But I've heard WiFi drivers in particular are not so good - never really looked into it because I wire all my stuff up anyway.

I use a thinkpad laptop for work and a cheap $150 Chuwi laptop for the makerspace but that's all.

That said, I agree that the macOS implementation has issues. It’s tricky though, because if they make it as simple as confirm/deny dialogs, you’ve set users up to quickly succumb to “yes-click syndrome” which is likely why Apple went with the “flip a switch in a preference pane” design for some permissions instead.

Last year you might have heard a court case talking about a nurse who killed a woman by accidentally giving her the wrong medication. She took responsibility but talked at length about how the system in place encourages workers to blindly click yes on alerts about medication because there are many of them. The training they got was basically “just click yes three* times” (* I don’t remember the actual number but three seems right).

One of those warnings could have saved a life had she read it, but she had been clicking yes many times a day every day for a long time and she no longer even saw the banner for what it was.

Interesting stuff from a UI/UX perspective.

Do use Linux on the desktop and be happy if it makes you happy, but don’t smugly assume you’re immune to the outside pressures in today’s world that are causing Apple to institute basic UI security measures on macOS. This isn’t a walled garden issue, it’s “make sure the user knows this binary is doing something that allows it to be a keylogger if the developer is so inclined.”

Some distros like RHEL already bundle apps with profiles that make sure the app can only do what it's supposed to do.

Also it is totally not fit for the "ask user for permission" model.

Like, stock RedHat does too, it just took a ton of effort (and bugs) to get there.

But then it is complex problem so its no wonder that the tools to do it are complex too

I wouldn't actually mind android-like permission model for out-of-distro packages (snap/appimage/etc.), maybe a bit expanded so I could say set this this and that folder for the "graphics editng app", and maybe save that as a profile to apply to some other similar app to ease on repetition/alert fatigue.

With maybe a layer to abstract some operations to not be just "allow this(remember choice)". Like file opening, if app calls to open a file I "just" want DM/WM specific open dialogue, with app/container name in the title and select the file to open.

Same for editing, I'd want to be able to just get dialogue "open file for editing", with app name and the permission to edit said file saved for the duration of the session so app doesn't need to re-ask me every time it saves the file.

Who does this benefit? I can think of two groups of people. 1. Commercial software vendors who want more Linux users to install their proprietary software. 2. 'Transplants', new Linux users who are already accustomed to the Windows/MacOS style of wantonly installing proprietary third party software they downloaded off random corners of the net, and don't want or know to change their habits.

The value proposition for experienced linux users who don't do that sort of thing in the first place is next to nil. The only applications that might benefit from such sandboxing are applications like browsers, which have large attack surfaces and might be compromised while browsing the net. But even this is mostly theoretical, not a realistic day-to-day concern for typical linux desktop users.

You are jumping to conclusions here. RCEs are probably more common than you think, and I'd prefer anything that interacts with the Internet to be sandboxed.

Flatpak allows me to easily sandbox Steam games. It provides an easy target to tell user to test against to eliminate distro-specific issues. It allows to run glibc-only software on distributions such as Alpine. It allows me to have multiple versions of a program installed concurrently. It prevents programs from cluttering my home directory, and sandboxing gives me extra peace of mind. As a non-root user, I can also install flatpaks. Ostree also usually makes updates more efficient.

If you use a couple flatpak apps, they are available regardless of your distribution. That helps when working on multiple different distributions.

Use an old-ish debian but need a feature from the latest unstable software ABC? Install ABC as a flatpak, and do not compromise the stability of the base system by enabling all sorts of external, unstable sources.

If you can run the "beep" command, you can also edit the user's environment and from their easily escalate to root anyway. In modern desktop linux, the user is almost always the admin as well, a single person using their personal computer, so getting root is merely a matter of waiting until the next time that user uses sudo/etc. Windows tries to mitigate this sort of attack using secure UAC prompts that are apparently difficult for attackers to emulate, or so I've been lead to believe. But common desktop Linux distros don't require anything like that. Instead, the user has to be cognizant of such possibilities and not run programs from people and organizations they don't trust.

why would you? that's the package maintainers job. each of these dependency also has a maintainer, so by definition all dependencies have a provenance that is as good as the package you are installing.

this is not npm where anyone can upload something and you have to check the provenance of each yourself

There’s also systems like Arch’s AUR which is quite popular and more likely (if still unlikely) to carry malware, to the point that the Arch Wiki warns that use of AUR is at the user’s own risk.

