This article’s framing and title are odd. The author, in fact, found no bugs or errors in the proven code. She says so at the end of the article:
> The two bugs that were found both sat outside the boundary of what the proofs cover. The denial-of-service was a missing specification. The heap overflow was a deeper issue in the trusted computing base, the C++ runtime that the entire proof edifice assumes is correct.
Still an interesting and useful result to find a bug in the Lean runtime, but I’d argue that doesn’t justify the title. Or the claim that “the entire proof edifice” is somehow shaky.
It’s important to note that this is the Lean runtime that has a bug, not the Lean kernel, which is the part that actually does the verification (aka proving). [1] So it’s not even immediately clear what this bug would really apply to, since obviously no one’s running any compiled Lean code in any kind of production hot path.
Repeating myself, when we speak of bugs in a verified software system, I think it's fair to consider the entire binary a fair target.
If a buffer overflow causes the system to be exploited and all your bitcoins to be stolen, I don't think the fact that the bug being in the language runtime is going to be much consolation. Especially if the software you were running was advertised as formally verified as free of bugs.
Second, there was a bug in the code. Maybe not a functional correctness bug, but I, along with many and most end users, would consider a crashing program buggy. Maybe we just have different tastes or different standards on what we consider an acceptable level of software quality.
W.r.t people running Lean in production, you'd be surprised...
We're not speaking about bugs in a verified system so much as writing articles making specific claims about that. Surely if we're at the level of precision of formal verification, it's incumbent upon us to be precise about the nature of a problem with it, no? "Lean proved this program correct and then I found a bug" heavily implies a flaw in the proof, not a flaw in the runtime (which to my mind would also be a compelling statement, for the reasons you describe).
Or it implies a bug in the specification. The spec differing from the intent is a frequent source of bugs, it doesn't matter what language the spec is written in. Most people have experience with (or have seen news stories about) specification bugs in natural-language specifications: legal loopholes!
This is the biggest risk with the rejuvenated interest in formal proof. That LLMs can generate proofs is useful. Proof assistants that can check them (Lean/FStar/Isabelle/...) similarly so.
But it just moves the question to whether the theorems covered in the proof are sufficient. Underlying it all is a simple question:
Does the system meet its intended purpose?
To which the next question is:
What is the intended purpose?
Describing that is the holy grail of requirements specification. Natural language, behaviour-driven development, test-driven development and a host of other approaches attempt to bridge the gap between implicit purpose and explicit specification. Proof assistants are another tool in that box.
It's also one of the key motivators for iterative development: putting software in front of users (or their proxies) is still the primary means of validation for a large class of systems.
None of which is implied criticism of any of those approaches. Equally, none completely solves the problem. There is a risk that formal proofs, combined with proof assistants, are trumpeted as "the way" to mitigate the risk that LLM-developed apps don't perform as intended.
They might help. They can show that code is correct with respect to some specification, and that the specification is self-consistent. They cannot prove that the specification is complete with regards its intended purpose.
Sorry, I'm not sure I follow. We are talking about bugs in a verified system, that is, in this case, a verified implementation of a zlib-based compression tool. Did it have bugs? yes. Several in fact. I'd recommend reading the article for a detailed listing of the bugs in the tool.
> The most substantial finding was a heap buffer overflow! but, not in lean-zip's code, but in the Lean runtime itself. (emphasis mine)
> The OOM denial-of-service is straightforward: the archive parser was never verified. (me again)
"Lean proved this program correct" vs "I found bugs in the parts that Lean didn't prove was correct". The failure was not in Lean's proof (which as I said is heavily implied by the title), but in ancillary or unverified code.
Do I misunderstand how Lean works? I am by no means an expert (or even an amateur) on Lean or formal systems in general. Surely the first class of bug could be found in any code that uses the framework, and the second class of bug could happen to any system that isn't proven? Does that make sense? Otherwise where's the boundary? If you find a bug in the OS, does that mean Lean failed somehow? How about the hardware? If your definition of a 'formally verified system' goes beyond the code being verified and the most important thing is whether or not you can make it crash, then the OS and the hardware are also part of the system.
Of course bugs are important to users regardless of the cause, but the audience for your article seems to be software engineers and as a software engineer, your article was interesting and you found something useful, but the title was misleading; that's all I'm saying.
Further to my earlier reply - a more succinct way to look at it might be:
- When they fix the run time, bug A goes away. So the proof still holds and the zlib code is still correct.
