Archive for July 23, 2019

Tuesday, July 23, 2019

xattr Flags and iCloud Drive

Howard Oakley:

If you work with xattrs, you’ve probably already seen this in xattrs whose name ends with a hash # then one or more characters: that’s actually the flags, not part of the name, what Apple refers to as a ‘property list’. To avoid confusion I won’t use that term here, but refer to them as xattr flags. A common example of this is, which is seen quite widely.

Flags can be upper or lower case letters C, N, P and S, and invariably follow the # separator, which is presumably otherwise forbidden from use in a xattr’s name. Upper case sets (enables) that property, whilst lower case clears (disables) that property.


The sought-for ‘whitelist’ is actually baked into the xattr flag code, where as of 2013 the following default flags are set for different types of xattr[…]


If you want a xattr preserved when it passes through iCloud, you therefore need to give it a name which ends in the xattr flag S, such as co.eclecticlight.MyTest#S.

This is like filename extensions all over again, cramming two pieces of data into the same field. If you have an app that uses xattrs (maybe even from before iCloud Drive was introduced), you need to migrate all your metadata (and forever check the old xattrs when reading a file) if you want to set the “flags” for proper iCloud treatment.


Update (2019-07-24): Howard Oakley:

Thus the S flag preserved all the xattrs containing Skim’s annotations, but when that file was opened in Skim, it was unable to read them because it doesn’t strip the xattr flags from their names when reading xattrs. And that is the problem with this technique: although the xattrs are, in general, preserved, because most apps don’t expect to have to handle xattr flags appended to their names, the preserved xattrs aren’t used – after all that.

The solution therefore is for all apps which access xattrs by name to drop any xattr flags from the names before using them. This demonstrates the cost of this elegant kludge. As this isn’t handled transparently in calls such as getxattr() which access xattrs, every app is left to its own devices to handle xattr flags appended to xattr names, which is inefficient and encourages inconsistencies between apps.

Update (2019-07-25): Pierre Habouzit:

In general xattrs are a difficult challenge to sync because of the fact that it’s a thing that has no meaning for the end user, and the problem it’s trying to solve is that xattr serve very different purposes, some are metadata for the document (XATTR_FLAG_SYNCABLE), some are about metadata tied to the machine you’re on and make no sense on another machine (XATTR_FLAG_NO_EXPORT), or is privacy sensitive.

The two motivations FWIW are completely for good user experience for 3 reasons:

  • privacy
  • not blowing up your data plan because you have an xattr used for indexing e.g. that keeps being updated
  • avoiding fake “conflicts” in the sync UI that would be extremely confusing.

is it more work for developers? yes.

but this is to eventually get a better user experience. syncing everything by default, because the sync engine cannot understand what is a meaningful change and what isn’t, would pop up the user due to conflicts on xattrs ALL THE F-ing time.

so instead we rely on developers to tell us what is really important to sync for the document to be whole (and in general we prefer packages with metadata in a plist inside the document or in a Resource/ subdir of the bundle).

To be clear, I think the flags seem to do a good job of solving real problems. I just don’t think their existence was communicated very well, and the implementation—combining them with the name—is not very friendly to pre-existing data (or xattrs that need to change flags later).

Update (2019-07-26): Howard Oakley:

Jonathan Levin – who of course does know all about these, and has now added a short section about them to volume I of his reference books on Apple’s operating systems – points out that xattr flags only affect copy behaviour under the copyfile(3) API. That means that copies made using the Finder will respect them, and will strip xattrs where so instructed, but cp in Terminal doesn’t, and preserves all xattrs regardless of their flags. That can of course be a mixed blessing.

Trusting iCloud Drive

Dave Verwer:

I’d be much, much happier with the weird situation where one part of the system says it’s full, while another says there is 5Gb free if I was constantly being shown error messages. In that case, it’d just be a bug with the amount of space being shown in some places, I’d know I was really out of space and I’d upgrade.

