Tuesday, October 21, 2014

Yosemite Developer Documentation

Monday, October 20, 2014

The Gentleman Who Made Scholar

Steven Levy:

Some people have never heard of this service, which treats publications from scholarly and professional journals as a separate corpus and makes it easy to find otherwise elusive information. Others have seen it occasionally when a result pops up on their search activity, and may even know enough to use it for a specific task, like digging into medical journals to gather information on a specific ailment. But for a significant and extremely impactful slice of the population: researchers, scientists, academics, lawyers, and students training in those fields — Scholar is a vital part of online existence, a lifeline to critical information, and an indispensable means of getting their work exposed to those who most need it.

The iPad’s Future

Ben Thompson:

This is certainly a big comedown from the sky-high expectations that followed the iPad’s explosive growth in 2010 and especially in 2011, when many conjectured that the iPad business would ultimately be bigger than the iPhone. The question, though, is if the decline in the iPad’s fortunes is simply the natural order of things, Apple cannibalizing itself before others have the chance, or a missed opportunity.

I think that it’s all three.

[…]

The problem is that must-have apps are exactly what the iPad needs to become indispensable. And sadly, while Apple seemed to shrug off much of that 1997 paranoia at this year’s WWDC, they didn’t make any real changes to the App Store policies around trials and upgrades that would truly make a difference. Truth be told, though, this year’s WWDC was likely already too late. By then iPad sales had already started to decline on an annual basis, giving developers even less incentive to focus on the iPad.

Jean-Louis Gassée:

Indeed, after growing faster than anything in tech history, tablets have stalled. For the past three quarters unit sales have plummeted: iPad sales fell by 2.29% in the first (calendar) quarter of 2014 versus the same quarter in 2013, and they fell by 9% in Q2.

[…]

I once thought the mini was the “real” iPad because I could carry it everywhere in a jacket pocket. But about two weeks ago I bought an iPhone 6 Plus, and I haven’t touched my mini since. (As punishment for my sin, I found 52 apps awaiting an update when I finally turned on the mini this morning…) Now I have an “iPad micro” in my (front) jeans pocket…and it makes phone calls.

Trusting iCloud

Nate Boateng:

Signing out and back into iCloud deleted the last 3 years of vacation shared photo streams I had…

To be clear, signing out and back into iCloud today broke nearly every piece of it. Photo Stream, Family Sharing, iCloud Drive. All of it.

Via Joe Steel:

The truly disturbing thing about what happened to Nate was that he didn’t trust Apple, and had a backup of everything. I don’t trust Apple, and I have a backup of everything. At what point is distrust a sign of a problem, and not just paranoia? Even Dan Moren, doing some Color Commentary™ on Thurday’s Apple Event seemed a little scared of the “Public Beta” moniker on iCloud Photo Library.

Andreas Zeitler (via John Gordon):

On iOS 8, the previous fix still works, but now this “fix” has to be applied for each app individually. One app stops syncing? Reboot the device!

I reboot my device about three times a day now, just to get iCloud syncing back, just for one specific app. If that doesn’t fix it, well, users report that you can delete the app and install it again, then sometimes iCloud does seem to come back. If not, well, try installing the app again. If that doesn’t fix it, you can always restore the device, which usually fixes the problem.

Sunday, October 19, 2014

1pass

1pass is an open-source Python library for reading 1Password’s .agilekeychain file format (via Jonathan Wight).

Spotlight Suggestions and Privacy

fix macosx (via Landon Fuller):

If you’ve upgraded to Mac OS X Yosemite (10.10) and you’re using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft).

Mac OS X has always respected user privacy by default, and Mac OS X Yosemite should too. Since it doesn’t, you can use the code to the left to disable the parts of Mac OS X which are invasive to your privacy.

I think previous versions of Mac OS X did have Safari send partial searches to Google by default. However, Spotlight searches have not previously left your Mac.

Update (2014-10-19): To be clear, you don’t need this script to improve your privacy. The Spotlight Suggestions and Bing Web Searches boxes are readily uncheckable in System Preferences. Rather:

There’s no single “local search only” toggle, and you have to cross-reference the documentation provided in System Preferences against the list of “Search Results” to figure out which of the options actually sends your queries to Apple.

I wanted something simple, that I knew worked, and I could just tell family to run themselves, so I put this together. It’s a convenient way to apply the settings, a jumping-off point for a more involved effort to resolve some of the other remaining privacy issues on Yosemite, and a handy way to get the privacy message across.

Since Apple hasn’t provided a single switch, it makes sense to have a single script that can be kept up-to-date.

Update (2014-10-19): There is also another checkbox called “Include Spotlight Suggestions” in Safari’s preferences.

Update (2014-10-20): Ashkan Soltani and Craig Timberg:

Apple officials said Monday that the data collection is intended only to improve the quality of searches conducted through Spotlight, a standard feature on both Mac computers and Apple’s mobile devices, such as the iPhone and iPad. The user identification number rotates after 15 minutes to a new identifier, they said, and the location and search query information is not used to create profiles of users or to deliver targeted advertising.

[…]

Testing by The Washington Post found that the locations revealed in Spotlight searches can be strikingly precise, placing a user within a particular building in Washington, D.C., even though the disclosure box on Spotlight refers to collecting “your approximate location.”

Update (2014-10-21): John Gruber:

The only thing Apple could do differently is make this another one of the you-have-to-explicitly-opt-in stages when you first upgrade to Yosemite or create an account on a new Mac.

New iWork File Formats

The new versions of the iWork apps change the file formats again, but it’s not as drastic a change as last year. Numbers 3.2.2 created a package folder with some metadata and a ZIP archive containing the .iwa files. Numbers 3.5 seems to use the same structure except that the .numbers file itself is the ZIP archive.

I repeated my CSV file import test from last year, and I don’t see any speed or size changes between the two versions of Numbers.

