Monterey betas, and will continue to do so within the beta cycle.
|
| Installing betas tends to come with caveats...
| mark_l_watson wrote:
| For most (almost all) Mac users this will not be a problem. For
| me, it was a problem when installing the beta macOS Big Sur a few
| months ago. For a while I was worried that I may have bricked my
| fairly new MacBook Pro laptop, but I eventually got it sorted
| out.
|
| I don't like that you apparently can no longer boot into the
| setup tools and reset a Mac to factory new condition. I had
| wanted to do this when I could not get LispWorks running with the
| newest beta macOS - I ended up just deciding to use SBCL until
| this gets sorted out.
| CharlesW wrote:
| > _I don't like that you apparently can no longer boot into
| the setup tools and reset a Mac to factory new condition._
|
| I recently did this on an M1 Mac mini (wiped boot drive + did a
| clean install of macOS via the internet), so unless I'm
| misunderstanding what you mean this is definitely possible.
|
| https://support.apple.com/en-us/HT201255
| mark_l_watson wrote:
| Thanks Charles. So, you installed beta macOS Big Sur, then
| wiped from there? Good to know.
| MarkusWandel wrote:
| I'm with Richard Stallman on this one, even if the machine isn't
| quite free of binary blobs (management engine if applicable, wifi
| drivers).
|
| How much longer? Will Windows 11 finally choke off the supply of
| perfectly good, cheap, secondhand Linux capable hardware (by no
| longer requiring an unlockable bootloader)?
| heavyset_go wrote:
| Stallman[1] and others[2] have talked about this 15+ years ago.
|
| [1] https://www.gnu.org/philosophy/can-you-trust.en.html
|
| [2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
| zohch wrote:
| I personally would be more concerned that it was made by a
| company that uses slave labor in collaboration with an
| authoritarian state that is perpetrating a genocide on a minority
| religion. But I guess if you are okay with that ... then maybe
| this will bother you.
| gjsman-1000 wrote:
| So is your PlayStation, your Nintendo Switch, your Surface
| Laptop, your Lenovo desktop, your Pixel phone...
| zohch wrote:
| > So is your PlayStation, your Nintendo Switch, your Surface
| Laptop, your Lenovo desktop, your Pixel phone...
|
| Not things I own. There are other places that manufacture
| electronics than China. And "everyone does it" is not a
| justification for being complicit in genocide.
|
| Here are good places to start looking:
|
| - https://notmadeinchina.directory/
|
| - https://chinanever.com/
|
| - https://bestfreereviews.com/best-laptops-not-made-in-china/
|
| - https://www.republicworld.com/technology-news/gadgets/non-ch...
|
| Maybe if Europe stopped colluding and glad handing with
| Tyrannical governments like China and Russia they too could
| offer up some alternatives. Doubtful though, Germany is all
| about double speak, saying that they are against genocide
| while doing everything in their power to prop up genocidal
| regimes to maintain their regional hegemony.
| [deleted]
| gjsman-1000 wrote:
| I get despising the CCP, but your sources are significantly
| flawed.
|
| For example, best laptops not made in China showed a
| Surface Pro 7. Which is Made in China.
| zohch wrote:
| Apologies for that. The point is I guess that there is
| production in South Korea, Taiwan, Japan and India.
| smoldesu wrote:
| Well, this just about confirms the worst nightmares I've had
| about hardware-based TPM. This "Owner" concept in particular rubs
| me the wrong way, it just seems antithetical to the idea of
| general computing.
| mikl wrote:
| While there are perils, there are also benefits. Organised
| theft of iPhones basically stopped being a problem because
| features like these make the device a mostly useless brick
| once it's marked in Apple's systems as stolen.
|
| I like the idea that should anyone be foolish enough to steal
| my MacBook, not only will they not be able to get my data, they
| won't even be able to get much useful value out of the
| purloined goods.
