What with Gatekeeper* and Developer ID, who didn't see this coming? How else do you protect the walled garden from vile betrayers that come in via Developer ID?
Criminal Hacker gets Dev ID, makes malicious app, distributes said app, runs for months, then one day whamo! it does Nasty Shit. Apple blacklists the app and the Dev ID certs. Easier worm and virus control. At least until one of these rogue devs finds a privilege escalation bug that gets it out of the sandbox and also into more privileged execution.
It's not a magic bullet, but it'll be a good thing unless they abuse it. An example of Apple's track record in this regard would be GPL apps on the App Store - they'll pull the app from the store but I have yet to hear Apple 'remote wiping' someone's previously downloaded apps.
Tangentially, I'm a little miffed at spending $100 to get certificates to do Developer ID, but in the Grand Scheme of Business, it's just not that much money.
I bet $50 the old iCal, Address Book and Front Row are not compatible with new security restrictions introduced in ML, so again you should be happy Apple has blacklisted them.
That doesn't mean that I like the current state of these apps any more than you.
> Tangentially, I'm a little miffed at spending $100 to get certificates to do Developer ID, but in the Grand Scheme of Business, it's just not that much money.
My understanding is that Gatekeeper signing is free.
Depends on how you define "free." Apple says "no additional charge over your Mac Dev membership. It's included with the Mac Developer Program." I spent two entire days watching WWDC videos and digging around on developer.apple.com trying to find out how to get certificates without paying Apple the $99 for Mac Dev.
The Apple employees that I am connected to were also surprised to find out that it wasn't free outside the Mac Dev program. A former Appler helping me dig around also noted that Apple never said it'd be "free."
If you can find somewhere Apple said it would be free, I'd love to dig deeper.
I don't know about you, but I tend to multitask with things like research. Did I spend two solid, uninterrupted days without touching any other projects or not performing any other work-related activities? Of course not. This kind of thing is right up there with "Why is the sky blue?" and researching until you're satisfied with the answer. I spent the money, I'll see a return on the 'investment' before the week's out. But I'd still like to know more about what Apple said, when they said it, and how they've changed it since then.
Also note this in my comment above: "...in the Grand Scheme of Business, it's just not that much money."
Why not? They can get them for $99 and the rewards will likely net them thousands of dollars before Apple catches on and revokes their certificates. If you want cost to be an obstacle to malware authors, it needs to be more than a measly $99.
This is simply a mechanism for Apple to stay ahead of any worm-like activity and they decided to attach a barrier to entry ($99) and recoup a pittance while they're at it.
It also gets Apple more information on the developer, should the company ever want to track them down. A payment history leaves a wider and longer paper trail.
I'd also assume that Apple blacklists any certificate if the developer used some sort of fraudulent payment. I'd hope so, in fact.
>It's not a magic bullet, but it'll be a good thing unless they abuse it. An example of Apple's track record in this regard would be GPL apps on the App Store - they'll pull the app from the store but I have yet to hear Apple 'remote wiping' someone's previously downloaded apps.
Actually they won't "pull the app" by themselves.
At least in the one example I'm aware of, a minor contributor to a project (VLC) specifically _asked_ Apple to remove the app from the iOS app store, pissing on both the users wanting it AND the developers doing the porting for free and making the source code available for everyone, because it being on the app store didn't satisfy some GPL technicality.
Yes, but other people working on the GPL project, including more major contributors didn't have a problem with the porting and availability on iOS.
I guess all it takes is a misguided picking of licence in the beginning and a zealot that contributed somewhat (even marginally) to ruin it for all the other contributors who could care less about 100% enforcement. Maybe that explains why BSD and MIT style licences rule the roost when it comes to new projects on GitHub...
*I have flashbacks to 'The Net' - I shudder
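The revocation model the first comment sketches (criminal gets a Developer ID cert, signs an app, Apple later blacklists the cert) as an added worked example; this is not code from the thread, from Apple, or from any project mentioned, and it does not model the real Gatekeeper or Developer ID infrastructure. It is a toy CA built with Go's standard crypto/x509: the CA name, the subject strings, the "Mallory Software" developer and the IssueDevID/Revoke/Assess functions are all assumptions for illustration. It shows the three outcomes the discussion turns on: a properly signed app passes; once the CA publishes a CRL naming the cert's serial, everything that cert ever signed fails, not just the build that misbehaved; and a freshly issued cert for the same person (another $99, as the later replies point out) passes again.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // nil parent means self-signed root
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed CA standing in for Apple's Developer ID CA (hypothetical name).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Developer ID CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueDevID is the "$99" step: any applicant gets a fresh code-signing cert with a new serial.
func IssueDevID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, developer string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Developer ID Application: " + developer},
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, caKey)
}

func SignApp(devKey *ecdsa.PrivateKey, app []byte) ([]byte, error) {
	h := sha256.Sum256(app) // sign the digest of the app bytes with the developer key
	return ecdsa.SignASN1(rand.Reader, devKey, h[:])
}

// Revoke is the "Apple blacklists the Dev ID cert" step: a CA-signed CRL naming the serial.
func Revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Assess is the Gatekeeper-like decision: trusted chain, not on the CA-signed CRL, signature matches the bytes.
func Assess(root *x509.Certificate, crl *x509.RevocationList, signer *x509.Certificate, app, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	if crl != nil { // Go's Verify never consults CRLs; revocation is checked here explicitly
		if err := crl.CheckSignatureFrom(root); err != nil {
			return fmt.Errorf("CRL not signed by trusted CA: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
				return fmt.Errorf("signer %q is revoked", signer.Subject.CommonName)
			}
		}
	}
	h := sha256.Sum256(app)
	if pub, ok := signer.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match app contents")
	}
	return nil
}

func main() {
	ca, caKey, _ := NewCA()
	dev, devKey, _ := IssueDevID(ca, caKey, "Mallory Software", 1001)
	app := []byte("constructed stand-in for an app bundle") // constructed sample input
	sig, _ := SignApp(devKey, app)
	crl, _ := Revoke(ca, caKey, 1001) // Apple pulls the cert once the app misbehaves
	dev2, dev2Key, _ := IssueDevID(ca, caKey, "Mallory Software", 1002) // same person, another $99
	sig2, _ := SignApp(dev2Key, app)
	fmt.Println("before:", Assess(ca, nil, dev, app, sig), "| revoked:", Assess(ca, crl, dev, app, sig), "| fresh cert:", Assess(ca, crl, dev2, app, sig2))
}
```

Run it with `go run`. Two design points worth noticing: Go's chain verifier does not look at CRLs at all, so the revocation check is the explicit loop in Assess, and the CRL's own signature is checked against the trusted root before it is consulted, otherwise a blacklisted developer could ship a CRL of their own that simply omits their serial. The last print also makes the thread's cost argument concrete: revocation is keyed on the serial, so a second $99 cert is a clean slate until it, too, is revoked.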