Aperture Import Plug-in for Lightroom

Adobe:

As promised in a blog post here, we are proud to introduce the Aperture and iPhoto import plugin for Lightroom 5. The plugin allows Aperture and iPhoto customers to migrate their images and key metadata (such as keywords, events, project structure) into Lightroom catalogs in a seamless way.

The problem remains that I don’t really want to use Lightroom. Also, it is significant that image adjustments and stacks don’t import.

It’s About the Encryption Keys

Stefan Reitshamer:

There’s a lot of talk on the interwebs about encryption. Encryption is a necessary but not sufficient condition for maintaining control of your data. Controlling access to the encryption key is just as important.

Lots of articles that reference encryption fail to mention this, and that’s confusing for people who are not crypto experts.

The iPad Zombie

Allen Pike (via John Gruber):

Apple still sells the original iPad mini. Today, they announced that not only would they continue to sell it, but cut the price to $249, making it the cheapest iPad ever. If they follow their usual pattern of leaving the iPad line as-is until next fall, the iPad 2’s internals will live on for 4.5 years.

[…]

We already see this pain on the App Store, especially with games. There is no mechanism to specify on the App Store which CPU is required for your app.

Yosemite’s Speakable Scripts

Christopher Breen:

In Yosemite, Speakable Items are gone. Their functionality has been merged with the Dictation architecture of the OS and morphed into a new feature called Dictation Commands. But unlike Speakable Items, Dictation Commands are not separate from the rest of the speech architecture. Turn on Dictation and you automatically gain access to Dictation Commands. At any time—even during a dictation session—you can speak the title of a command to have it recognized and executed.

[…]

When you launch the Automator application in Yosemite, the workflow template chooser offers a new option: Dictation Command. Using this new workflow template you can create a system Dictation Command that automates any process or task that Automator is capable of performing.

Daniel Jalkut:

It seems the scripts are run not as the streamlined items that they are but are instead sort of wrapped in an automator action and run. It’s nice that you don’t have to go out of your way to translate a script into an Automator Workflow, but unfortunately this means that “Speakable Scripts” do put up the little Automator gear icon in the menu bar, and are probably ultimately slowed down at least a bit by being run as a full-on workflow.

I wonder if saving a script as an application would work any better.

Update (2014-10-19): Daniel Jalkut:

Wait a minute, maybe it is running them as native scripts. There’s just a change on OS X Yosemite with how the system runs scripts, such that they always show an Automator-style progress indicator in the menu bar. I find this pretty irksome as a default behavior because for example short-lived scripts don’t need progress to be indicated at all.

Mutable Collections in Swift

Mike R. Manzano:

How do you create an var that holds an immutable Array? As in a var that you can assign different immutable Arrays to?

BJ Homer:

Because Swift arrays and dictionaries can never be shared, there is no distinction between mutating an existing collection and re-assigning a new collection. The behavior of the code is exactly the same. In either case, the owner’s setter method is called whenever the array is modified.

So to answer the original question, there is no syntax to specify a variable that holds an immutable array because there is nothing that such syntax would add. Swift addresses the issues that made NSArray and NSMutableArray necessary in the first place. If you need a shared array, you can still use the Cocoa types. In every other case, Swift’s solution is safer, simpler, and more concise.

On the whole, I think this is probably a good direction. The downsides would seem to be that the performance model is less clear and that it’s more work to write your own data types as struct-class pairs.

One somewhat common pattern in my Objective-C code is a (often recursive) method that takes a mutable array or dictionary as a parameter and builds it up. You can’t do this with var in Swift because that only lets you modify the collection within the method. However, you can use inout to have Swift “return” the last value to the caller.

This is not the same as passing around an NSMutableArray, though. For example, consider what would happen if there were multiple threads involved. Also, inout only lasts for the duration of the method; the collection cannot (as far as I know) be stashed in another object and then mutated (back in the caller) later.

Update (2014-10-19): Christoffer Lernö responds via Twitter.

Friday, October 17, 2014

AVFoundation in Yosemite

Philip Hodgetts:

There is a lot of new audio functions. A lot, as in heaps.

[…]

We’ve had AVAssets and AVCompositions in AVFoundation up until now, which do not support reference movies. It seems a reasonable inference that an AVFragmentedMovie is what we’d have called a QT Reference movie in the past.

Update (2014-10-18): Mike Ash:

I was excited to try AVAudioEngine now that 10.10 is here. But it’s just sadness and silent failures and mysterious crashes. Sigh.

Yosemite Observations

Trying not to repeat the work of the reviewers, here is a running list of my personal observations after using pre-release versions all summer but only updating my main Mac this morning:

Update (2014-10-18):

Update (2014-10-19):

Update (2014-10-20):

Update (2014-10-21):

Yosemite Reviews

Update (2014-10-19):

Wednesday, October 15, 2014

POODLE

Daniel Fox Franke (via Hacker News):

This post is meant to be a “simple as possible, but no simpler” explanation of POODLE. I’ve tried to make it accessible to as many readers as possible and yet still go into full and accurate technical detail and provide complete citations. However, as the title implies, I have a second goal, which is to explain not merely how POODLE works, but the historical mistakes which allow it to work: mistakes that are still with us even though we’ve known better for over a decade.

[…]

The problem stems from browser vendors’ desire to be able to cope with buggy servers and middleboxes which advertise a protocol version that they can’t actually support. To work around such broken behavior, when an SSL handshake fails most browsers (all but Opera[5]) will fall back to an earlier protocol version and retry. This browser behavior, called the “downgrade dance”, makes it trivially vulnerable to downgrade attacks.

[…]

This is the basis of the Vaudenay padding-oracle attack. An attacker who can get the server to reveal whether a ciphertext decrypts to something with valid padding or not, can then guess the contents of any block of plaintext one character at a time, and get confirmation when the guess is correct.