Plus, many people are going to need to use proprietary software, which is always an unknown and likely to act badly in any number of ways. A lot of such software is Electron-based to boot, and devs are notorious for using ancient (and vulnerable) Electron versions.

Sure, it's better than closed source, because at least you have the possibility to check all this. In practice though, we outsource this responsibility to the package maintainer of the package system we use.

not true, for years there are efforts in various distributions to make package builds reproducible. there are ways to build a package from source that allows you to get the same results and verify it.

we outsource this responsibility to the package maintainer

which is the point. i trust the package maintainers to do a better job at that than myself.

Regardless, I'd still like the final say in making that decision, otherwise it's not really my computer anymore, is it.

If a systemwide "disable all safeguards, give all programs access to everything all the time" switch exists, the level of friction encountered when accessing it should be very high to help deter social engineering attacks. It's a one-time action so the annoyance level of that friction is negligible, since those using it will only need to do so on clean installs.

People often just drop the word “sandbox” and say “applications are sandboxed” and that that means that they're safe but it's really not that simple in practice. What often happens is that such applications still need to communicate over some socket with some server that was never designed for such a sandbox, say PulseAudio, and in many cases can then simply instruct the outer daemon to do whatever they want with full permission, either by design, or by oversight since the no one who wrote the outer daemon thought about it at the time since they were never designed for that purpose.

This is why there's a push to do as much as feasibly possible in userland in both macOS and Linux, so even when a bad actor tries to route through system components the blast radius is limited. Realistically, they should be sandboxed too — an audio daemon for instance has no business directly accessing storage or network facilities for example.

What I'm about to say may seem wrong, stupid, or crazy at first. I think permissions often belong in the GUI. Applications would get no access to the file system directly, but they could use an API in the gui to open files - only files that are granted access by the user, often by selection in a File->Open dialog or other direct user interaction. By putting the granting of access in the GUI toolkit, we can run untrusted apps natively with no OS permissions.

Maybe not directly in the GUI, but something like that. Trust the user but not the app.

To the extent that it is the OS's job, you don't have a computer anymore. You have an appliance. Sometimes that's OK; I don't complain because I can't run Doom on my dishwasher. But let's be clear about what is a general-purpose personal computer, and what is not.

In my opinion, that depends on the existence of an escape hatch. If it's like iOS where there effectively is none, sure, but if it's like macOS where SIP, Gatekeeper, etc can be temporarily disabled to make changes and then re-enabled or disabled entirely it's a different story.

I interpreted both of their comments as claiming that the direction MacOS is taking is a poor fit for those who still get value from powerful, general-purpose computers (myself very much included! I occasionally have the misfortune of using Macs, but am much much happier on systems where I can dig as deep into its layers as I need to solve my problems or scratch my itches)

[1] https://news.ycombinator.com/context?id=35219381

[2] Though I do think it's a minor tragedy that the increasing amount of guardrails has narrowed the opportunity for an inquisitive youngster to explore his computer's internals

How many "average" users you know who use sudo? At some point, the software needs to acknowledge users who are saying "I know what I'm doing and the risks, just let me do it" i.e. sudo.

Do you feel the same way about Windows finally starting to take security seriously back in the mid 2000s?

You always to be advocating for ossification to avoid breaking apps which are no longer ok under an evolved threat model.

Finally, you didn’t actually answer the question I asked. It’s all very well and good to say how things should be, but people have to face the world as it actually is instead.

If applications can edit arbitrary files on the system it's already game over. I have no idea why people focus so much on “keylogging” as the supposed super important and dangerous thing.

If one run any malware with the full file edit permissions of one's user account at that point in theory the only solution is erase not only the hard drive, but also every other drive on any other system one's user account has access to or at least in sofar those do not have some logging for connexions in some way to see who connected that cannot be edited by the permissions one has on that system. Of course if one has root on one's own system nothing on that system can be trusted any more from that point. The malware could in theory have edited the firmware at that point to hide any checks one could do with a recovery system on a portable drive, but that's all quite theoretical of course, but it's possible in theory.

Keylogging is such a strange thing to focus on in the face of being able to edit arbitrary files owned by the user.

The supposed threads of malicious applications keylogging and stealing your website passwords to worry about is rather strange when such an application can edit the files on your system such that you're starting a modified version of a web browser they injected with whatever code they want to do the same. In fact, this is probably easier to do than try to write some kind of a.i. that filters what it thinks are “password keypresses” opposed to altering the code of the web browser such that it simply sends whatever is being put into a field marked as “password” on a website.