- When they add a system of proofs for the parser and modify that, then bug B goes away. So the proof still holds and the zlib code is still correct; and now more of the library is proven correct.
The formulation of the title is "I was told X but that's not true"... but that's not true. You were told X, and X is true, but you found Y and Z which are also important.
There are two different answers to this question, and which one is "correct" depends entirely on the context of who is asking it.
1. It's the code that is specific to this program that sits above the run-time layer (internal view, that most programmers would take).
2. It's the code in the binary that is executed (external view, that most users would take).
The key question does not seem to be "was the proof correct", rather "did the proof cover everything in the program". The answer depends on whether you are looking at it from the perspective of a programmer, or a user. Given the overly strong framing that the article is responding to - highlighting the difference in this way does seem to be useful. The title is correct from the perspective that most users would take.
Yes but, without wishing to be snarky, did you read the article? There is no program as such, in either sense - the announcement from Lean only mentions "a C compression library" (zlib). Not only that, but since we're talking about formal verification, a programmer would likely understand that that is about proving a bounded, specific codebase at source code level, and not operating on a binary along with its associated dependencies (again caveat my limited understanding of these things).
My feeling is that if you told the average non-technical user that some person/organisation had produced a formally verified version of a C compression library, you would likely get a blank look, so I think it's reasonable to assume that both Lean's intended audience, and the audience of the blog post linked here, correspond with number 1. in your list.
I am pretty sure you could tell a teenager "there's a ZIP compression program that's scientifically proven to have no bugs" and they'd understand you. People don't have to be CS experts to understand that. (Technically it's Gzip but that's mostly irrelevant to understanding the claim here)
The article describes fuzzing the library, this execution requires a program to be compiled. Typically fuzzing involves a minimal harness around the payload (a single call into the library in this case). There is clearly a bug in this program, and it does not exist in the minimal harness. It must be in the library code, which was covered by the proof.
The bounded, specific codebase that you refer to is typically the library *and all of its dependencies*, which in this case includes the Lean runtime. This is why formal verification is difficult: the proof chain needs to extend all the way down to the foundations. In this case the original gushing claim that everything was verified is incorrect and premature. The article seems like a good exposition of why.
Thank you, I understand what fuzzing is; that test harness was presumably provided either by the blog post author or generated by Claude somehow, and therefore would not have been part of the proven code, nor part of the original claim by the Lean devs. That's what I meant by saying there is no program as such.
> The bounded, specific codebase that you refer to is typically the library and all of its dependencies, which in this case includes the Lean runtime.
How does that work? I thought the main idea is to write code in the Lean language which has some specific shape conducive to mathematical analysis, along with mathematical proofs that operate on that code. How then does a system like this handle a third party dependency? I've searched around and I can't find any information about how it works. I assumed that the boundary of the proof was the source code - surely they can't also be proving things like, say, DirectX?
> This is why formal verification is difficult: the proof chain needs to extend all the way down to the foundations.
The difficulty is not in explosions of computational complexity due to problems of incompleteness, decidability, the halting problem, those kinds of things? As I said this is not something I know much about but it's surprising to me if 'analysing all the code' is really the difficult bit.
There are standard convex assumptions to handle incompleteness, decidability etc, i.e. the results are an over-approximation that terminates. Picking a approximation that is precise enough in the properties that you care about is part of the challenge, but it is an in-band problem. There are no hard edges between the theory and reality.
As with most engineering problems the out-of-band issues tend to be the hardest to solve. Models of the part underneath the interesting part need to be complete/accurate enough to make the results useful. Compare it to crypto where people do not usually try to break the scheme - they try to break the specific implementation of the scheme because the weakest points will be at the interface between the theoretical construction and the actual concrete instantiation of the device that it will run on.
Gentle reminder about this excerpt from HN Guidelines:
> Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that".
Say you study some piece of software. And it happens that it has an automated suite of tests. And it happens that some files aren't covered by the test suite. And you happen to find a bug in one of those files that were not covered.
Would you publish a blog post titled "the XXX test suite proved there was no bug. And then I found one"?
These were my thoughts as well and it's nothing new, I think, regarding testing altogether:
- testing libraries (and in this case - language itself) can have bugs
- what is not covered by tests can have bugs
Additionally would add that tests verify the assumptions of coder, not expectations of the business.