[…]

Vaudenay also originally believed that the fact that TLS treats all padding errors as fatal, shutting the connection and discarding the session key, meant that the full attack wasn’t possible: that the attacker got to take one guess at one byte and nothing more. POODLE, using ideas already foreshadowed by BEAST, shows that in the browser context, this isn’t necessarily so.

[…]

Within the confines of SSL v3.0, POODLE cannot be fixed. However, the downgrade dance which enables it can be.

[…]

Now, though, I am going to step onto my soapbox and say: disabling SSL v3.0 does not go far enough. It is time to aggressively deprecate as many old versions of TLS as possible.

Matthew Green:

The rough summary of POODLE is this: it allows a clever attacker who can (a) control the Internet connection between your browser and the server, and (b) run some code (e.g., script) in your browser to potentially decrypt authentication cookies for sites such as Google, Yahoo and your bank. This is obviously not a good thing, and unfortunately the attack is more practical than you might think. You should probably disable SSLv3 everywhere you can. Sadly, that’s not so easy for the average end user.

Update (2014-10-15): Poodlebleed:

The below form can be used to test if your server is running with SSL 3.0 enabled. Although disabling SSL 3.0 may cause failed connections to your ssl service for small portion of users running older browsers, this action prevents the large portion of modern browsers from being eavesdropped while attempting to access your services in a secure manner.

Update (2014-10-19): Glenn Fleischman:

Poodle may finally put IE6 to death, because IE6 can’t use modern web security protocols. […] Despite the introduction of TLS in 1999 and the fact that the last version of SSL (SSLv3) was released in 1996, web servers generally have continued to support SSLv3 to this day because it’s the latest version that IE6 supports.

Remembering Macworld Expo

Christopher Breen:

In its early and middle years, Macworld Expo was, in some ways, the world’s greatest Mac user group gathering. As the World Wide Web had yet to become the source of the globe’s information, Mac users depended on books; publications such as Macworld, MacUser, and MacWEEK; and, importantly, face-to-face interaction with other enthusiasts for their Apple fix. While users groups served this latter need on a local level, if you wanted to be surrounded by others of your ilk from across the country (and world), you went to Expo.

Adam C. Engst:

With this announcement coming on the heels of Macworld putting its print edition to rest, it has never been more clear that the massive changes engendered by the Internet have reshaped the world we live in. While at the Çingleton conference last weekend, I was reminiscing about my first Boston Macworld Expo in 1989 and the many pounds of paper I collected. Picking up brochures and handouts from every vendor was an essential task back then, since it was the only way to create a reference database of product information. When Tonya and I moved to Seattle in 1991, we brought four file drawers full of paper with us; when we returned to Ithaca in 2001, we didn’t even bring the empty filing cabinets back.

[…]

The other sea change that hurt Macworld Expo is one that I still don’t fully understand. In the early days of the show, money flowed like water. Big companies paid tens of thousands of dollars for spacious booths and flashy parties, and while products cost significantly more back then, the overall market was far smaller. Now, even with Apple posting record profits every quarter and hundreds of millions of people using Apple devices, few Apple developers approach the size of the firms that filled multiple exhibition halls during the biannual Macworld Expos. The parties dried up even earlier, and while I can’t say that a party or even a booth was a worthwhile marketing expense, clearly people thought so back in the day.

I attended the East Coast ones from (I think) 1993 through 1999. Here are some old ATPM reports from Macworld Expo:

Invisible iOS Home Screen Icons

David Smith:

Since getting my iPhone 6 a few weeks ago I’ve been continuously trying to optimize the configuration of my home screen. The larger screen means that I now have an extra row of icons to fit onto the screen, but the physical size of device means that I can’t actually comfortably reach them.

Since you can’t arbitrarily place icons on your home screen this means the situation is actually worse. I now have to fill in the top row of icons with ‘stuff’ just so that I can easily reach my main icons without stretching.

Begemann’s Backblaze Review

Ole Begemann (Twitter comments):

There is this saying that a backup system that requires manual work is not a reliable backup. That’s Backblaze if you have to deal with external drives.

[…]

The Backblaze client has no restore functionality. All restores (be it a single file or your entire archive) start on the website and require you to send your private passphrase to Backblaze’s servers where the data will be decrypted before you can download it. Needless to say, this is not at all ideal from a security perspective.

[…]

This may sound like an obscure limitation that is largely irrelevant in real life, but it means you won’t be able to move data between drives without risking the loss of your backup state for weeks or potentially months (until the initial backup is complete).

Also, it sounds like moving a file causes its backup history to be lost, which is not the case with CrashPlan or Arq.

Tuesday, October 14, 2014

Patterns to Avoid Massive View Controllers

Soroush Khanlou:

Historically, Apple’s SDKs only contain the bare minimum of components, and those APIs push you towards Massive View Controller. By tracking down the responsibilities of your view controllers, separating the abstractions out, and creating true single-responsibility objects, we can begin to reign those gnarly classes in and make them managable again.

iOS App Postmortem

Nat!:

The project started out on iOS 5, which was quickly succeeded by iOS 6. I would have been extremely surprised at the beginning, if someone had told me, that at the time of iOS 8s release our app still wouldn’t be done yet. But here is a recollection of all my faults: why it took way too long.

[…]

I bought AppCode solely to run “Inspect Code…”. The results returned are quite a bit more helpful than what Xcode Analyzer returns.

[…]

I probably wrote a hundred little apps, that tested out some feature, or started coding a subview with it. When the code was complete I moved it into the main app, deleted the original files and then symlinked the files from the main app in the test app. This way, I could go back to the test app to tweak something, when it didn’t work out in the main app. Needless to say being able to focus on just a small piece of code in a controlled environment is much more convenient.