It's a moral panic boogeyman that has no actual implications for actual real life security. Like quite a bit of “security” talk these days. Much of it comes down to the “door in your room” analogy where “security experts” talk about putting a big door in the middle of one's living room with an impenetrable lock on the idea of kindly asking criminals to only go through that door to steal things. In reality they'll just walk around it, and now one has an inconvenient door in the middle of one's living room.

It’s an improvement for users because it means that not all random applications and programs that run can act as keyloggers. It’s optimising for the common use case (random people running random software and being very annoyed if they get ransomed) against the rare case. It’s the same thing with debuggers and attaching to other processes. In the end it is a good thing to not be able to do that without explicit authorisation.

> So I had a very expensive laptop and the OS didn't let me use it freely.

It does not prevent you from doing it. It added some friction, sure, and you can find that this friction is unacceptable (and changing OS every now and then is a good idea in general anyway). But from a fundamental perspective the functionality is still there. The OS still lets you do this.

> I created the best looking/most usable desktop experience MacOS will never have.

It is great that you have both the ability and the time to do this. I’ll look into it for my Linux boxes.

However, my experience is that it’s never actually “the most beautiful/user-friendly/consistent/polished” (things we see all the time with new DEs). They all tend to fall apart with millions of corner cases and inconsistencies every time you get off the beaten path. In any case, good luck with your project.

It seems alongside security there appears to be a strong desire at Apple to make macos a walled garden like iOS devices. They've hamstrung mobile safari for years to ensure the app store doesn't have competition from web apps.

(Disclaimer: Apple fan/user since 1985.)

This is obviously where open source is superior. Apple probably can’t justify cleaning this up in macOS, but you can just go in and make it easier on on Linux if you have the knowledge and time.

Many of the things one can at least ask permissions for as I read it on the Apple system are actually purposefully simply not available due to similar concerns.

Many of the leading Wayland developers believe in this. The Enlightenment lead developer for instance does not believe a programmatic way to make screenshots or listen to keypresses should ever exist. I had some debates with him about this and he believes the risks are too high as well as revealing that he seemed to believe that streaming videogames did not work by way of a third party tool that captures the screen contents, but that each video game had this functionality built in, which is certainly not the case and that he believes this might explain his reluctance for such an a.p.i. to facilitate this.

> But at any rate, Wayland is completely optional. You can keep running X and nobody will stop you. People will keep running X without issue for a very long time. This is very different from what the Apple world is like.

Opinions are divided on that matter. The reality is that many of the developers of Xorg have abandoned in in lieu of Wayland and many Wayland developers, many former Xorg developers are clear in their opinion that they see it as a replacement, not an alternative and eventually expect everyone to switch.

Whether that will happen is anyone's guess. They are often met with counter arguments that Xorg and the X11 protocol itself simply has features that many businesses and private individuals need for their lifelihood so there is going to be commercial incentive to pick up maintainership should they abandon it. They have also conceded heavily already on many of the features they initially said where either unneeded or a security risk when they realized the reality that many people outside of their bubble did use them. Libinput originally did not have any mouse acceleration settings on the argument that no one would want to turn it off or fine tune it to begin with, but now has it when they realized that unlike what they thought, demand for the ability to fine tune or turn off mouse acceleration is higher than they anticipated.

Rasterman is entitled to his opinion, but every production-ready Wayland server ("compositor") implements an extension to do screenshots:

  * Weston: https://wayland.app/protocols/weston-screenshooter
  * Sway and friends: https://wayland.app/protocols/wlr-screencopy-unstable-v1
  * KDE: https://wayland.app/protocols/kde-zkde-screencast-unstable-v1

> Opinions are divided on that matter.

I feel like those holding the opposite opinion are pretty clearly wrong and it seems to be some kind of hubris. Fortunately their opinion is not binding.

> The reality is that many of the developers of Xorg have abandoned in in lieu of Wayland and many Wayland developers,

Not an issue. It doesn't need a lot of maintenance. It's "done". Source is available too. Just needs minimal effort to keep the lights on. As long as someone is interested in running it, as many will be, it will happen.

It's very much chasing a moving target of new graphics technology and many of the innovations made by Wayland have been ported to Xorg. The interesting thing is that screen tearing used to be a problem on Xorg but never was on Wayland but much of the technology responsible for that has now found it's way into Xorg to make it a thing of the past there too. Of course integration with new hardware drivers is also required.

It's entirely possible it will continue to be maintained that way, or that the Wayland philosophy will finally be broken and these things will be added once they realize there is a great enough demand, but these are all possibilities, not certainties.