[racket-dev] OS X 10.8 includes new restrictions on running apps

From: Norman Gray (norman at astro.gla.ac.uk)
Date: Wed Feb 22 16:05:15 EST 2012


On 2012 Feb 22, at 20:03, Jens Axel Søgaard wrote:

> The tech press reports that the default is to "medium" i.e. applications
> downloaded from the mac app store and from identified developers (that is
> signed applications) are allowed to run.

For those who haven't chased this up already (I haven't gone into much detail), there are some interesting links at Daring Fireball[1], including a piece which highlights some of the likely problems[2].

The short version appears to be that, as Jens says, Gatekeeper will by default run in a mode which enforces MAC on applications, and the principal problem -- voiced at length and at high volume -- is that the currently available set of 'entitlements' (where the application declares what set of resources it wishes to have access to) is too small for a significant minority of applications.

For what it's worth, it seems to me that MAC is a Good Thing for me as a user -- there are some applications that really have no business wandering all over my system, poking around (no, you may _not_ have access to my address book!) -- but I can see this potentially being a right pain in the tender bits for me as a developer, and a user of scripting environments such as Racket.  It all depends on the details of the entitlements DSL, and who gets to declare what, when.

All the best,

(currently with no plans to move from 10.6)

[1] http://daringfireball.net/linked/2012/02/21/sandboxing
[2] http://www.red-sweater.com/blog/2324/fix-the-sandbox

Norman Gray  :  http://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK

Posted on the dev mailing list.