[…]

This unfortunately means, that I am almost invariably are going to hit a brick wall at some point in time. For example, I spent way, way more time dicking around with UIScrollView than I eventually needed to code my own custom UIScrollView. The opacity of the iOS libraries means, that I always have to guess, how it’s really implemented, guess how it could break in the next iOS version and also guess beforehand, if everything is exposed like I will eventually need it.

[…]

Subclassing CoreData classes or overriding CoreData accessors is a path to misery, where I am unfortunately still traveling on. I am not 100% sure, but I would probably have been better off, either just going sqlite-direct or to use a stripped down MulleEOF for Dienstag.

[…]

It was interesting, because “naive code” only suffered a factor 2 ARC penalty, whereas “clever code” suffered a factor 10 ARC penalty. So ARC seems to be a great programmer equalizer in that respect. I didn’t investigate other “patterns”, but I also continued not using ARC. Less magic, less pain.

Hypothetical Objective-C 3.0

Christoffer Lernö:

Many had expected Swift to be more an Objective-C 3.0 than it turned out to be. But what could we have expected such a hypothetical language to look like?

Christoffer Lernö (comments):

This list is actually just a sample to get the ideas flowing, and to illustrate how some of the hurdles with ObjC 2.0 can be overcome by a successor that breaks syntax with the past, but still retains full backward compatibility.

David Owens:

I think the biggest disservice we can do to the Cocoa developer community is remove the underpinnings of the ObjC runtime. It is the language’s, and I truly believe, the platforms’ greatest strength.

I believe if we hide the complexities of C from our source code and focus on letting the power of the ObjC runtime shine through in our code, we can create a new language that provides of the great flexibility of the ObjC runtime while still accomplishing many of the goals that Swift is attempting to solve - namely safer code by default.

Consider how much progress could have been made with Objective-C had the resources from the Swift project been applied to it instead. Swift is an immensely complicated language that still needs a long time to mature. Objective-C is a much smaller language with a solid core and seemingly a lot of low-hanging fruit (syntax improvements, increased safety).

For example, a better blocks syntax and support for Python-style comprehensions in Objective-C would do a lot for me today, making my code more concise and readable. Swift’s generics feature was likely more difficult to implement, and it arguably makes the code less readable and for dubious benefits.

Additionally, an improved Objective-C could in many cases compile down to binaries that work smoothly with existing code and older OS versions. It could still use the same runtime. With Swift, Apple is instead dropping some of the benefits of the Objective-C runtime and creating migration issues because some Swift elements don’t interoperate with Objective-C, and others bridge but with performance penalties. We’ve only seen the tip of the interoperability iceberg because so far all of Apple’s APIs are native Objective-C.

Apple seems to be betting that the benefits for making a whole new language will be worth the migration costs and the stagnation of the language that most of us are actually using. I’m not convinced because most of my favorite Swift features seem like they could have fit into an Objective-C 3.0.

Mac Vibrancy Tips

Brent Simmons:

For one of my projects I’m working with NSVisualEffectView and behind-window blending.

[…]

There may be other gotchas, of course, but these are what I’ve found so far.

The State of iOS 8 on the iPad

Mikhail Madnani:

I assumed iOS 8 would offer a good experience on the iPad Air, but after playing with it as well as the iPad mini with Retina display, it’s clear that iOS 8 on iPads is clearly far from ready. Although there are loads of bugs and performance issues that currently exist on iOS 8, this post is not for those. Instead, let’s talk about some of the interface issues, design oddities that are seen on iOS 8 and how the iPad’s potential is being wasted by not taking advantage of the larger canvas.

iOS 8 Accessibility Regressions

Chris Hofstader:

For the past few years, based on what I’ve written in this blog and elsewhere, blind enthusiasts of the Android platform have labeled me as an Apple fanboy. It is true that I use Apple devices and that I applaud Apple for its outstanding out-of-the-box accessibility in iOS/7 and the pretty good version of the same on OS X.

[…]

So, it remains that iOS/7 is the all time out-of-the-box accessibility champion. As iOS/7 can no longer be purchased from Apple, this also means that the most accessible solution for mobile computing is now a thing of the past. We’ve regressed in iOS/8 and Apple must be taken to task for such.

[…]

Apple is doing something different and dangerous with their accessibility strategy. By choosing to release iOS/8 with so many glaringly obvious bugs, they have allowed accessibility regressions to vastly overshadow any improvements in such in iOS/8. My personal conclusion is that this is the result of a failure by the Apple competitors, most notably Google and Microsoft, to actually compete in this space. Apple released iOS/7 with a 100% accessibility API compatibility rating, the only out-of-the-box solution that has even tried to achieve such. Apple is still the clear leader in accessibility in the mobile computing arena but has proven that they can disappoint as well as surprise this community with their accessibility efforts.

AppleVis:

Detailed in this post are possible accessibility bugs which members of the AppleVis Editorial Team have identified during their testing of iOS 8. If you have not already updated your iDevice to iOS 8, we strongly recommend that you read through this post and any comments before doing so, as we believe that there are a number of bugs in this release which might have a significant impact on the user experience for some blind and low vision users.

Update (2014-10-20): AppleVis:

Based upon what we have typically come to expect from a full point release of iOS, it is likely that some will be disappointed to see that this update does not include more fixes for the accessibility-related bugs that were introduced in iOS 8.0. However, it is worth noting that iOS 8.1 comes just a month after iOS 8.0, and that Apple appears to be working on a very different version schedule to what we have typically seen in the past.

[…]

Here are the fixes and improvements that we have found in our initial testing of iOS 8.1.

Backtrace Album Released

James Dempsey and the Breakpoints (iTunes):

Backtrace steps through fourteen years of Mac and iOS development tunes, taking you on a musical journey into the biggest album release in iOS and Mac programming history.