To give benefit to the author - I'd read the article as: having tests for given thing ensures that it does the thing that you built the tests for. This doesn't mean that your application is free of bugs (unless you have 100% coverage, can control entire state of the system, etc) nor that it does the right thing (or that it does the thing the right way)
I like to differentiate between coverage by lines and semantic coverage: sometimes you need to exercise a single line multiple times to get full semantic coverage, and better semantic coverage usually beats larger line coverage for detecting problems and preventing regressions.
Yes, mutation testing and similar techniques like fuzzing can help with it, but sometimes you want to be more deterministic: there are usually a lot of hidden side effects that are not obvious, and probably a source of majority of software bugs today.
Eg. something as simple as
function foo(url) {
data = fetch(url);
return data;
}
has a bunch of exceptions that can happen in fetch() not covered with your tests, yet you can get 100% line coverage with a single deterministic happy path test.
Basically, any non-functional side-effect behavior is a source of semantic "hiding" when measuring test coverage by lines being executed, and there is usually a lot of it (logging is another common source of side-effects not tested well). Some languages can handle this better with their typing approaches, but ultimately, there will be things that can behave differently depending on external circumstances (even bit flips, OOMs, full disk...) that were not planned for and do not flow from the code itself.
You're technically right, but what things are versus how they're promoted or understood by most people (rightfully or not) often diverges, and therefore such "grounding" articles are useful, even if the wording addresses the perceived rather than the factual reality.
By way of analogy, if there was an article saying "I bought a 1Tb drive and it only came with 0.91 terabits", I think if you started explaining that technically the problem is the confusion between SI vs binary units and the title should really be "I bought a 0.91 terabit drive and was disappointed it didn't have more capacity", technically you'd be right, but people would rightfully eyeroll at you.
To be clear, I think the article was fine and the author did some useful work (finding a bug in the runtime of a supposedly provably correct system is indeed a valuable contribution!). I don't agree that it's pedantic to explain why the title feels like a bait-and-switch (and thus does a disservice to the article itself). It's just a bit of feedback for future reference.
I take some comfort from being technically correct though; it's widely accepted by all of us pedants that that is the best kind of correct ;-)
> Repeating myself, when we speak of bugs in a verified software system, I think it's fair to consider the entire binary a fair target.
Yes, and that would be relevant if this was a verified software system. But it wasn't: the system consisted of a verified X and unverified Y, and there were issues in the unverified Y.
The article explicitly acknowledges this: "The two bugs that were found both sat outside the boundary of what the proofs cover."
1/ lean-zip is open source so it's much easier to have more Claude's eyes looking at it
2/ I don't think Claude could prove anything substantial about the zip algorithm. That's what lean is for. On the other side, lean could not prove much about what's around the zip algorithm but Claude can be useful there.
> I don't think the fact that the bug being in the language runtime is going to be much consolation. Especially if the software you were running was advertised as formally verified as free of bugs.
Reminds of what some people in the Rust community do: they fight how safe this is or not. I always challenge that the code is composed of layers, from which unsafe is going to be one. So yes, you are righ to say that. Unsafe means unsafe, safe means safe and we should respect the meaning of those words instead of twisting the meaning for marketing (though I must say I heard this from people in the community, not from the authors themselves, ever).
Totally agreed. For instance that's why sel4 just throws the whole binary at the proof engine. That takes any runtime (minimal in sel4's case) and compiler (not nearly as minimal) out of the TCB.
Hi Kiran, thanks for following up. FWIW, I enjoy your blog and your work. And I do think it was a valuable bug you found; also nice to see how quickly Henrik fixed it.
Say more about people running Lean in production. I haven’t run into any. I know of examples of people using Lean to help verify other code (Cedar and Aeneas being the most prominent examples), but not the actual runtime being employed.
I took a quick scan of lean-lang.org just now, and, other than the two examples I mentioned, didn’t see a single reference to anything other than proving math.
I’m sure you’re in the Lean Zulup, based on what you’ve been up to. Are you seeing people talk about anything other than math? I’m not, but maybe I’m missing it.
Yes, here's a concrete example: https://github.com/leanprover/SampCert This is an implementation of a verified sampler, in lean. Not an embedding in some other language. The implementation itself is in lean, and a python ffi is used to call into the verified implementation. I don't know if AWS is big enough for your standards, but here is at least one example. Besides that, I'm more reporting on the general vibe I have observed from numerous talks at AI4maths workshops at Neurips, at the DARPA AI4Math ExpMath kickoff, etc. People are considering Lean as a serious programming language. Maybe that's surprising to the mathematicians, but as a PL person, I find the language really nicely designed and I can understand why people want to write in it.
