richmond62 wrote: ↑Mon Aug 28, 2023 9:47 pm
Maybe I'm a silly person, but if I OWN a computer no-one should tell me what to do with it and how to do it.
<snip>
...in your own house you should be the one who makes the rules.
It's not your house though is it? The apps run in an OS, not just on their own in the box you purchased.
You do not own operating systems, you licence them. You are bound to their terms and no ownership is conferred. The fact that you own the hardware means little. Contrary to your beliefs, the actual owners of the OS are the actual lawmakers for that OS.
Just like you can't just flaunt the terms of LiveCode's EULA because it's your hardware and code.
richmond62 wrote: ↑Mon Aug 28, 2023 9:47 pm
I don't somehow feel that not notarising, stapling, nailing, screwing to the sticking point, or whatever is breaking any law.
You're not breaking a law, as you well know. But you're cutting corners designed to promote security. You don't care about it and neither do your users? Fine. But this does not apply to most developers who want to publish software to a wider audience.
It's not rocket science: The major OS vendors are blamed for allowing malicious software to circulate without checks.
Their corporate responsibility is to put in place mechanisms for preventing malicious software, which is mainly to ensure a software author is clearly identifiable (code signing) and that the file you're downloading isn't tampered with somewhere en route (notarising & stapling).
For this to actually work, software developers have to play ball as well.
If you don't want to, you don't have to - but the OS will alert users that there is a potentially serious security issue.
Nothing scary will happen. Unless, for example, someone maliciously intercepts your software, bundles it with malware and distributes it pretending it's your original software (which I suspect you wouldn't enjoy if it happened to you).
For commercial software it's a showstopper. If you put an app in the wild, especially a paid app, the expectation from users is that the OS won't flag up security warnings. Which exist for good reason.
While you don't have to do this on Linux, I see lots of checksums for each download provided to guarantee their authenticity - but who here really checks the checksums of all the apps they download? (maybe it's just me doesn't bother, I don't know...). It's just shifting this responsibility to the user rather than the OS and we all know how reliable users are...
At present you can get away with not codesigning/notarising, but there are only 2 real arguments for flaunting 'the rules':
1. It's a bit more work. Not much more, but it is an extra chore. If that's the issue then time to break out those big-boy pants.
2. There is a cost - relatively low on Apple systems (£79/year but this gives you access to much more), but now much more expensive on Windows (cheapest I found was £179/year if you pay 3 years in advance, otherwise £248/year - and has no added value).
You, as the developer, have to decide what is best for your product. In my mind the only reason you might not want to do this is the cost - which understandably is an expense you won't recoup from freeware.
But nothing about this is about 'doing it by the book' or being sententious (rude much?)
Presenting this discussion in those terms promotes ignorance and irresponsibility.