From the driving beat of Goto Fail to the memory management oldie Hold Me, Use Me, Release Me every song is here. From crowd favorites to deep cuts, each track melds music with humor-filled tech lyrics, welcoming you to a sonic wonderland of geektastic amusement.

Monday, October 13, 2014

SQLite.swift

Stephen Celis’s SQLite.swift is a pure Swift wrapper for SQLite. There are also several other projects that do this, listed at the bottom of the page. As with JSON, I think database access is a fertile area for case studies about Swift’s type system.

NSCoder, NSArchiver, and NSKeyedArchiver

Nat!:

If I chain 40000 Foo objects together, all NSCoders crash on archiving, keyed or unkeyed, because of stack exhaustion. Surprising!

[…]

There are likely very few applications, where it pays off to use NSKeyedArchiver to cache an object graph. It’s neither a compact format, nor a fast coding method. You might be better off just reparsing the source. I parse my templates just about as fast as NSArchiver can unarchive. I can see where the added compression and the lack of need for extra I/O to read included files may give NSArchiver an advantage. NSKeyedArchiver though, just makes everything worse for me.

It looks like FastCoding is subject to the same stack limitation.

Sunday, October 12, 2014

BBEdit Leaving the Mac App Store

Jason Snell:

On Saturday Rich Siegel of Bare Bones Software gave a presentation in which he announced that the next version of BBEdit would not be sold in the Mac App Store. (The existing version will remain, and existing Mac App Store customers can upgrade to the next version directly with Bare Bones.)

Siegel’s talk was notable for its restraint and care. This was not a scorched-earth denouncement of the Mac App Store. […] But, of course, all of these frustrations were cumulative. And, Siegel said, many of those frustrations occur at the very end of the development cycle, when the final code is being shipped and the marketing plan is being executed. He likened it to Max Q, the aeronautical term for the period of maximum atmospheric stress on a flying vehicle.

See also: Mark Pavlidis, Scott Morrison, Jason Snell, Marko Karppinen, Paul Haddad.

Update (2014-10-13): Federico Viticci:

The departure of BBEdit from the Mac App Store is yet another example of the platform’s limitations and it’s sad, but it’s probably for the best and everything will be okay. The Mac App Store isn’t meant for apps like TextExpander or BBEdit, and Apple doesn’t seem to be willing to change its underlying nature.

Joe Steel:

The decay of the Mac App Store over the last few years is pretty subtle. Developers are not leaving en masse, all at once. One by one, as new updates are being developed, they weigh the pros and cons for them, and their customers, and they pull out.

Just look at the main page of the store’s app and you’ll see bric-á-brac. of apps. They’re showcasing the Twitter Mac app right now. Yes, hey everyone, drop everything and check out this crazy thing called Twitter! The best part is the little bit of text. “New Features Added” — A.K.A. We totally don’t care about marketing at this point.

Update (2014-10-14): Milen Dzhumerov (comments):

The Mac App Store was released in January 2011 and it marked the beginning of a great new distribution channel. Even though it lacked some bells and whistles, the developer community was hopeful the problems would be addressed in due course. Unfortunately, it has been years and there’s no evidence that the core issues would be addressed in the future, at all. When notable developers are abandoning your platform, cannot do the right thing for their customers and are delaying their MAS submission, something is very, very broken. I believe that the inaction is harmful to the whole Mac community, affecting consumers and developers alike.

Let me make it absolutely clear why I’m writing this. First and foremost, it’s because I deeply care about the Mac platform and its future, it pains me to see developers abandoning it. The Mac App Store can be so much better, it can sustain businesses and foster an ecosystem that values and rewards innovation and high quality software. But if you talk to developers behind the scenes or explore the Mac App Store, you’ll find something completely different.

Kirk McElhearn:

I’ve heard similar stories from lots of other developers. The entire process – from submission to approval – is fraught with difficulties, with seemingly arbitrary rules that are applied at random. […] This is especially problematic for small developers, who only have one or two people to do all the work, and end up wasting far too much time on problems that shouldn’t exist.

Update (2014-10-15): John Gruber:

The one that gets me, and which seems under-remarked-upon, is how Apple’s own apps in the App Store are exempt from sandbox restrictions. Third-party apps are never on equal footing with Apple’s, but with sandboxing, it’s almost absurd.

Update (2014-10-16): Myke Hurley and Jason Snell discuss BBEdit and the Mac App Store.

Update (2014-10-17): Drew McCormack offers a contrary take. I’ve never understood his aversion to trials, using words such as “ransom” and “blackmail”; why he is so concerned that upgrades couldn’t “inject” releases when that isn’t possible now, anyway; or why he thinks Apple is providing sandbox exceptions, when the abandoned and withdrawn apps tell a different story. Of course, it would be nice if Apple dropped its cut to 15%, but I doubt that would make most developer’s top five list of changes they want to see.

A Guide to NSButton Styles

Jakub Suder (via Jonathan Willing):

I figured I could prepare a kind of cheat sheet that collects all this information in one place. The list below describes the button styles in the same order as in the Xcode panel, and for each button it includes: the Xcode name, the constant name, screenshots of how it looks on Yosemite (on the left) and on Mavericks (on the right), and some guidelines I found about how it’s supposed to be used, or how it’s actually used by Apple in their apps. (I’ve even checked the system apps with Interface Inspector to see what controls are actually used where.)

Implementing Re-entrant Parsers in Bison and Flex

Eric Raymond:

That rebarbative old interface generally broke a lot of rules about program structure and information hiding that we now accept as givens (to be fair, most of those had barely been invented at the time it was written in 1970 and were still pretty novel). It becomes a particular problem if you want to run multiple instances of your generated parser (or, heaven forfend, multiple parsers with different grammars) in the same binary without having them interfere with each other.

But it can be done. I’m going to describe how because (a) it’s difficult to extract from the documentation, and (b) right now (that is, using Bison 3.0.2 and Flex 2.5.35) the interface is in fact slightly broken and there’s a workaround you need to know.

