[R-SIG-Mac] R 3.5.3 macOS binary not signed?

Luis Puerto |u|@@@puerto @end|ng |rom gm@||@com
Thu Mar 14 17:14:41 CET 2019


I agree more or less with both of you in this take! 

I really appreciate Apple's effort to keep users safe, and this is one of the reasons I'm choosing Apple.

However, one cannot always install signed software, and that doesn't mean you are directly at risk. You just have to know what you are doing.

Luckily, even if you disable Gatekeeper <https://en.wikipedia.org/wiki/Gatekeeper_(macOS)>, you still get a warning every time you install something from outside the App Store or some place that isn't in the safe list.

Warnings are great, but prohibitions can go south quickly. I think we can all remember the problems some Windows systems got in the past by warning and asking for the password too much. Users finally logged in as root to avoid the nuisance, thus making the system insecure.


> On 14 Mar 2019, at 16:45, Simon Urbanek <simon.urbanek using R-project.org> wrote:
> 
> My point of objection was the disabling of all checks in a blanket manner. Since this forum is read by many people, not everyone may realize the very harmful implications of that single command.
> If you know what you're doing, that's fine, but then you also know that you can simply use Open and acknowledge that you want to install anyway, which is a much safer way than disabling all checks systemwide.
> 
> Same goes with SIP - for 99.99% of users it protects them and for a very good reason. If you need to modify system files, you better know what you're doing and take all the responsibility. There is also a very good reason why you need to go to Recovery to do that - it wouldn't make any sense otherwise ;).
> 
> Cheers,
> Simon
> 
> 
>> On Mar 14, 2019, at 10:19 AM, Dr Eberhard W Lisse <el using lisse.NA> wrote:
>> 
>> 
>> Not Really.
>> 
>> I have been loading R binaries for almost 10 years from CRAN, if not
>> longer.  If the SHA is ok, I don't care about Apple's Nanny mechanism.
>> 
>> And, it still warns on the first run, whether you really want to run a
>> program downloaded from the Internet.
>> 
>> The correct statement would have been, something like: "Be careful when
>> you do that and only load binaries from reputable sources such as CRAN"
>> 
>> I really, really, really do not understand, after almost 40 years of
>> doing this (sendmail anyone?), why Apple wants to make an automated
>> start of Postfix requiring the SIP to be disabled off of the Recovery
>> Boot for a simple change of the launch control files.
>> 
>> el
>> 
>> On 2019-03-14 22:37 , Simon Urbanek wrote:
>>> Very, very, very bad idea - never ever do that unless you're really
>>> happy to infest your machine with nice viruses and ransomware.
>>> 
>>> Cheers,
>>> Simon
>>> 
>>> 
>>>> On Mar 14, 2019, at 8:43 AM, Dr Eberhard W Lisse <el using lisse.NA> wrote:
>>>> 
>>>> Try from the commandline
>>>> 
>>>> sudo spctl --master-disable
>>>> 
>>>> and then install the package
>>>> 
>>>> el
>> 
>> _______________________________________________
>> R-SIG-Mac mailing list
>> R-SIG-Mac using r-project.org
>> https://stat.ethz.ch/mailman/listinfo/r-sig-mac

