Comment by xfactorial
10 hours ago
I think the idea is wonderful, but a not-audited application that uses things like the camera is a “no go” for me.
Get it notarized and ask for some money! I will gladly pay it (and I hope others will do it as well).
Awesome concept: ergonomics and/or posture monitoring is a market opportunity for heavy users.
Notarization is mostly a glorified malware scan. There's no Apple engineer auditing what's being sent for notarization. Even clever malware can evade notarization scans and be distributed as a notarized binary; it has happened in the past [0].
There's no better way for auditing such an app than having the code easily available and looking through it, and compiling it yourself. Which is already the case here.
[0] https://thehackernews.com/2025/12/new-macsync-macos-stealer-...
Your link says that Apple revoked the certificate used to sign the malware by the time the story was published.
It's literally a single .swift file. Ask your LLM to audit it.
Then I need to get someone to audit the LLM, which is considerably more difficult.
Do you expect this programmer is in cahoots with Anthropic?
While I disagree with you, thank you for sharing your decision-making process: you're probably not the only one who thinks this way.
In general, would you pay for a notarised build of free software, if you had use for that software, even if an un-notarised build or the source code were available?
I seriously doubt that he actually would. And in that unlikely event he'd be in a minuscule minority. Not a good open source monetisation strategy.
Posturr is now notarized!
Are you serious? It's open source. And there's less than 1000 lines total. Get Codex or Claude to review it if you're paranoid.
The thing is that how do you know at the end of the day that the compiled binary hasn't been tampered with "extra code" besides what's in the repo?
I don't even think notarization gets rid of this problem either, so the best you can do for this is compile it yourself. Maybe I'm wrong!
Compiling it yourself is the best/only thing you can do if you really want to know what code went into a binary.
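The verification the last two comments describe, written out as an added example (not code from the thread or from the Posturr project): check what notarization actually attests to on macOS, then build the same revision from source and compare digests. It assumes the app builds as a Swift package with `swift build`; the product name and paths are placeholders.

```shell
#!/bin/sh
# Added example: compare a downloaded macOS binary with your own build.
# Assumption: the repo is a SwiftPM package; "Posturr" below is a placeholder product name.

# Print the SHA-256 of a file; portable across macOS (shasum) and Linux (sha256sum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when two files have the same SHA-256 (byte-for-byte identical), 1 otherwise.
same_digest() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# macOS only. This is all a notarized build gives you: a valid Developer ID
# signature and a Gatekeeper pass. It says nothing about whether the binary
# matches the published source.
check_signature() {
    codesign --verify --deep --strict --verbose=2 "$1" || return 1
    spctl --assess --type execute --verbose=2 "$1" || return 1
}

# Build the checked-out revision and compare it with the downloaded binary.
# Usage: compare_with_source <downloaded-binary> <repo-dir> <product-name>
# Caveat: a code signature embedded in the download, or a non-reproducible
# build (timestamps, absolute build paths), makes the digests differ even when
# the source is honest. In that case the only build you can vouch for is your own.
compare_with_source() {
    downloaded="$1"; repo="$2"; product="$3"
    (cd "$repo" && swift build -c release --product "$product") || return 2
    built="$repo/.build/release/$product"
    if same_digest "$downloaded" "$built"; then
        echo "identical: $(sha256_of "$built")"
    else
        echo "differs: downloaded=$(sha256_of "$downloaded") built=$(sha256_of "$built")"
        return 1
    fi
}
```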
What prevents you from compiling it if it is open-source?
That's what I do with every project delivered as docker image. I rebuild the app and the image.
Go easy on the guy. Mac users are so used to overpaying for trivial functionality.