Xcode’s built-in support breaks every few versions, so I recommend creating a Makefile to run your parser generator and adding the generated files to your project. Another advantage to this approach is that you can specify per-file flags such as -Wno-conversion to the compiler to silence warnings that you can’t do anything about.

Saturday, October 11, 2014

Belkin Thunderbolt 2 Express Dock HD

Susie Ochs:

Connecting to your Mac’s Thunderbolt or Thunderbolt 2 port, it puts two Thunderbolt 2 ports in easy reach, as well as three USB 3.0 ports, one HDMI 1.4b, one Gigabit Ethernet, an audio output in the back for speakers, and a headphone jack in the front.

Why can’t someone make a dock with a lot more ports? If you connect the Belkin to a MacBook Air, a display, and a single drive dock, you’re already out of Thunderbolt ports. And three USB ports is barely any. I’m currently using a 9-port Anker USB 3.0 hub (Amazon) and a 7-port USB 2.0 hub. This sort of product would be a lot more interesting if it could cut down on the number of hubs, power adapters, and daisy-chained cables in my office. Otherwise, it is essentially $300 to add a single Thunderbolt port.

Update (2014-10-11): After chatting with Belkin’s support person (see comments below), I learned that there are in fact only two Thunderbolt ports total. So this product does not add any Thunderbolt ports; it only offers a passthrough.

Sunsetting

Geoffrey Goetz:

In November of 2010 .Mac HomePages gave way to MobileMe Web Galleries. Then in June of 2012, MobileMe Web Galleries ceased to exist as iCloud came online. Now the most recent successor, iPhoto Web journals, is being shut down, or at least that is how it appears. With each transition, users of the previous online journaling feature really had little to no options available when it came to migration to a new or replacement feature.

[…]

The problem this time around is that there was very little notice and there really is no recourse or action that can be taken to preserve your iPhoto projects. And unfortunately there is no easy fix for this. According to Apple’s own support page concerning the migration, “Photo Books, Web Journals, and Slideshows are converted into regular albums in Photos. Text and layouts are not preserved.” And thats it, no more iCloud scrapbooking per Apple.

John Gordon:

I expect Apple to screw up anything related to long term data management, but this is extreme even by their standards. GigaOm, in language restrained by fear of Apple, tells us of another Apple datacide and botched product transition.

[…]

Apple is a bit of a serial data killer -- usually with no public response. I still miss the comments I'd attached to iPhoto albums that were lost in the transition to Aperture.

David Sobatta:

Part of the problem is that Apple introduces software and kills it off. The list goes back many years and includes software from Apple's application company Claris. Claris emailer was a good program as was Claris Works. Aperture was well thought of by some users and I was a fan of iDVD. All those programs are gone.

Then there is the iWork series that languished until recently when Apple brought out Pages 5 which creates all sorts of formatting problems when moving back and forth between it and Pages 09. People would not have to move back and forth if Apple had maintained feature parity with the old version.

Word might be bloated and not much fun to use, but it does a much better job moving between platforms and versions. Apple just does not seem to care.

Brent Simmons:

The beauty of indie software is that many apps don’t make financial sense for a larger company, but they make great sense for a small shop. So you can have sustainable apps such as Capo, Acorn, and MarsEdit that you wouldn’t get without indies. And you can also be sure those apps won’t get shut down on some manager’s whim.

[…]

But relying on any software or service, from anybody, is a risk. Always.

Update (2014-10-14): Nick Heer:

Apple is also dropping support for their printed products with Photos for OS X. My dad is a goldsmith, and he uses iPhoto photo books for his portfolio — they’re well-printed, nicely-bound hardcover books that he can lay out himself and order on demand for a reasonable price. I told him that these products would no longer be available; he’s gutted.

What’s Really Happening With iOS 8 MAC Address Randomization

Nick Arnott:

Initially it looked as if MAC randomization didn’t work at all, which was confusing because Apple has made a point to publicize this feature.

After a lot of digging and a lot of late nights monitoring Wireshark captures, it looks like Apple has shipped this feature as advertised, but not quite as expected. In the WWDC session on user privacy, the slide said “The MAC address used for Wi-Fi scans may not always be the device’s real (universal) address”. They didn’t say it would never be a device’s real MAC, only that it may not always be.

[…]

Unfortunately, the requirement of the phone being asleep makes this feature nearly useless, albeit within the description of what Apple advertised at WWDC. In order to get random MACs to be used I had to turn off notifications for multiple apps, turn off push email, and stay up late at night when there was a greater chance of my phone getting to sleep, uninterrupted, for more than a minute or two. Even under these circumstances, I would only encounter one or two rounds of probe beacons (which seem go to out every couple of minutes) with a random MAC before seeing my phone blast a bunch of probes with my real MAC.

Previously: iOS 8 MAC Address Randomization.

Adobe Spying on Users, Collecting Data on Their Libraries

Nate Hoffelder:

Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

[…]

The first file proves that Adobe is tracking users in the app, while the second one shows that Adobe is indexing my ebook collection.

The above two files were generated using data collected by an app called Wireshark. This nifty little app can be used to log all of the information that is sent or received by your computer over a network.

Apple’s Software Quality Decline

Russell Ivanovic:

I just wish that Apple would slow down their breakneck pace and spend the time required to build stable software that their hardware so desperately needs. The yearly release cycles of OS X, iOS, iPhone & iPad are resulting in too many things seeing the light of day that aren’t finished yet. Perhaps the world wouldn’t let them, perhaps the expectations are now too high, but I’d kill for Snow iOS 8 and Snow Yosemite next year. I’m fairly confident I’m not alone in that feeling.