You’re right, I should have been more careful in my reference to AWS. No need to be snarky about it.
Let me rephrase: aside from that one example from a couple years ago, I haven’t seen any examples of production code written in Lean. I’d be very interested in being proven wrong, this isn’t something I desire, just what I’ve observed. Have you seen any others?
More generally, you implicitly make a good point: writing important libraries in Lean and calling in from another language is probably the most likely use case. So not programs / apps / binaries written in Lean, but small critical components.
> if the software you were running was advertised as formally verified as free of bugs.
Nobody should be advertising that. Even ignoring the possibility of bugs in the runtime, there could also be bugs in the verifier and bugs or omissions in the specification. Formally verified never means guaranteed to be free of bugs.
Yeah, the title made me think the author found a bug in the Lean kernel, thus making an invalid proof pass Lean's checks. The article instead uncovers bugs in the Lean runtime and lean-zip, but these bugs are less damning than e.g. the kernel, which must be trusted to be correct, or else you can't trust any proof in Lean.
When the Lean runtime has bugs, all Lean applications using the Lean runtime also have those bugs. I can’t understand people trying to make a distinction here. Is your intent to have a bug free application or to just show the Lean proof kernel is solid?? The latter is only useful to Lean developers, end users should only care about the former!
The intent is to have a proof of some proposition. The Lean runtime crashing doesn't stop the lean-zip developers from formally modelling zlib and proving certain correctness statements under this model. On the other hand, the Lean kernel having a bug would mean we may discover entire classes of proofs that were just wrong; if those statements were used as corollaries/lemmas/etc. for other proofs, then we'd be in a lot of trouble.
When I see a title transitioning from "Lean said this proof is okay" to "I found a bug in Lean", I'm intuitively going to think the author just found a soundness (or consistency) issue in Lean.
There are no Lean applications other than Lean. This is an important point most of the comments are missing. Lean is for proving math. Yes, you can use it for other things; but no, no one is.
Still good to have found, but drawing conclusions past “someone could cheat at proving the continuum hypothesis” isn’t really warranted.
A missing specification in the proof of lean-zip, a lean component, is a real problem to the philosophy and practice of software verification.
To illustrate, let's say you want to verify a "Hello world" program. You'd think a verification involves checking that it outputs "Hello, world!".
However, if a contractor or AI hands you a binary, what do you need to verify? You will need to verify that it does exactly print "Hello, world!", no more, no less. It should write to stdout not stderr. It shouldn't somehow hold a lock on a system resource that it can't clean up. It cannot secretly install a root-kit. It cannot try to read your credentials and send it somewhere. So you will need to specify the proof to a sufficient level of detail to capture those potential deviations.
Broadly, with both bugs, you need to ask a question: does this bug actually invalidate my belief that the program is "good"? And here you are pulling up a fact that the bug isn't found in the Lean kernel, which makes an assumption that there's no side-effect that bleeds over the abstraction boundary between the runtime and the kernel that affects the correctness of the proof; that safety guarantee is probably true 99.99% of the time - but if the bug causes a memory corruption, you'd be much less confident in that guarantee.
If you're really serious about verifying an unknown program, you will really think hard "what is missing from my spec"? And the answer will depend on things that are fuzzier than the Lean proof.
Now, pragmatically, there many ways a proof of correctness adds a lot of value. If you have the source code of a program, and you control the compiler, you can check the source code doesn't have weird imports ("why do I need kernel networking headers in this dumb calculator program?"), so the scope of the proof will be smaller, and you can write a small specification to prove it and the proof will be pretty convincing.
All in all, this is a toy problem that tells you : you can't verify what you don't know you should verify, and what you need to verify depends on the prior distribution of what the program is that you need to verify, so that conditional on the proof you have, the probability of correctness is sufficiently close to 1. There's a lesson to learn here, even if we deem Lean is still a good thing to use.
> A missing specification in the proof of lean-zip, a lean component, is a real problem to the philosophy and practice of software verification.
Every time someone makes this point, I feel obliged to point out that all alternatives to software verification have this exact same problem, AND many, many more.
To me, saying that there is a bug in the lean runtime means lean-zip has a bug is like saying a bug in JRE means a Java app that uses the runtime has a bug, even though the Java app code itself does have a bug. It seems like the author is being intentionally misleading about his findings.
No. It would be like finding a memory unsafe caused bug in a Java application that is due to a bug in the JRE. That would absolutely warrant a title like “I found memory unsafe bug in my Java code” when everyone expects Java code to be memory safe, which is analogous to the article in question.
