top | item 46755267

(no title)

I think the idea is wonderful, but a not-audited application that uses things like the camera is a “no go” for me.

Get it notorized and ask for some money! I will gladly pay it (and I hope others will do it as well).

Awesome concept: ergonomics and/or posture monitoring is a market opportunity for heavy users.

discuss

alin23|1 month ago

Notarization is mostly a glorified malware scan. There's no Apple engineer auditing what's being sent for notarization. Even clever malware can evade notarization scans and be distributed as a notarized binary, it has happened in the past [0]

There's no better way for auditing such an app than having the code easily available and looking through it, and compiling it yourself. Which is already the case here.

[0] https://thehackernews.com/2025/12/new-macsync-macos-stealer-...

burnerthrow008|1 month ago

Your link says that Apple revoked the certificate used to sign the malware by the time the story was published.

xpasky|1 month ago

It's literally a single .swift file. Ask your LLM to audit it.

micromacrofoot|1 month ago

then I need to get someone to audit the LLM, which is considerably more difficult

wizzwizz4|1 month ago

While I disagree with you, thank you for sharing your decision-making process: you're probably not the only one who thinks this way.

In general, would you pay for a notorised build of free software, if you had use for that software, even if an un-notorised build or the source code were available?

xfactorial|1 month ago

It depends: having it notarized is a way to show someone with a certain reputation of "Hey! This is my code, this is me, if something happens, you can kill the switch".

If notarisation requires you some kind of payment, I would be okay with you charging me some money, if I obviously find your code has a good value for me.

I read comments around here about "Well: you can compile it yourself" or "it's open source! You can check the code by yourself".

And, while all of those arguments are accurate and valid, the point is "I do not feel like it" or, a little reminder, "The Great Suspender" was an example of a beautiful open source little app to suspend tabs on Google Chrome that, one glorious day, switched hands and, suddenly, after some time, someone noticed the repository and the code from the add-in were different, and those changes were made with nefarious intent.

Luckily, somehow found out, but some people do not have the time or the will to be playing that game.

A piece of code that requires access to my camera, regardless of size (<1000 lines of code) or build, it's something I just don't put on my computer without thinking it twice.

Thank you for the tone: I hope I responded to your question :)

IshKebab|1 month ago

I seriously doubt that he actually would. And in that unlikely event he'd be in a miniscule minority. Not a good open source monetisation strategy.

tjohnell|1 month ago

Posturr is now notarized!

tananaev|1 month ago

Are you serious? It's open source. And there's less than 1000 lines total. Get Codex or Claude to review it if you're paranoid.

encom|1 month ago

Go easy on the guy. Mac users are so used to overpaying for trivial functionality.

Alejandro9R|1 month ago

The thing is that how do you know at the end of the day that the compiled binary hasn't been tampered with "extra code" besides what's in the repo?

I don't even think notarization gets rid of this problem neither, so the best you can do for this is compile it yourself. Maybe I'm wrong!