| ccmcarey wrote:
| > Theft of iPhones basically stopped being a problem because
| features like these make the device a mostly useless brick
| once it's marked in Apple's systems as stolen.
|
| Uhh, got a citation on that?
| foldr wrote:
| https://9to5mac.com/2015/02/11/iphone-thefts/
| mikl wrote:
| Sure, how about
| https://www.lifewire.com/security-settings-iphone-thieves-ha...
|
| There's more to be found on this new-fangled internet
| search engine called Google. You should try it:
| https://www.google.com/
| Andrew_nenakhov wrote:
| People are still routinely tricked to enter their iCloud
| credentials into fraudulent websites designed to look just
| like iCloud, allowing thieves to wipe the device.
|
| I've had this happen to three people I know. Works like
| this: they contact you via your contacts, pretending to
| be apple care specialists, ship a link, then social
| engineer you into entering credentials, then they
| disappear.
|
| (I don't really know how they get to contacts, but this
| was the case in all three instances)
| mikl wrote:
| It's not really surprising that organised criminals are
| trying to get around the anti-theft measures (although
| crazy to hear that you know that many who've had their
| phones stolen). But as you can imagine, running such
| social engineering schemes takes time, and success is not
| guaranteed, so even in this case, the anti-theft measures
| are making it less attractive to steal iPhones.
| aunty_helen wrote:
| Can confirm, had my XR stolen. Contacted on WhatsApp via
| a number that I put as the lost message (displays when
| you turn the phone on).
|
| Story was, this girl from Italy bought my phone on eBay
| but then saw my message and then took it to the Apple
| store. Someone from the Apple store would contact me to
| arrange recovery of my stolen phone.
|
| Couple hours later I got a message from another number
| asking for me to log in to my iCloud account and arrange
| an appointment using this link. Opened the link and was about
| to type my details in when I saw the domain wasn't quite
| right. Looked into it, realised it was a phishing
| attempt and bailed on that.
|
| I know they can't access the phone whilst it's still on
| my iCloud account so it will remain there, in lost mode,
| until the heat death of the universe.
| unstatusthequo wrote:
| Fringe use case of using multiple operating systems != peril.
| FireBeyond wrote:
| I don't think it's entirely odd.
|
| I'm still using Catalina, because Big Sur broke Display Stream
| Compression completely, and it's still not fixed in any of
| those releases, let alone Monterey.
|
| So until Apple pays attention to the hundreds or thousands of
| bug reports on a completely working piece of functionality they
| broke (although I'm sure they'd rather we all just bought Pro
| Display XDR monitors), I'll dutifully stick with Catalina and
| cross my fingers and test each new release from an SSD, so my
| 27" 4K HDR 144 Hz monitors aren't completely crippled.
| smoldesu wrote:
| > These may seem elaborate and esoteric, but in the next few
| months we're all expecting Apple to release more Apple Silicon
| Macs aimed well above the lower end of the market, where users
| often live more adventurous lives and have Macs which are far
| from vanilla. Yet as far as I can see, none of these subtleties
| are documented for those more advanced users.
|
| At the bottom of the article he seems to address this
| sentiment.
| maxfromua wrote:
| So, one of the conclusions should be "don't buy used M1 Mac". Do
| I understand this correctly?
| gjsman-1000 wrote:
| Ah, no. This is an extremely niche situation when dual-booting
| multiple versions of MacOS that could possibly just be a bug.
| jarym wrote:
| The lack of documentation is concerning, it makes me wonder why
| Apple are rushing the rollout since they could have provided a
| lot more technical info in advance to prepare users.
|
| Aside from that, with all these security features I'd be quite
| content if there was a way to set up an endpoint at *.myco.com
| instead of *.apple.com for the 'calling home'.
|
| I just don't want my hardware being so tied to the network
| services of one vendor. Is it too much to ask?
___________________________________________________________________
(page generated 2021-07-18 23:01 UTC)