I do not think you are completely grasping what you are talking about (what is a 'memory unsafe bug'?). Even in the example you give, that title would be literally wrong, as there will be no bug in your Java code; there would be a bug in the execution due to a deviation in the runtime executing your program.
>I think it's ambiguous and fair game for the idea of answering the question "if we write programs in this manner, will there be exploitable bugs?
You're strawmanning the original authors' argument. The creator of lean-zip said that they proved there are no implementation bugs in the lean-zip program. A bug in lean-runtime does not contradict this claim.
> obviously no one’s running any compiled Lean code in any kind of production hot path
Ignorant question: why not? Is there an unacceptable performance penalty? And what's the recommended way in that case to make use of proven Lean code in production that keeps the same guarantees?
You’re right, there is that one example. Feels like we’re in exception that proves the rule territory. But I’d be very interested in being proven wrong! This isn’t a desire of mine, just what I’ve seen. Do you have other examples?
Also, part of my confidence comes from both having been a professional programmer for decades, across many languages, and also having programmed in Lean. It’s a great language for math, perhaps the best choice right now. But as a general purpose language it’s incredibly quirky.
> It’s important to note that this is the Lean runtime that has a bug, not the Lean kernel, which is the part that actually does the verification (aka proving). [1] So it’s not even immediately clear what this bug would really apply to
Well, Lean is written in Lean, so I am pretty sure a runtime bug like this could be exploited to prove `False`. Yes, since the kernel is written in C++, technically it's not the part affected by this bug, but since you cannot use the Lean kernel without the Lean compiler, this difference does not matter.
Sure, but are you worried about someone cheating on their arXiv submission by exploiting a buffer overflow? It’s a real bug, it’s just not very important.
This looks cool enough, but it’s starting to drive me crazy how people are in such a rush to put out their macOS apps they can’t be bothered to get a developer account and run a one line command. It’s not hard.
I used to be sympathetic to complaints about not wanting to pay the developer account fee. But when you’re vibe coding, you’re probably paying a good chunk of change to your LLM supplier of choice every month, and the yearly developer account fee seems minor in comparison
Also, it’s just such a bad security precedent. This page describes the error you get as “the typical macOS Gatekeeper warning”, as though it were just another piece of corporate silliness, like clicking through a EULA.
If you don't want your name, address, phone number on public display you need to either set up a company or set up some forwarding. If you set up a company, you'll need to get a DUNS number. If you haven't done it before and don't know about the secret shortcut way to do that, it is very annoying to get one.
Anyway, I don't see a problem with getting it out the door. People can just choose not to install it if they don't like it. I mean that's the whole idea of being early anyway, isn't it? Don't like a crappy bodged together UI? Don't like a lack of support? Don't like an unsigned app? You can wait until it has those things according to your preferences. In the meantime, the creator gets real users and feedback ASAP.
Thank you for saying this! As stated on the website, this is a pre-release. Those who are not sure, absolutely do not have to install this and can wait for the official, notarized release. In the meantime, the app gets tested in the real world.
It's free so why not just publish it on github then so that people could read the code and compile it themselves.
Right now it's closed source binary with a big fat "DOWNLOAD FOR FREE" button and instructions casually telling you to disable the last barrier between your system and persistent malware. Nobody should recommend this to anybody
"don't know about the secret shortcut way to do that, it is very annoying to get one"
Is that a US thing? Because in the UK you just get one for free - Companies House sends the info over to them, and a couple of days later it is available to search
This article[0] provides some details. Basically if you go through the lookup process on Apple's website and you don't have an existing D-U-N-S number, you can request one from D&B for free via Apple.
I don't know how obvious it is these days, but the default path through D&B's website is the terrible one. They will try to extract money from you and harass you forever. You had to find Apple's own embedded form for it by using their search and going through some flow.
I’ve done it! I’ve gone through the D&B website years ago and i remember it sucking. Don’t know when I’ll need to do it again but this is good to know. Thank you!
I just recently did all of this but the experience was not as bad as you are describing here. I got my DUNS number in 10 minutes. The only challenging part was using a Google Voice number for the account because there was an issue with the way I had created the business Apple account.
The way I read that question was: where can other people see this information about me once I’ve published the app? i.e. say I just published an app, where would you navigate to find this info?
