MrStonedOne's comments

Attack vector requires local execution access and allows for escaping limited privileges like non-root user accounts and breaking out of (some?) namespace jails used by containers and sandboxing systems.


Then disable that specific functionality until you can make the framework instead of throwing out the whole thing in a temper tantrum?


On iOS you can't disable functionality in that way.

Objective-C allows dynamic dispatch to private API methods which would be just fine to do on third party app stores.

As I mentioned above the issue is likely related to engines being able to cache the system prompts approvals across multiple PWAs effectively bypassing them.


The third-party browser could just have its own prompt until Apple delivers their API, no?

On macOS, I already have to both grant Firefox permission to access camera, and then Firefox asks me about every website trying to access it individually, using their own UI.


So you want to hand over control of who has access to the camera, microphone, photos, contacts to random browsers.

Or to companies like Google and Meta for advertising purposes.


Did you read my comment? You still need to grant the permission to the browser in the first place.

This isn't any different from how it works already for all kinds of apps: If you grant Zoom the permission to access your camera, you do that once, and have to trust it on a per-call basis to not turn on your camera without your explicit consent.

If you don't trust your third-party browser to respect your choice as to which websites you want to grant access to your sensitive data, you probably shouldn't be using it, or at least not grant it access to that data in turn.


Websites today don't have access to my contacts, messages, photos etc.

And you may be happy changing the status quo to allow that but I think it is a terrifying proposition.


How would websites get access to your contacts? Just don't grant access to your contacts to your browser, whatever it is, problem solved!

The same applies to photos. iOS even has an API to let you pick a single photo to upload/share with an app that doesn't grant any access beyond that. And for messages there isn't even an API in the iOS sandbox.

Maybe you could clarify your concern; as far as I understand it, nothing whatsoever is changing on iOS due to the DMA in this regard (and I wouldn't want it to).


I think the concern/problem is you might want a PWA to have access to contacts, but you don’t want to provide contact access to the entire browser in this scenario since you may not trust the browser/other websites.


I do not like being dependent on having a working phone to log in to my digital life.

Any break in my phone will take weeks for me to be able to afford to replace, meanwhile what? I'm locked out of everything?

Why would I risk that?

Phone battery is dead so I got to wait 5 minutes to log into my forums while it charges enough to allow me to boot it and then boots?

Might as well move purely to YubiKey in that case.

The whole point of using Authy was the reliability of cloneable auth tokens between my desktop, laptop (desktop OS) and phone.

3 piece holy trinity.

And what? You want to move that down to one?

Even if it's backed up, what do I do while it is stolen or off for repairs?

The ENTIRE point of using Authy over any other solution was that its wide app base made it more reliable.

They adversely selected for the userbase that would get mad over this


You picked up the wrong definition of "free".

They meant free as in freedom.


A man raping a man is rape in most jurisdictions, it's only when women rape men does it become sexual assault or "other sexual violence".


Nobody outside of the UK knows what a "consumer unit" is. That sounds to me like you can't touch the breaker panel which is what you have to touch to wire in a new circuit.


I think you might be missing their concern.

The concern is that Google basically funds Firefox, and can choose to revoke that funding at the most inconvenient time for Mozilla, risking bankruptcy. Companies ebb and flow on cash flow, and an unexpected drop at the exact wrong moment can cripple even the most well funded ones.

Or just threaten to do so to exert pressure.


Giving poor people a thousand a month caused them to get more jobs. Giving them 6k up front caused them to get even more jobs.[0] Author's argument is invalid.

Percentage of Participants Working Full-time, Enrollment and 6-month Follow-up:[1]

Group A (1000usd/m): 18% -> 25%

Group B (6500usd one time + 500usd/m): 21% -> 35%

Group C (50usd/m): 22% -> 22%

[0]: https://news.ycombinator.com/item?id=37836296

[1]: https://drive.google.com/file/d/1gqtOfZG2sSanWgUdzn-lx-pwSXZ... page 22 (pdf page 23) figure 9


The issue isn't tech debt, it's tech interest.

Looking at the historical maintenance cost of the stacks when choosing them and prioritizing ones with a better history of backwards and forwards compatibility in their ecosystem does far more to prevent tech debt pile up than trying to reach a strict habit of bending over backwards to update dependencies.


Everybody points to Uber but Uber won against taxis because they had an app and taxis had a phone number that often wouldn't even accept a downtown cross st.

As a Seattleite who got tired of hunting for a building that still had a street number just to get a cab on 5th and Jackson or whatever, I'm glad Uber killed taxis.


This is exactly it.

It would be like if no pizza place had mobile ordering and a new one started that had it; that was the killer feature.

Everything else (I personally believe) was hyped up by Uber so that the taxis wouldn't realize what the real competitor was until too late.

Now there may be taxi hailing apps, but nobody knows the name of them, and they're different for every city.


In Austin ~2012-ish, we had Austin Cab.

It had an app. It was like Uber, but worse in every way you can possibly imagine and outrageously priced.

I don't like an Uber monopoly either, but it doesn't mean the status quo was better before.