John Gruber:

From the outside, it seems like Apple’s software teams can’t keep up with the pace of the hardware teams. Major new versions of iOS aren’t released “when they’re ready”, they’re released when the new iPhone hardware ships. […] Just today: My iPhone 6 rebooted after I changed the home screen wallpaper. Tapped a new image in the wallpaper settings, and poof, it rebooted. Worse, it never stopped rebooting. Endless reboot cycle.

Tim Schmitz:

One thing that’s striking is how many of Apple’s troubles are self-inflicted. Gone are the days when Apple planned product announcements around conferences like Macworld Expo. That the company controls its whole ecosystem, from hardware to software to services, is supposed to be a strength. Controlling everything should mean that you can get all your ducks in a row before pulling back the curtain. The only thing that Apple is truly constrained by are its own self-imposed deadlines. The problem is, Apple keeps shooting itself in the foot. Rather than waiting until a new version of iOS is fully finished, for example, they rush an update out the door to coincide with the release of new iPhones.

Kirk McElhearn:

I recently wrote about Apple’s string of bad luck, with bad press, a bad keynote stream, the U2 album spamming fiasco, and, above all, the iOS 8.0.1 update that bricked a lot of users’ iPhones. If I were to go back in the archives of this website, I’d find other, similar articles about blunders when a new OS was released requiring an update quickly for some embarrassing problems, or when hardware issues that shouldn’t have happened plagued many users. […] I’ve increasingly had the feeling that Apple is finding it difficult to keep up with all these releases, and that quality is slipping.

Matthias Plappert:

Apple: “We cannot keep up with developing stable software for OS X and iOS, so let’s have a new programming language and create a watch OS.”

Caitlin McGarry:

Apple’s having a tough time. Its annual one-two punch of an iPhone launch plus an iOS upgrade—usually a time for celebration—has been followed this year by a compounding series of embarrassments.

Daniel Jalkut:

The biggest/richest company in the world, already staffed with many of the smartest and most creative people, shouldn’t get so many passes.

Tim Burks:

The Swift language project has been a major distraction for the development community and much more importantly for Apple’s internal focus on providing quality developer tools.

Justin Duke:

The review process and walled garden model, which was specifically designed to prevent bad customer experiences like upgrading to an app that breaks immediately, failed to keep out apps that literally cannot make it past the launch screen.

Fraser Speirs:

The iOS 7 and now iOS 8 rollouts have simply not been up to the quality of earlier releases. […] We have seen issues with crashing, devices rebooting, rotation glitches, keyboards playing up, touch screens not responding. Indeed I’m typing this while babysitting the full restore of an iPad that one pupil “broke” - through no fault of their own - while updating to iOS 8.

Gus Mueller:

There’s been a bit more grumbling than usual about the quality of Apple’s software recently. And I can’t help but feel like things have changed for the worse. Random crashes, system instability, background processes crashing and having to reboot to fix things. I’m sure I’ve said it before, but I really think Apple is trying to move too fast.

Mark Crump:

In hindsight, the trouble began in 2012. That’s when Apple moved OS X to the same yearly release cycle as iOS. Since OS X has always been the Peter that Apple robbed to pay Paul (the iOS release cycle), I was concerned Apple would be writing checks it couldn’t cash. […] All of these show systemic failure in Apple’s beta testing. It’s inexcusable for a major new feature like HealthKit to be pulled right after launch due to missed bugs. It’s even worse when an update makes your phone unable to make calls.

Clark Goble:

Apple’s been at a breakneck pace to compete with Google. However the time really has come to slow down a bit. The OS is mature. Yet the apis have been changing so fast it’s hard to keep up with what one is supposed to do.

Brent Simmons:

These days, programmers spend hours and days and weeks working very hard, and usually unsatisfactorily, on getting around bugs in their platform.

Michael Yacavone:

The hard edge of the watch image is an homage to the state of modern software development tools, exemplified by the typical developer experience of everything working fine, and then one day looking up to find a new language, 1,500 new APIs, yet another beta version of the IDE, your old code not working properly in the new SDK, a supposed “GM” release that is more buggy than the last beta, an end-user release recalled in hours, an update for a shell exploit dormant since the ’90s, as well as a wide variety of application interaction WTF, all marching toward a ship schedule so disconnected from quality, stability, and reliability it’s like walking off a cliff.

Kristopher Johnson:

Apple’s operating systems, applications, services, and development tools are all pretty janky. I hope someone at Apple worries about that.

I didn’t think yearly OS releases would be good for quality, and I continue to believe that Apple is trying to move too fast.

Update (2014-10-11): John Gruber and Guy English discuss this issue on The Talk Show.

Update (2014-10-12): Collin Allen:

There are so many bugs in iOS 8. How did this ever get through testing? Frustrating.

Landon Fuller:

For Apple to fix quality, it seems like they’d have to step back from deeply embedded process/cultural changes that arose with iOS’ success.

There are lots of comments on Reddit.

Update (2014-10-14): There are more comments at MacRumors.

Update (2014-10-15): Rob Griffiths writes what he would like Tim Cook to say about all this.

Update (2014-10-16): TUAW (comments):

With engineers at Apple working at full throttle to keep new updates coming down the pipeline, some have started to wonder if Apple’s resources are being stretched too thin. Especially for a company like Apple which tends to have leaner teams, some have voiced the opinion that Apple needs to take its foot off of the gas just a bit to help ensure that future software releases have the level of polish longtime Mac and iOS users are accustomed to.

Update (2014-10-18): Brian Pollack (via Dave Verwer):

Unfortunately, despite the awareness of these daily challenges, it is unclear what is being done to improve upon them. This brings me to my next point. Although Apple has nearly limitless financial resources, I found the company to be incredibly reactive. Eagerly throwing resources into addressing the current biggest user facing issue rather than building the necessary tooling and testing needed to prevent those in the future.