If you sign an app your legal name gets embedded into the .app bundle. You can use e.g. `codesign` in the terminal to read it back, or if you publish to the App Store it will be in the UI, along with the others.
I've seen individual developer's names in the App Store, but the parent comment is also claiming that Address and Phone number is published. I've done a bit of digging, and can't seem to confirm this.
I haven't done it in a while, so didn't want to give out possibly wrong directions, but:
> I don't know how obvious it is these days, but the default path through D&B's website is the terrible one. They will try to extract money from you and harass you forever. You had to find Apple's own embedded form for it by using their search and going through some flow.
I think your information is very much outdated. You apply for DUNS number with Apple. I didn't have to go to D&B's website nor I had to pay anything to anyone for it.
Gatekeeper and notarization are not silliness. They exist for a reason. I thought it would be a good idea to release the app during development when I am sure that it works correctly and then maybe get some feedback from early users.
I just downloaded your app and ran it through hopper. There is a LOT of embedded Apple Script. I would never run an app like this with SIP disabled or without an active network blocker.
Your app requires direct access to major OS components: code signing, even during alpha should be a requirement.
The truth is that Gatekeeper should go the way of the devil.
It is my machine and I paid for it, why does the OS care about what I do with it? The only thing this leads to is making sure your customers grow into good little lemmings.
You can do whatever you want if you are a power user, the tools are there to get around Gatekeeper.
For everyone else it's probably sane to have it, works as a decent filter so someone not tech-savvy don't get hurt by installing malware disguised as an app, one would just need to state incredible features that almost any normal user would like to have, and make them click to install. Gatekeeper diminishes that risk by a lot unless you learn how to bypass it, which requires you having decent skills and probably wouldn't fall for the bullshit that malware apps try to bait people with.
So that you don't accidentally run malware. MacOS is not iOS, you can run unsigned code if you really want to, but it will make you jump through a few hoops.
How is this better than trying to eliminate the problem between the keyboard and the computer? The user won't learn if the computer handholds them through everything.
Because the vast majority of users have no interest in learning how to safely vet apps and just want to easily use their computers and not worry about malware.
Full stop. I still talk to people every working day who don't realize that rebooting a computer is actually a real troubleshooting step. They seem to think it's bunk tech support mumbo jumbo rather than a genuinely useful step. It's 2026 and they're still surprised when that works.
> They seem to think it's bunk tech support mumbo jumbo
It indeed is. It's a way of coping with systems that are fundamentally illegible and unpredictable. If you have full rights over your machine and you're not running extremely shoddy software, you should never have to reboot your computer to make an issue go away. And rebooting your computer often guarantees that you'll never actually understand whatever issue is plaguing you.
Encouraging people to reboot their computers is promoting a fundamentally superstitious mode of engagement with machines that are generally reliable and predictable, instead of approaching them in terms of cause and effect. At best, it's the tired point-and-click sysadmin's workaround for not knowing what their system is doing.
Maybe for overwhelmed IT departments running half-baked operating systems loaded to the gills with invasive and meddlesome corporate spyware suites so inherently complex and complicated in their interactions with each other that the system itself is rendered more or less incomprehensible (even to the people administering it), just asking users to reboot is the right play to write in the tech support playbook. Maybe it's got the right ROI for a geek reluctantly roped into giving free tech support for a relative. But it's absolutely mumbo-jumbo and a sign that the "troubleshooter" is probably either ill-equipped to understand what's going on or just not interested.
Sure, if you have full rights. I run my computer for weeks at a time without rebooting. However, at my employer, where there is very little control, it’s a different story.
About two weeks ago, some Adobe Acrobat update introduced a hang that results in “Acrobat won’t open.” Open Task Manager and there’s four to eight stuck processes. Kill them and it works again most of the time, but once in ten it simply doesn’t recover.
Adobe acknowledged the issue to someone on my team. There’s no need for me to understand further; telling the user that a reboot will solve it is prudent advice. It’s on Adobe to fix it. You made assumptions about the environment where I tell people to reboot without understanding the conditions and I have an immediate real world case demonstrating why your statements don’t apply.
The user also shouldn't need to potentially suffer massive financial impacts from not being good enough at using a computer... Even more if it's a problem that can be solved by the computer itself as it's done already.
It's like you are saying that potentially dangerous tools shouldn't have safety guards whenever possible, with little impact for the common use of the tool. Kinda absurd to think that way... If some advanced use-cases require safety guards to be removed that's when the user should be trained enough to know the risks.
