alt Hacker NewsThis is that false dichotomy.
You can turn off all protection, as you point out. So who Apple markets Neo's to isn't a factor.
> Apple’s fault if nobody else decided to make their own trust repositories and the only alternative on the market is to have no safeguard at all.
Does Apple provide a means for enabling third party trust systems, without disabling Apple's protections in general? If not, that is a serious problem of Apple's choosing. Nobody (to a first order approximation) want's to dispense with Apple's protection, or re-implement it, but to be able to carve out exceptions for specific classes of software.
Replies
If you can enable a third party trust system you completely open it up for abuse. If I put my threat actor hat on, I love your idea because now I have an alternative codepath to try and exploit (where you do store third-party trusted roots for code-signing/notarization evaluations that cannot be tampered with, how do you load them, verify them, etc), but now instead of having to dance around bypassing Gatekeeper, I can just try and convince the user to install my certificates and voila, my malware behaves like a legitimate app.
Apple's root of trust for the OS and thus anything that passes AMFI/Gatekeeper scans is built into the hardware. There is no safe mechanism for introducing other roots of trust that is worth the effort.
If you don't trust Apple, why the hell are you buying their computers at all?
Sounds like you should pick something other than MacOS.