Comment by latexr

Comment by latexr 2 days ago

8 replies

View on Hacker News

> There is no contradiction.

Neither have I claimed there is one. I understood the point perfectly, I simply found it humorous. Things can be funny without being contradictions, my point was about the tradeoffs inherent to different types of OS lockdown.

> You can indeed delete System Preferences and nothing will break, ditto for utilities, it just makes life difficult if you do.

And—surprise!—most people don’t want to make their own lives difficult.

> Also reversing the problem isn't hard, you can just copy in the apps from elsewhere.

It is hard for most people. Most of us don’t just have something else at hand to copy from at all times, including the younger OP.

https://news.ycombinator.com/item?id=44973333

> For a locked down system for say a child though it might make sense.

I’m not saying that’s what you’re doing, but most of the time I see a variation on that comment it is attached to a fair bit of condescension. Like with calling something a “toy OS” when it’s used by millions of adults worldwide for productive work. Locked down systems don’t just make sense for children. On the contrary, children might benefit the most from operating systems which are not locked down, because they have the free time and willingness to experiment and won’t yet have a lot of important data. Or maybe you have kids who don’t really enjoy computers and just want to play an occasional game or need to write a school report. That’s OK too.

Both can also be true of your elderly relative, or your partner, or your cousin, or your friend who doesn’t want to fiddle with the damn machine, they just want to get their shit done without having to worry about screwing up anything. Your other friend will want the freedom to do everything and ask you for help.

There is no right approach for everyone, and there is no age at which one approach is definitely superior to another.

Wowfunhappy 2 days ago

(I know I already replied in a different comment, but just thinking about this more.)

> Both can also be true of your elderly relative, or your partner, or your cousin, or your friend who doesn’t want to fiddle with the damn machine, they just want to get their shit done without having to worry about screwing up anything. Your other friend will want the freedom to do everything and ask you for help.

...you know, this is also why, as much as I love the hackability of Mavericks, I also kind of liked the way Apple initially implemented System Integrity Protection in El Capitan.

It was easy to turn off! Just boot into recovery mode, open the Terminal, type in a short command, and boom, SIP will never bother you again for the entire life of that computer! The process wasn't onerous, or even difficult as long as you knew how to open a Terminal in recovery mode, or were willing to learn. And if you couldn't do those things, well, you probably shouldn't turn off SIP!

Where I get annoyed is with the signed system volume stuff, because that consistently gets in your way! It is impossible for any type of user to "unlock" modern macOS.

Although then again, even going back to the original SIP without SSV... well, we did already have a system for this before SIP, didn't we? It was called UNIX permissions! If you didn't know what you're doing, or didn't want to learn, why were you using an administrator account? Why did your elderly relative ever have superuser privileges in the first place?

...the answer is kind of obvious, actually. Administrator accounts are the default, and even if you went out of your way to avoid one, you'd be unable to, for example, install Photoshop.

I wish that is the problem Apple had solved! Instead of introducing an entirely new layer on top of the UNIX security model, make non-admin accounts the default setting for new users, and then make those accounts a tad more capable (and lean on Adobe to stop being awful).

Reply View 7 replies
  • latexr 2 days ago

    There is also another layer: when SIPS was introduced, there were tons of articles and videos teaching people to turn it off when they shouldn’t. This ranged from uninformed social media “developers” who confidently spewed dangerous bad advice, to outright bad actors trying to compromise your machine. Non-savvy users could still break their own systems by disabling these features easily.

    But largely I agree with you. I wish Apple had taken longer to fully develop a robust solution from the ground up instead of the status quo of piling on year after year to a semi-broken system.

    Reply View 6 replies
    • Wowfunhappy 2 days ago

      > There is also another layer: when SIPS was introduced, there were tons of articles and videos teaching people to turn it off when they shouldn’t.

      ...see, I actually had the opposite frustration with SIP. So many people were so hesitant to turn it off, even when they had a clear use case.

      This is where the argument looses me. I agree that it's good to protect people from screwing up by accident. But if someone has taken the time to reboot their computer into recovery mode, find the Terminal app, and run a very specific command, that is not an accident! That is a user clearly requesting that the training wheels be removed. And sure, maybe the user was following bad advice, but it wasn't an accident!

      People are allowed to do stupid things, that's how we learn. Again, it's great to have guardrails for people who want them, and it's great to have those guardrails on by default for people who don't want to think about them or even know they exist. But deciding which users are savvy enough to be worthy of disabling SIP feels Gatekeepy to me.

      Reply View 4 replies
    • andyzweb 2 days ago

      Correction: SIPS is the scriptable image processing system, SIP is system integrity protection.

      Reply View 0 replies