People want to use a computer for their tasks, the whole motto of Apple was to make technology accessible to normal people without requiring them to be tech-savvy, what you want goes in complete opposition to that mission.
I really don't understand what the issue is? Gatekeeper is merely a warning that introduces a minimal friction if what are you trying to run is created by an entity that chose not to present itself. It only happens once per application, not per launch. I've spent more time reading this thread than I have removing quarantine flags in the last five years.
Apple has a lot to be criticized for but gatekeeper (and SIP) isn't that.
It's fine as long as both exist and third parties are not allowed to know which one you're running.
Otherwise, you have banks and MAFIAA and others off-loading their own security and compliance costs to users by flat out discriminating based on the status of the sandbox.
Exactly. We won't have "hardware integrity" and other such freedom-limiting factors going the way of the dodo anytime soon if we keep handing the organizations trying to estabilish those systems ourselves lubed and ready to go.
Perhaps the feeling is (at least sometimes, if not here) mutual. Some free software developers make apps for themselves and don't particularly want users (and least of all non-technical users that they'll be expected to support). They may not be interested in participating in Apple's system of obstructing software installation, especially if they just write their software for themselves.
I've never ended up with undesired software on my system except for under two circumstances: either (a) it's installed by the OS vendor, or (b) some proprietary indie software I used got bought by a shady company who now wants to spy on me and sell my data. Systems like Gatekeeper don't protect against either.
> Also, it’s just such a bad security precedent. This page describes the error you get as “the typical macOS Gatekeeper warning”, as though it were just another piece of corporate silliness, like clicking through a EULA.
It mostly is another piece of corporate silliness. For most people it rarely does something useful. But I agree; if you're courting normie users you should just pony up and get your code signed and notarized. Otherwise just tell people that if they don't already know what Gatekeeper is and understand the risks of bypassing it as well as how to do so, your software isn't for them.
The fewer apps make me depend on proprietary app stores the better. Just make it a homebrew cask and you're good to go. If I were to develop macOS apps (vibed or not, whatever) I wouldn't want to pay Apple either nor jump through KYC and review hoops.
Totally agree. There are significantly more new apps being released. I've been visiting the /r/macapps subreddit and they're having trouble filtering new submissions. I generally like the direction that they're taking https://www.reddit.com/r/macapps/comments/1ryaeex/rmacapps_m...
Even though it's more troublesome to submit apps to App Store, it's one signal that the app is not a malware.
Wow, this subreddit looks like the apocalypse of vibe coded projects/apps. Kind of similar to what happened to "show HN". Too many ideas, not enough problems to solve, and likely bad implementations. The result is that nobody uses any of the apps.
In AI conversations, people often forget that at the end of a day, an actual human needs to use your stuff.
Gatekeeper is a travesty and assault on user freedom. Apple should not be in charge of what you run on your computer, at all. Any exception to this should be opt in. If a user wants to insert a third party between themselves and a programmer they can elect to do that.
Let’s not forget when Apple’s certificate server was down and suddenly you couldn’t launch apps on macOS, to say nothing of the abuse of user rights.
> they can’t be bothered to get a developer account and run a one line command
I applaud that they didn't kowtow to Apple's attempt to exercise control over their app and extort money from them. Why should we accede to policies that are designed to exploit us developers?
We developers add the real value to a platform. Don't believe me? Look up on how popular Sailfish OS or Windows Mobile OS is and why they failed or struggle. Apple should be grateful to this developer that they seek to add value to their platform instead of trying to figure out money grubbing ways on how to control and exploit them. (Of course, ultimately it is the users of the platform who are exploited - all charges by Apple are ultimately bore by them when they purchase an app through the App Store).
It's just sad that whether you are a user or a developer, Apple Fanbois would rather (ignorantly) place Apple's interest over their own consumer rights.
> It's just sad that whether you are a user or a developer, Apple Fanbois would rather (ignorantly) place Apple's interest over their own consumer rights.
You think notarizing an app is "placing Apple's interest over" our own?
Yes, how notarisation works currently on the Apple platforms is designed more for Apple's benefits than an Apple developer's or user's interest. When notarization can only be done through Apple, they have undue control - for e.g. they can ban any app that you create on their platform. Bad for malwares for sure, but not good when some government or Apple decides they don't like your app. Remember that all App Stores apps are ultimately signed by Apple, not by the developer who creates it (the developer signs and uploads the app, and Apple replaces the signature with its own). Self-signing an app also require you to get a "free" developer certificate through Apple by first signing up to their developer program and agreeing to all their overbearing terms (which they use to force themselves as a middle-man, to exploit both their developers and users). A self-signed notarized apps generates two sets of hashes - one which is stored in the app and one in Apple databases for "verification".