No, it’s the silent failure and the fact that a file that seems to be synced with no errors, but actually isn’t that is so troubling. Unless something really major changes, I don’t think I’ll ever be able to trust iCloud Drive with my critical files.

Something to consider if you’re thinking of switching from Dropbox.

Tony Arnold:

Narrator: this did not end well.

Git repos stores in iCloud Drive die a horrible death if you try to actually interact with them.

Meek Geek:

I’ve tried moving a Git repo into iCloud Drive. It spun for a while, then flat out stopped syncing everything on the Mac after that. Such is a feature instead of a product, eh?

Cédric Luthi:

I can see my document in iCloud Drive but every time I try to recover it, I get a “Download Error”. SO UNRELIABLE.


Annoying Catalina Security Features

Jason Snell:

After 24 hours of trying to use Catalina in earnest with all my data and apps intact, the new security features are incredibly annoying. Apps constantly asking for permission to see various folders, lots of relaunches and trips to System Preferences. It’s really unpleasant.

At WWDC Apple’s presenters said they would not prevent you from running software you wanted to run on your Mac, but these interface choices are disaffecting. It feels like my Mac is fighting my choices every step of the way, and there’s not even a button to turn it all off.

Erik Schwiebert:

Apple is going to end up learning the lesson Microsoft did with Vista’s UAC prompts. Users end up getting conditioned to blindly click OK because the “security” just gets in their way. It’s a mess.

Mark Hougaard Jensen:

I, apparently as the only one, think it’s great. I found out for instance that Google’s “backup from this Mac” app wants to log all of my keystrokes. I’d never have known if Catalina didn’t tell me.

[Update (2019-07-26): I’m not sure what this is referring to, as apps such as TextExpander and Dash that need to monitor which keys you type have long needed to ask for accessibility access. There’s speculation that the warning is about registering a global hotkey, in which case it sounds like it’s misleading or was misinterpreted by Jensen.]

Kyle Howells:

They won’t actually prevent you from the running software. They’ll just limit how much they can do and make what they still can do impossibly annoying to use until you voluntarily give up and stop using them.

Bryan Jones:

Agreed. It also irritates me that GateKeeper is automatically re-enabled periodically.

I constantly have to turn it off in Terminal just to open a bash script marked as executable in a text editor.

Brad Brown:

The worst so far for me is that all my QuickLook plugins are blocked, and while permission dialogs are annoying for other things, I can’t even find a way to whitelist those plugins anywhere.

John Gruber:

I sincerely think Apple should add a single “expert mode” preference to OK all of this at once. Maybe even make it something you have to type in Terminal, to discourage looky-loos, but something you only have to do once.

Peter N Lewis:

I think the security preferences needs to be flipped over, so applications are listed, and then permissions associated with them, with a big red switch at the top for “allow all”.

Daniel Kennett:

Modern Mac development! \o/

James Thomson:

Honestly, this is all part of my decision not to rewrite DragThing. The writing is on the wall for system level utilities, even if it’s tolerated currently...

Peter N Lewis:

[It] is clear Apple wants to stop all levels of unapproved workflow apps, despite it being essential both for business and even more so for accessibility assistance.


Transmit 5.5.2, released today, will be the last version to support the current iteration of Transmit Disk. To prepare Transmit 5.6 for Catalina, we must support hardened runtime, which means dropping Transmit Disk and OS X El Capitan (10.11).

Wil Shipley:

App sandboxing has set app development back more than anything else. I love security but it was designed wrong from the beginning. Should have just replaced the system calls instead of trying to be invisible and magic.


It wouldn’t have been trivial to create a new set of API calls that were secure and remove access to the old ones, but it would have been a billion times better for developers and users than the current hyperlink nightmare.

Daniel Jalkut (tweet):

The Catalina 10.15 public beta identifies software that has not been notarized as potentially risky because it “cannot be scanned for malware.”

Peter N Lewis:

And the (“cannot be scanned for malware.”) is such a lie, since Apple could clearly just check it at that point - why not just add a Scan button, and have it scan using the same process. Why? Because Notarisation is about controlling developers, not about security.

macOS doesn’t even tell you that there’s a way to bypass the check by using the Open command in the contextual menu.