[…]

When project managers start tracking bug numbers upon nearing release dates, tactics or tricks are often used to hide or kill bugs in order to meet milestones. One common tactic was to simply make further investigation so onerous on the person who filed it that they give up and kill the bug, marking it as “not enough information to resolve”.

Update (2014-10-19): Nick Heer:

Apple’s been busy this year. But, as Michael Tsai’s quote roundup reveals, it hasn’t been smooth sailing — the buggy yearly iOS and OS X releases, in particular, have revealed a very rushed schedule. […] That Apple is working on yet another OS — Watch OS — isn’t a free pass for their declining software quality, however. While they were never perfect, the company has long been revered for its consistently-high quality bar. Now? Certainly not as much.

An Aging Collection of Unix Tools

Rob Griffiths:

So while Apple has patched bash, this version of the shell is simply ancient. Just how old is it? bash 3.2.53(1) is roughly seven years behind the current version, 4.3.25. Seven years is like, well, forever, in Internet time!

With that bash age gap in mind, I took at look at a number of common Unix apps—in both Mavericks and Yosemite—to see which versions were in use. Then I checked the same apps in MacPorts, a tool that makes it simple to install many Unix apps.

[…]

The results were interesting, to say the least—many of the core Unix utilities in OS X are years and multiple versions behind their open source, er, sources. You can thank GPL v3 for that, as noted above (and covered in more detail below).

Move Fast and Break Nothing

Zach Holman:

What happens is this: a request will come in as usual and run the existing (old) code. At the same time (or just right after it executes), we’ll also run the new code that we think will be better/faster/harder/stronger (pick one). Once all that’s done, return whatever the existing (old) code returns. So, from the user’s perspective, nothing has changed. They don’t see the effects of the new code at all.

[…]

Science (and its sister library, github/dat-analysis) can generate a graph of the number of times the code was run (the top blue bar to the left) and compare it to the number of mismatches between the control and the candidate (in red, on the bottom). In this case you see a downward trend: the developer saw that their initial deploy might have missed a couple use cases, and over subsequent deploys and fixes the mismatches decreased to near-zero, meaning that the new code is matching production’s behavior in almost all cases.

[…]

All of this gives you evidence to prove the safety of your code before you deploy it to your entire userbase. Sometimes we’ll run these experiments for weeks or months as we widdle down all the — sometimes tricky — edge cases. All the while, we can deploy quickly and iteratively with a pace we’ve grown accustomed to, even on dicey code. It’s a really nice balance of speed and safety.

This is the sort of thing that’s easier to do with hosted software. But it can be applied to apps as well: for example, a debug version of SpamSieve that runs both the old and new e-mail parsers and logs any differences in output.

Shellshock Security Bug in Bash

Huzaifa Sidhpurwala:

[…] the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

[…]

Bash has functions, though in a somewhat limited implementation, and it is possible to put these Bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable).

Troy Hunt:

Imagine an HTTP request like this:

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74

[…]

Put succinctly, Robert has just orchestrated a bunch of external machines to ping him simply by issuing a carefully crafted request over the web. What’s really worrying is that he has effectively caused these machines to issue an arbitrary command (albeit a rather benign ping) and that opens up a whole world of very serious possibilities.

[…]

The headlines state everything through 4.3 or in other words, about 25 years’ worth of Bash versions. Given everyone keeps comparing this to Heartbleed, consider that the impacted versions of OpenSSL spanned a mere two years which is a drop in the ocean compared to Shellshock.

Alastair Houghton:

Put another way, unless you have very old code running on your web servers, and unless you are doing something like running a public SSH server that allows restricted log-ins (e.g. to run Git or Subversion via SSH, but nothing else), the chances are that you aren’t vulnerable to remote exploits based on this. You should check, but you should not panic.

Future South Technologies (via Mike Rundle):

While watching their activities, I noticed something very odd. All of the hosts that appeared to be running their perl script were pretty high profile. Not just random web servers around the web, though they do have a separate channel for that. But this channel had a lot of domains sitting in it that would have most you your jaws dropped. The most prevalent of the two being lycos.com and – wait for it – yahoo.com.

Robert Graham:

The theory is the claim promoted by open-source advocates that “many eyes makes bugs shallow”, the theory that open-source will have fewer bugs (and fewer security problems) since anyone can look at the code.

What we’ve seen is that, in fact, very few people ever read code, even when it’s open-source.

Rich Mogull:

Not only is nearly every version of Unix vulnerable, including Linux and OS X, but most of the initial patches are not completely effective at blocking the hole. It’s a near-worst-case scenario where we have a piece of software on nearly every non-Windows server on the Internet — and plenty of personal computers thanks to Apple’s market growth — that is vulnerable to multiple kinds of remote attacks, all capable of completely taking over the system, with no way to stop it completely.

Apple’s OS X bash Update 1.0:

This update fixes a security flaw in the bash UNIX shell.

Straight to Windows 10

The Economist:

The replacement for its widely disparaged Windows 8 operating system turned out to be not Windows 9, as expected, but Windows 10. No explanation, other than marketing waffle, was given as to why the company should skip a release number.

[…]

Or was it, as several software developers tweeted, because so many legacy applications first check whether the computer being used is running a version of Windows beginning with number nine (as in Windows 95 or Windows 98). Had Microsoft’s new operating system been called Windows 9, it was argued, serious compatibility issues could have arisen.

Code such as OpenJDK 1.7 (via @newsoft):

if (osName.startsWith("Windows")) {
    isWindows = true;
    if (osName.startsWith("Windows 9") ||
        osName.startsWith("Windows Me"))
    return; // win9x/Me cannot handle long paths
}

Similar version number comparison problems also show up with Java for Mac.

Update (2014-10-12): Jason Snell:

This sounds ridiculous enough to be an Internet hoax, yet it appears to be real. And it led to a pretty funny joke from Ray Ozzie, developer of the ancient Windows program Lotus Notes.