Thus, notarization also acts as a way for Apple to spy on its user and determine what apps they run - both when you install from the App Store or when you install it from outside the App Store. The way the whole process works, open source softwares (which are popular and compete with Apple's own app and other paid apps but often cannot bear the unnecessary burden of jumping through Apple's hoops) are also tarnished with all the popups about security threats, thus discouraging their use amongst non-technical users. This is great for Apple ofcourse because they can't make money of free open source developers (unless of course, they use their code to make their own applications, which they have no qualms about).
Imagine this too - How would you like it if Apple allowed you to view websites in Safari (or other macOS browsers) only if they had an SSL certificate from Apple?
So it is a disingenuous argument that people here are being "stupid" for complaining about Notarization. It's Apple forcing itself as the middle-man here and then exploiting its developers and users that's the issue.
A bunch of things break when you do that, though I do run my osx machine that way. The point is that it shouldn't be the default, it's the end of personal computing.
Except it is just another piece of corporate silliness.
Why don’t you purchase your own developer account and sign it yourself if you trust it? Or are you saying them paying Apple $100/yr in perpetuity is what will make you trust it?
A signed executable isn't for trusting the app. It's for knowing the provenance of the app. Sure, there are some application checks that happen before listing a store app, but those checks are minimal.
I find both to be true. I use Claude for most of the implementation, and Codex always catches mistakes. Always. But both of them benefit from being asked if they’re sure they did everything.
To be clear, for those reading these comments and thinking “oh no Azure”, this is an addition to the list of cloud companies that provide “cloud infrastructure worldwide” for “all products”. Alongside GCP and AWS. This is not a GitHub style announcement that they’ve moved all operations to Azure.
It's also down for me here in Brazil. Getting overloaded errors for about one hour now. It's been happening a lot this week. Is this normal for Anthropic?
It's down for me too. A colleague says it's up though - it's possible they're shedding different groups of users (he has the Max subscription, I don't).
They absolutely do. In this case litellm 1.82.8 had been out for at least a week (can’t recall the exact date offhand). The compromised version was a replacement.
It actually wasn't. That was one of the reasons why I looked into what was changed. Even 1.82.6 is only at an RC release on github since just before the incident.
So the fact that 1.82.7 and then 1.82.8 were released within an hour of each other was highly suspicious.
> PyPI does not allow for a filename to be reused, even once a project has been deleted and recreated...
> This ensures that a given distribution for a given release for a given project will always resolve to the same file, and cannot be surreptitiously changed one day by the projects maintainer or a malicious party (it can only be removed).
I think you’re confusing capital c Claude Code, the desktop Electron app, and lowercase c `claude`, the command line tool with an interactive TUI. They’re both TypeScript under the hood, but the latter is React + Ink rendered into the terminal.
The redraw glitches you’re referring to are actually signs of what I consider to be a pretty major feature, a reason to use `claude` instead of `codex` or `opencode`: `claude` doesn’t use the alternate screen, whereas the other two do. Meaning that it uses the standard screen buffer, meaning that your chat history is in the terminal (or multiplexer) scrollback. I much prefer that, and I totally get why they’ve put so much effort into getting it to work well.
In that context handling SIGWINCH has some issues and trickiness. Well worth the tradeoff, imo.
Codex is using its app server protocol to build a nice client/server separation that I enjoy on top of the predictable Rust performance.
You can run a codex instance on machine A and connect the TUI to it from machine B. The same open source core and protocol is shared between the Codex app, VS Code and Xcode.
That's the same reason I don't like Opencode, but Codex doesn't use the alternate screen. I remember it did when it was very very new, but now it doesn't.
Ah nice, good to know. I hadn’t used codex in a while. I actually really like opencode and its ui, just wish it didn’t clear the screen on exit. It could at least redraw whatever was last in the chat, that would be better than nothing.
I had a nasty slow claude code startup time at one point something like 8s, a clean install sorts it all out. Back up your mcp config and skills and you're good.
I’ve looked at that a bit. Roff and mandoc etc have specialized tagging that’s not easily representable in markdown. You’d wind up with a lot of boilerplate or special non-standard markup, which would undermine the point.
The LLMs are super good at doing that translation, though. They can write those formats no problem.
reply