Update (2019-07-24): Kyle Howells:

“Locking everything down that they can” is exactly what they are doing. And it’s killing the mac. If you lock everything down, you no longer have a powerful computer capable of anything I want to do, you have an iOS device with a different UI.

Dave Mark:

Disheartening. This is the first Mac beta I can remember that didn’t call to me. 🙁

Peter N Lewis:

This is the first OS X where I really really don’t want to upgrade for reasons other than concern about bugs. This drops support for 32-bit, breaking lots of old games and tools, and adds a whole bunch of security theatre road blocks.

Shawn King:

Same here. This is the first OS X version I won’t upgrade until I’m forced to.

See also: The Talk Show.

Update (2019-07-26): Martin Pilkington:

I think the first time I encountered it was opening an Xcode project from the desktop. Understandable if wanting to access the desktop directly without any user input, but seems a tad overkill for those cases where I explicitly tell an app “open something in ~/Desktop/Foo/”

Rosyna Keller:

Yes, that is supposed to be inferred access. Through the betas, inference is getting much, much better.

See also: Reddit.

Update (2019-07-29): Peter Steinberger:

Anyone seen that one yet? App doesn’t start anymore, no idea how to fix.

Message from debugger: Error 1

The fix:

sudo DevToolsSecurity -enable

Finding that took me 3 hours. Yay.

Update (2019-08-13): Craig Hockenberry:

This constant barrage of security permission dialogs on Catalina would be a lot less distasteful if a modicum of thought went into the user experience. Everything about the flow, including help that’s incorrect when you click on ?, is about accessibility, not the user’s goals.

Update (2019-08-16): Joe Barbour:

Could you explain why @sip_app wants to record my entire screen? No where in your terms of service does it state you will record the users screen, this is illegal.

Paulo Andrade:

Sip is a color picker. The warning in Catalina makes its users feel insecure...

See also: The Talk Show.

Update (2019-08-20): Paul Kim:

In case you haven’t figured it out yet, third-party System Preference panes on Catalina are loaded into a separate “legacyLoader” process. Can’t find any mention of this and had to find out through back channels. This is also responsible for all sorts of display bugs. Lovely.

Update (2019-12-20): John Gruber:

I have not touched the Simulator in about 24 hours. I just got this alert while I was typing in MarsEdit and really in the flow. The modality of the alert interrupted me mid-sentence.

Update (2020-01-30): Steve Troughton-Smith:

Speaking of Catalina and its dialogs, this daily popup drives me crazy. No indication what causes it, and if I don’t enter my password I can’t continue using the machine. Checking Activity Monitor suggests it’s Mail-related

How Many Gold Apple Watches Were Sold?

Joe Rossignol:

As for the $10,000-plus, 18-karat gold Apple Watch Edition, the report claims Apple’s sales were “in the low tens of thousands” of units, with “few after the first two weeks.” The line was discontinued in September 2016 after just 16 months and, humorously, the gold models are now stuck on watchOS 4 and below.

Nick Heer:

Even with the lowest possible numbers within this framing — 10,000 units sold of a minimum $10,000 product — that still means Apple made a hundred million dollars on the first-generation Edition. I’m not making a judgement on whether this is good, obviously, but it’s noteworthy.


App Store Takedown Demands by Governments

Juli Clover (Hacker News):

Apple received a total of 80 requests from 11 countries to remove 634 apps from various App Stores in different countries. While Apple did not provide specific details on which apps it was asked to pull, requests from China made up the bulk of total takedown requests.

China asked Apple to remove 626 apps, and Apple ultimately pulled 526 of those. Apple also pulled a smaller number of apps at the request of Vietnam, Austria, Kuwait, Lebanon, the Netherlands, Norway, Russia, Saudi Arabia, Switzerland, and Turkey.

The transparency report, from the second half 2018, is here.