My view so far:

I haven't done a brand new install in a few years, but it's possible to run macos (not ios) without an account. You can't use the store, but it doesn't try to sell you things all the time either. Siri can be disabled. I don't think you can know how much it leaks and where.

You can install real software pretty much freely, but some of it may pop up with a dialog saying it was downloaded from the internet (OMG!) or that it doesn't pass a signature check. First one is a warning, the second disables the program. There's a workaround. That'll work as long as it works.

Brew still exists and is still terrible, but seems to still be the most common way and has a ton of things and updates pretty frequently. I think there's also Nix and some other things but I don't know how common "mac" software is on those.

And you can run VM's with pretty full real environments if you like. Also the OS itself has come a long way since the first os X releases. Nearly usable apart from the GUI stuff. Installing a real OS instead only works on M1/M2 and there's no sign of things getting better.

M chips and Retina screens (apart from the old 5k weirdo) are pretty damn nice.

Yes, yes, and yes.

Those should be defaults in npm.

Really silly, when you buy "AI PC" with "AI CPU" and still run any "GenAI" related stuff in the cloud.

Out of the frying pan into the fire?

Just use HTML and CSS, ignore javascript.

There are technical limitations. What I want to do is now requiring JavaScript. I dislike JS, but I have maxed the ability's of the HTTP POST method.

How about YouTube RSS feed, where description contains summary from video in text format? Imagine how much time could be saved because TL;DW. Of course, Google would never do such a thing.

I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.

We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)

1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron

Study URL leads to a dead page

I've been working on this over the years. WIP is here: https://github.com/captn3m0/electron-survey, and it doesn't look good.

I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.

I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.

Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.

I guess an elephant-sized exception to this are the popular code editors that support extensions? Or perhaps such editors’ extensions typically aren’t constrained at all anyway.

The last one. It would make sense to have a sandbox system, but they don’t.

Didn't some get exploited early on because electron made it trivial to load third party websites without any kind of XSS protection?

Isn’t the threat model for these desktop apps entirely different?

Thanks for reminding about missing transparency. I think seeing those games in emulator with transparency support had almost same impression as running Need for Speed III with 3dfx card for the first time :)

I see libsteam plugin in archive. Are they planning to release it on Steam?

Are there any emulators on steam? I only remember the chaos that was Dolphin. Maybe its for the fancy controller?