Developers unsurprised, but cautious about Gatekeeper
Posted 16 February 2012 - 02:22 PM
I'd welcome it if Apple had a popup or information panel attached to any signed application, saying something like "This application has a valid signature by certified developer <developer name> <URL to site>. This does not constitute an endorsement of the application's features or functionality." where the URL goes to the developer's site.
Posted 16 February 2012 - 02:32 PM
That's not true. Certificates do expire but that does not affect anything properly signed in the past, at a time when the certificate was still valid. The signature includes a verified timestamp of when it was signed for this reason.
Only by Apple specifically blacklisting a certificate can a formerly valid signature turn invalid in the future.
This post has been edited by fds: 16 February 2012 - 02:33 PM
Posted 16 February 2012 - 03:18 PM
Two issues come to mind:
1. How would this affect the downloading of so-called web based apps, i.e., those few apps that have chosen this method to avoid Apple's 30% commission?
2. Does or does not this approach still place the majority of responsibility on the end-user where I think this still belongs? I stopped looking for free stuff (that had not been well-vetted in some way) long ago when it turned out I couldn't actually afford what I was to get "free"...
Posted 16 February 2012 - 04:49 PM
Probably GPL2, probably not GPL3. But the Free Software Foundation (FSF) thinks that even GPL2 is not allowed on the iOS App Store, so I suspect that you won't find much GPL software on the Mac App Store.
I think the issue is that as a developer you have to keep your signing key secret via your agreement with Apple, and with the GPL, the FSF thinks you have to have the key open to anyone who wants to change the software. For GPL2 this is ambiguous in the license, but for GPL3 it is explicitly called out.
I'm not a lawyer. This is my layman's understanding of the issues.
Posted 16 February 2012 - 06:27 PM
I don't necessarily agree with this. While not the same as revoking certificates, Apple has, in fact, demonstrated its willingness to capriciously change the terms of the iOS developer agreement, forbidding things which were allowed in the past and removing apps from the App Store even after they've been approved and were later found to do something Apple doesn't like.
What if an application uses a non-public API and Apple decides they don't want to allow developers to do that anymore? They could simply say the application is misbehaving (by their definition) and then disable it. Or a developer could invest huge amounts of time and money into developing an application only to have Apple pull the rug out from under them just prior to release by changing the rules for using the certificate (a similar thing has happened to iOS developers, having their apps rejected from the App Store because Apple decided it violated some vague clause in the developer's agreement).
While I think the idea is a good one, having Apple hold the keys makes me wary. As much as I've loved and trusted Apple products and Apple's intentions for the past 20+ years, I simply no longer trust them as much as I used to. Having a 3rd party certificate issuing authority could achieve the same level of accountability without the concerns of Apple trying to leverage Gatekeeper as a way to drive all developers to use the Mac App Store so they can get a 30% cut of the sales.
Posted 16 February 2012 - 07:22 PM
(Again, I understand that Gatekeeper will prevent FUTURE installs of newly downloaded apps from that developer).
Posted 16 March 2012 - 05:40 AM
Now get Amazon to provide content in a format for iTunes and I'll be all set.