Archive for March 2021

Wednesday, March 31, 2021

Goodbye, Cortana

Tim Hardwick:

Microsoft today discontinued its Cortana mobile app. As a result, the company has ended all support for third-party Cortana skills and eliminated the Cortana app for iOS and Android devices.


The eponymous mobile app was originally launched in November 2018, but apparently never gained a user base big enough in its short lifetime for Microsoft to consider it worth maintaining.


Update (2021-03-31): Tanner Bennett:

Not that I would have even used it, but Cortana as an app could never compete with the built in virtual assistant. It’s a shame regulatory action hasn’t ever been taken to force Apple to allow us to set a default assistant.

Subscribing to Updated Blog Posts

Readers of this blog have been asking for an RSS feed for the Recently Updated page. I have not figured out how to do this with WordPress yet. However, with NetNewsWire 6 it is now possible to subscribe to a Twitter search of the #mjtsaiupdate tweets that I post.


How to Set Up Core Data and CloudKit

Becky Hansmeyer (tweet):

Turns out, if you want to sync Core Data-backed data between devices and have those changes reflected in your UI in a timely manner, you have some more work to do. To figure out what that work is, you can’t look at Apple’s Core Data templates. You have to look at their sample code.


Don’t be like me: make sure your schema is deployed.

After launch, remember that you still have to do this every time you change your Core Data model, before you release your update to testers or the App Store. If your production CloudKit schema doesn’t properly correspond to your production Core Data model, syncing is going to break in all kinds of terrifying ways.


Making NSFetchRequest.fetchBatchSize Work With Swift

Apple Frameworks Engineer:

Set in Swift is an immutable value type. We do not recommend making Core Data relationships typed this way despite the obvious convenience. Core Data makes heavy use of Futures, especially for relationship values. These are reference types expressed as NSSet. The concrete instance is a future subclass however. This lets us optimize memory and performance across your object graph. Declaring an accessor as Set forces an immediate copy of the entire relationship so it can be an immutable Swift Set. This loads the entire relationship up front and fulfills the Future all the time, immediately. You probably do not want that.

It’s so convenient, though, and often it doesn’t matter because it’s a small relationship or one that you will be fully accessing anyway. Perhaps the answer is to provide a duplicate set of NSSet accessors for use when you want the lazy behavior enabled by the class cluster.

Similarly for fetch requests with batching enabled, you do not want a Swift Array but instead an NSArray to avoid making an immediate copy of the future.

Needless to say, the documentation doesn’t mention this, but it does do a good job of explaining what fetchBatchSize does:

If you set a nonzero batch size, the collection of objects returned when an instance of NSFetchRequest is executed is broken into batches. When the fetch is executed, the entire request is evaluated and the identities of all matching objects recorded, but only data for objects up to the batchSize will be fetched from the persistent store at a time. The array returned from executing the request is a proxy object that transparently faults batches on demand. (In database terms, this is an in-memory cursor.)

You can use this feature to restrict the working set of data in your application. In combination with fetchLimit, you can create a subrange of an arbitrary result set.

Under the hood, this works by eagerly fetching the object IDs and lazily fetching and caching the objects, in batches, as they are accessed. The implementation is more optimized than what you could implement yourself, passing the object IDs to SQLite via temporary tables rather than as parameters to the SQL statement. There are some caveats to be aware of:

So, how do you get the optimized fetchBatchSize behavior when using Swift? The Apple engineer suggests using an NSArray, which I take to mean casting the result of the fetch via as NSArray to disable automatic bridging and give your Swift code the original NSArray. However, my experience is that this doesn’t work. All the objects get fetched before your code even accesses the array. I think it’s because the special as behavior is for disabling bridging when calling Objective-C APIs from Swift, but NSManagedObjectContext.fetch(_:) is an overlay method implemented in Swift, not just a renaming of -[NSManagedObjectContext executeFetchRequest:error:].

This can be worked around by using an Objective-C category to expose the original method:

#import <CoreData/CoreData.h>

// Exposes the original Objective-C method under a name the Swift overlay does not replace.
@interface NSManagedObjectContext (MJT)
- (nullable NSArray *)mjtExecuteFetchRequest:(NSFetchRequest *)request error:(NSError **)error;
@end

@implementation NSManagedObjectContext (MJT)
- (nullable NSArray *)mjtExecuteFetchRequest:(NSFetchRequest *)request error:(NSError **)error {
    return [self executeFetchRequest:request error:error];
}
@end

Then you can implement a fetching method that preserves the batching behavior:

import CoreData

public extension NSManagedObjectContext {
    // Returns the un-bridged NSArray so the batch-faulting proxy is preserved.
    func fetchNSArray<T: NSManagedObject>(_ request: NSFetchRequest<T>) throws -> NSArray {
        // @SwiftIssue: Doesn't seem like this cast should be necessary.
        let protocolRequest = request as! NSFetchRequest<NSFetchRequestResult>
        return try mjtExecute(protocolRequest) as NSArray
    }

    func fetch<T: NSManagedObject>(_ request: NSFetchRequest<T>,
                                   batchSize: Int) throws -> MJTBatchFaultingCollection<T> {
        request.fetchBatchSize = batchSize
        return MJTBatchFaultingCollection(array: try fetchNSArray(request))
    }
}

The first method gives you the NSArray, but that is not very ergonomic to use from Swift. First, you have to cast the objects back to your NSManagedObject subclass. Second, it doesn’t behave well when an object is deleted (or some other SQLite error occurs) between your fetch and when Core Data tries to fulfill the fault.

If you’re using Swift, you can’t catch the NSObjectInaccessibleException, so you should be using context.shouldDeleteInaccessibleFaults = true. This means that instead of an exception you get a sort of tombstone object that’s of the right class, but with all its properties erased.

But it’s hard to remember to check for that each time you use one of the objects in the NSArray, and you probably don’t want to accidentally operate on the empty properties. So the second method uses a helper type to try to make the abstraction less leaky, always giving you either a valid, non-fault object or nil:

public struct MJTBatchFaultingCollection<T: NSManagedObject> {
    let array: NSArray
    let bounds: Range<Int>

    // array is presumed to be a _PFBatchFaultingArray from a fetch request
    // using fetchBatchSize.
    public init(array: NSArray, bounds: Range<Int>? = nil) {
        self.array = array
        self.bounds = bounds ?? 0..<array.count
    }
}

extension MJTBatchFaultingCollection: RandomAccessCollection {
    public typealias Element = T?
    public typealias Index = Int
    public typealias SubSequence = MJTBatchFaultingCollection<T>
    public typealias Indices = Range<Int>
    public var startIndex: Int { bounds.lowerBound }
    public var endIndex: Int { bounds.upperBound }

    // Returns nil instead of a tombstone when the object is gone.
    public subscript(position: Index) -> T? {
        guard
            let possibleFault = array[position] as? T,
            let context = possibleFault.managedObjectContext,
            // Unfault so that isDeleted will detect an inaccessible object.
            let object = try? context.existingObject(with: possibleFault.objectID),
            let t = object as? T else { return nil }
        return t.isDeleted ? nil : t
    }

    public subscript(bounds: Range<Index>) -> SubSequence {
        MJTBatchFaultingCollection<T>(array: array, bounds: bounds)
    }
}

extension MJTBatchFaultingCollection: CustomStringConvertible {
    public var description: String {
        // The default implementation would realize all the objects by printing
        // the underlying NSArray.
        return "<MJTBatchFaultingCollection<\(T.self)> bounds: \(bounds)>"
    }
}

It’s still a bit leaky, because you have to be careful to only access the collection from the context’s queue. But this is somewhat obvious because it has a separate type, so you’ll get an error if you try to pass it to a method that takes an Array.

The batch faulting behavior and batch size are preserved if you iterate over the collection or slice it. (When iterating the NSArray directly, small batch sizes don’t work as expected because NSFastEnumerationIterator will always load at least 16 objects at a time.)


Replacing vs. Migrating Core Data Stores

Apple Frameworks Engineer:

Additionally you should almost never use NSPersistentStoreCoordinator’s migratePersistentStore method but instead use the newer replacePersistentStoreAtURL. (you can replace emptiness to make a copy). The former loads the store into memory so you can do fairly radical things like write it out as a different store type. It pre-dates iOS. The latter will perform an APFS clone where possible.

Tom Harrington:

[This] method is almost totally undocumented, so you’re on your own working out how to use it. The dev forums post mentioned above is from summer 2020. The replacePersistentStore(...) method was introduced five years earlier in iOS 9, but the forum post was the first time most of the information appeared.

[This] is the first suggestion I’ve seen that migratePersistentStore(...) might not be a good idea anymore. It’s not deprecated and I haven’t seen any previous source recommending against its use.

There are some comments in the header.

Incidentally you won’t find this if you’re using Swift and ⌘-click on the function name. You need to find the Objective-C header. One way to do this in Xcode is to press ⌘-shift-O and start typing the class name.


Its declaration says it can throw. I tried intentionally causing some errors but it never threw. For example, what if sourceURL points to a nonexistent file? That seems like it would throw, especially since the function doesn’t return anything to indicate success or failure. It doesn’t throw, although there’s a console message reading Restore error: invalidSource("Source URL must exist").

He’s figured out a lot, though other important details like the APFS support remain a mystery.

Tom Harrington:

The demo app I’ve been using is now on GitHub. You can take a look here. Or go directly to the diff of replacing migrate with replace here.


The backup process is simpler than it used to be, because replace doesn’t have the same side-effect that migrate did of unloading the persistent store.


Even though the migrate and replace methods seem pretty similar, the semantics are slightly different when the destination is a currently-loaded store. My new restore code reflects that.


Tuesday, March 30, 2021

More Apple Repair Providers and Lobbying

Apple (MacRumors, Hacker News):

Apple’s Independent Repair Provider program will soon be available in more than 200 countries, nearly every country where Apple products are sold. Launched originally in 2019 and expanded to Europe and Canada last year, the program enables repair providers of all sizes access to genuine Apple parts, tools, repair manuals, and diagnostics to offer safe and reliable repairs for Apple products. There are now more than 1,500 Independent Repair Provider locations serving customers across the US, Canada, and Europe.

Sami Fathi (tweet):

Apple, HP, and Honeywell are lobbying against a bill in the Nevada statehouse that would require electronic hardware manufacturers to provide device schematics, device parts, and instructions to third-party repair shops for device repairs, according to the Associated Press.


The bill aims to remove the requirement for customers to go to authorized dealers for repairs by allowing them to use smaller independent repair shops as well. Apple has long faced pressure to expand accessibility to device parts and schematics, and it’s previously put up battles to maintain its tight control over device repairs.

Cameron Demetre, the regional executive director of TechNet, a trading group representing Apple, HP, and Honeywell in committee hearings on the bill, says that his clients are concerned about the potential exposure that third-party repair shops will have to personal users’ data when repairing devices.

I get that Apple repeats the word “privacy” a lot, but is there actually any reason to believe that its repair subcontractors are more likely to treat users’ data well? And we already know that it requires its IRPs to report customers’ personal data back to the mothership.


WWDC 2021 Announced and New Developer App


Apple today announced it will host its annual Worldwide Developers Conference (WWDC) June 7 through 11, in an all-online format. Free for all developers, WWDC21 will offer unique insight into the future of iOS, iPadOS, macOS, watchOS, and tvOS.


We’ve made improvements to the look and feel of the Developer app across iPhone, iPad, and Mac to help you enjoy articles, videos, news and announcements, and past WWDC content. You can browse content more easily on iPad with a new sidebar (iPadOS 14 or later), enjoy fullscreen video content on larger Mac displays, and discover content to watch and read using the new Search area.

John Voorhees (also: MacRumors):

The sidebar of Developer is now easier to navigate. On the iPhone and iPad, content categories, such as Design, Frameworks, and Graphics and Games, can now be collapsed, greatly reducing the amount of vertical scrolling when browsing news and sessions. The iPhone and iPad versions of the app use a more compact, tile-based layout for the Discover tab, which allows for more items to be featured too. The design works well on the smaller screen of the iPhone, but where it really shines is on the iPad and Mac’s larger screens.

The Mac version crashes at launch on Catalina. I also tried it on Big Sur, where it’s better than before but still just a bad app. This is Apple’s example to developers of how to make a universal app using Catalyst. It’s been almost two years now since Craig Federighi said the Catalyst apps were going to get “really good.” Are any of them good now? I see Maps praised a lot, but the arrow keys don’t work properly in its sidebar, and its preferences look funny.


Update (2021-04-16): Russell Ivanovic:

Mac development must be so damn hard. Not even Apple can get a simple view resize to work without animation glitches. Where did those black flying tiles come from, where are they going? Who knows? 🙃

Also, the sidebar doesn’t animate when you change the font size, like in regular Mac apps.

The app now works on Catalina.

Update (2021-06-18): Tom Harrington:

Apple’s Developer app has a feature called “copy code” for some videos that displays code used in the video. Despite the name, there’s not actually any way to copy the code. I don’t know why it’s called that.

You also can’t copy text from the Code tab, and other text in the app is not selectable or copyable. Additionally, there’s no way to select or download more than one video at a time.

Sparse Files Are Common in APFS

Howard Oakley:

Increasing numbers of files written by all sorts of different apps and services consist of large voids, between islands of meaningful data. Storing lots of void data is wasteful, so what APFS tries to do is store only the real data.


Sparse files are kept in sparse format as much as possible, and when copied or duplicated within the same volume should be kept in sparse format. Copying them between different volumes and disks isn’t so predictable, and sometimes leads to them ‘exploding’ to full size. That is normal when they’re copied to file systems like HFS+ which don’t support sparse files, and to iCloud.

You should expect all sparse files to be expanded fully when they’re backed up to HFS+ disks, as with Time Machine prior to Big Sur, which may not estimate their expanded size correctly either, as I have described. Expansion takes place at the source of a copy: for example, if you copy a sparse file from your internal APFS disk to an external disk in HFS+ format, the full expanded size of data will have to be copied across to the external disk.


Throughout my quest for these elusive sparse files, I had assumed that only certain apps could create them. That isn’t true: macOS now defaults to creating all files in sparse format when certain conditions are met.


When you use the FileHandle class to create a new write handle, a sparse file is created automatically. For example, if you write a block of data, then seek one block by calling seek(toFileOffset:), and then write another block, the data stored on disk is organized as follows:

ExpanDrive and File Provider Framework

Jason Snell:

Long-time Mac storage utility maker ExpanDrive has launched StrongSync, a $50 utility that… sort of does what ExpanDrive already does? Like its big brother, StrongSync allows you to view cloud storage services as if they were hard drives mounted on your Mac.


For storage providers the alternative to using kernel extensions is macOS Big Sur’s File Provider framework. This framework basically allows third-party apps to provide a bridge between the Mac’s filesystem and their cloud-storage providers of choice.


What this means for you: files get downloaded and open when you need them. They don't suck up any free space while not in use. It is fast as if it was local, because it's all on your SSD - not network drive or kernel extension. Strongsync supports Sharepoint, OneDrive for Business, Google Drive and Google Workspace, Box with more clouds (Dropbox!) coming soon.

There’s also an S3 Pro app.


Monday, March 29, 2021

How to Stop Mac App Store Notifications

Jeff Johnson:

Notifications Preferences lists apps in alphabetical order, but it’s missing A! Can you say App Store, kids?


Enter the following command.

defaults write LastUpdateNotification -date "2029-12-12 12:00:00 +0000"


Update (2021-05-24): Tanner Bennett:

This may just finally put an end to my suffering. Now… how do we clear the badge?

PHP’s Git Server Compromised

Nikita Popov (via Hacker News):

Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don’t yet know how exactly this happened, but everything points towards a compromise of the server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.


Update (2021-04-07): Nikita Popov (via Hacker News):

We no longer believe the server has been compromised. However, it is possible that the user database leaked.
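The commits described above carried maintainers' names without coming from them; git's author field is free text, so one mitigation is to accept a protected identity only when the commit has a good signature from a key registered to that person. The following is an added example, not code from the PHP project or from this blog: it audits the output of `git log --format='%H%x09%an%x09%ae%x09%G?%x09%GF'`, and the e-mail addresses, key fingerprints, commit ids and log lines in it are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Maintainer:
    name: str
    email: str
    key_fingerprints: frozenset


@dataclass(frozen=True)
class Finding:
    commit: str
    author: str
    reason: str


# Constructed allowlist: addresses and fingerprints are placeholders.
MAINTAINERS = (
    Maintainer("Rasmus Lerdorf", "rasmus@example.invalid", frozenset({"A" * 40})),
    Maintainer("Nikita Popov", "nikita@example.invalid", frozenset({"B" * 40})),
)

# Meaning of the status letters git prints for %G?.
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}


def claimed_maintainer(name, email, maintainers=MAINTAINERS):
    """Return the protected identity a commit claims, by name or e-mail."""
    for m in maintainers:
        if name.strip().casefold() == m.name.casefold():
            return m
        if email.strip().casefold() == m.email.casefold():
            return m
    return None


def audit(log_text, maintainers=MAINTAINERS):
    """Flag commits that claim a protected author without a trusted signature."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            findings.append(Finding(f"line {lineno}", "?", "unparseable log line"))
            continue
        commit, name, email, status, fingerprint = fields
        owner = claimed_maintainer(name, email, maintainers)
        if owner is None:
            continue  # not a protected identity, out of scope for this check
        if status != "G":
            reason = SIG_STATUS.get(status, f"unknown status {status!r}")
            findings.append(Finding(commit, name, reason))
        elif fingerprint.strip().upper() not in owner.key_fingerprints:
            findings.append(
                Finding(commit, name, "signed by a key not registered to this author"))
    return findings


def row(n, name, email, status, fingerprint=""):
    """Build one constructed log line in the tab-separated format above."""
    return "\t".join([f"{n:040x}", name, email, status, fingerprint])


# Constructed sample input, not taken from any real repository.
SAMPLE_LOG = "\n".join([
    row(1, "Nikita Popov", "nikita@example.invalid", "G", "B" * 40),   # legitimate
    row(2, "Rasmus Lerdorf", "rasmus@example.invalid", "N"),           # unsigned
    row(3, "Nikita Popov", "nikita@example.invalid", "G", "C" * 40),   # foreign key
    row(4, "Some Contributor", "contributor@example.invalid", "N"),    # unprotected
    row(5, "Rasmus Lerdorf", "someone-else@example.invalid", "U", "C" * 40),
])

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.commit[:12]}  {f.author}: {f.reason}")
```

The status letters only mean something if the machine running `git log` has the maintainers' public keys in its keyring; without them every signed commit reports `E`.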

c0design Checker


Wrapper for codesign, spctl & stapler to check code signing and notarisation of individual or all non system applications.

NetNewsWire 6.0 for Mac

Brent Simmons (tweet):

Changes since 5.1.3:

  • Big Sur app icon
  • Big Sur UI (when running on Big Sur)
  • App is now sandboxed
  • Apple Silicon native code
  • Syncing via iCloud
  • Syncing via BazQux, Inoreader, NewsBlur, The Old Reader, and FreshRSS
  • Share extension, so you can send URLs to NetNewsWire
  • Special support for Twitter and Reddit feeds
  • Sidebar contextual menu commands for turning on and off Reader View and for notifications
  • High resolution icons in the sidebar (when available)
  • External link, when available, shows in article view
  • Preference to change article text size
  • Preference to set preferred browser

The new iCloud syncing works well in my experience. But be careful to only move feeds to iCloud that you’ve caught up on—older articles are not transferred.

The Twitter support is also interesting. In addition to subscribing to a screen name (e.g. to avoid missing certain tweets or having them fall off the view of your Twitter client if you get behind), you can also subscribe to mentions and searches.


Medium Buyouts and Leadership Change

Casey Newton (Hacker News):

In a blog post, billionaire Medium founder Ev Williams announced the latest pivot for the nearly nine-year old company. Just over two years into an effort to create a subscription-based bundle of publications committed to high-quality original journalism — and in the immediate aftermath of a bruising labor battle that had seen its workers fall one vote short of forming a union — Williams offered buyouts to all of its roughly 75 editorial employees.


Medium entered the year with more than 700,000 paid subscriptions, putting it on track for more than $35 million in revenue, according to two people familiar with the matter. That’s a healthy sum for a media company. But it represents a weak outcome for Williams, who previously sold Blogger to Google and co-founded Twitter, which eventually went public and today has a market capitalization of more than $50 billion.

Medium has raised $132 million in venture capital, but its last funding came in 2016. Williams has been funding the company out of his own pocket since then, sources said.

Ev Williams:

To be clear, we had no illusion these publications were going to pay for themselves in the short term. The bet was that we could develop these brands, and they would develop loyal audiences that would grow the overall Medium subscriber base. What’s happened, though, is the Medium subscriber base has continued to grow, while our publication’s audiences haven’t.

Edward Ongweso Jr.:

In his email, Williams announced that the company’s editorial strategy would be shifting away from a focus on publications, seeking to support some “more focused, high-affinity publications” as part of focusing on “supporting independent voices on our platform.”


The move feels in some ways to emulate parts of the individual-based strategy that Substack has championed in the past few months, offering to showcase individual writers and provide them with deals and some support.

Dave Winer:

Medium has been around since 2011, getting pretty close to ten years, and in that time, they have switched business strategies many times. They appear to have done it again yesterday. So here’s another opportunity to take stock of writing on the web, and where we have been and what could change.

Adam Chandler:

I don’t really care if Medium survives or doesn’t but let’s think of the writers here. I’m not talking about the major media blogs who hung up their CMS and identities and moved all-in to Medium for the convenience or desperation but let’s talk about the people my size who published to Medium. They took hours out of their week to publish on Medium and the site will die and take their stories with it.


It is a shame how things went for Medium but like Blogger and eventually, WordPress, these products will die and your data will die with it. This is why owning your data is so important and only using services that support data portability, open source and standards is always going to win on an infinite timescale.

$35 million in revenue should be plenty to keep the lights on, so I don’t think there’s an immediate risk of losing what you’ve posted. But the trajectory of changes is not looking good, and without support for custom domains your links are guaranteed to break if you ever have to move.


Saturday, March 27, 2021

Firefox’s SmartBlock

Thomas Wisniewski (via Hacker News):

In building these extra-strong privacy protections in Private Browsing windows and Strict Mode, we have been confronted with a fundamental problem: introducing a policy that outright blocks trackers on the web inevitably risks blocking components that are essential for some websites to function properly. This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all.


To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock. SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy.

SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact.

This sounds like quite a different approach from Safari’s Intelligent Tracking Prevention. SmartBlock apparently uses a static list of trackers, whereas Safari tries to learn (on device) what to block. So Firefox may be more reliable with known bad actors, whereas Safari may catch more of the long tail but be less consistent from one device to another. SmartBlock tries to prevent breaking sites by substituting stand-in scripts, whereas Safari loads the trackers but segregates the data. So it’s possible that Firefox will break some sites if the stand-in scripts don’t behave properly, but it should provide better performance and use less bandwidth. On the other hand, some sites don’t work in Safari unless you turn off ITP.


Multiple Alternative Channels

Asha Barbaschow (MacRumors, Slashdot):

Apple has responded further to the Australian consumer watchdog’s probe of app marketplaces, this time rejecting characterisation that the Apple App Store is the most dominant app marketplace and saying there are other options for iOS users, such as by going to a website.

“Apple perceives and treats other distributors of apps, for platforms other than iOS, as significant competitors whose pricing and policies constrain Apple’s ability to exercise power over developers,” the iPhone maker said in a submission [PDF] to the Australian Competition & Consumer Commission (ACCC)


“Apple faces competitive constraints from distribution alternatives within the iOS ecosystem (including developer websites and other outlets through which consumers may obtain third party apps and use them on their iOS devices) and outside iOS,” it said.

Which developer sites are distributing iOS apps? Is Apple actually citing competition from jailbreak apps?

“Even if a user only owns iOS-based devices, distribution is far from limited to the Apple App Store because developers have multiple alternative channels to reach that user.

“The whole web is available to them, and iOS devices have unrestricted and uncontrolled access to it. One common approach is for users to purchase and consume digital content or services on a website.”

Ah, yes, the sweet solution.

Dan Masters:

This smacks of disingenuousness.

Marco Arment:



A whole list of relatively unimportant apis turn up but PWAs seem to be deliberately restricted.

Kosta Eleftheriou:

brb, implementing my Apple Watch keyboard as a web app.

Colin Cornaby:

Apple: We have to be the only source of apps on the iPhone to keep users and the network safe

Also Apple: What do you mean we’re the only source of apps

Mike Rockwell:

But we all know — including the folks at Apple — that this is pretty lame. Web apps are not even close to being in the same league as native apps.

There should be a way to distribute apps outside of the App Store. The absence of this capability is holding the platform back.

Nick Heer:

Regardless of whether I would personally prefer more flexibility with my own devices, it is frustrating that I cannot decide that without switching to a worse platform that has generally lower-quality apps.


I wish apps did not individually handle updates in their own way on my Mac. I wish that all of them could tie into a universal software update mechanism, so my apps are always up to date no matter whether I got them from the App Store or elsewhere. I appreciate Sparkle for what it is, but I prefer silent updates done in the background.

Apple certainly could make it possible for a universal update mechanism to work with apps not sold through the App Store. It even used to maintain a MacUpdate-style list of Mac apps, with direct download links. It’s just that it doesn’t consider this a high priority and, as with security, wants people to ascribe the benefits to the App Store itself.


Wednesday, March 24, 2021

Mac OS X at 20

Juli Clover (tweet):

On March 24, 2001, a Saturday, Apple began allowing customers to purchase Mac OS X, the successor to the classic Mac OS. The first version of Mac OS X, “Cheetah,” was famous for its “Aqua” interface with a water bubble-style design for everything from windows to buttons.

Jason Snell (tweet):

I’ve written a lot about Mac OS X over the years. Compiling that timeline reminded me of that. I was a features editor at Macworld when Apple began shipping OS X precursors, and so I edited most of our early coverage. Beginning with Mac OS X 10.1, I wrote most of Macworld’s big feature stories covering each release.


(While I wrote shorter reviews for Macworld, John Siracusa was always reviewing OS X at length for Ars Technica. Here’s a list of all his reviews.)

Joachim Fornallaz:

Fun fact: Mac OS X required a Mac with at least 128 MB of RAM, the same amount the original iPhone shipped with 6 years later.

Steve Troughton-Smith:

Unless you have an old PowerMac lying around, the only way for you to run this today is via emulation, in qemu-system-ppc. If that’s a rabbit hole you want to jump into today, check out the Emaculation wiki.


Update (2021-07-03): Ken Case:

Here’s what the @OmniGroup home page looked like when Mac OS X shipped 20 years ago

Armin Briegel:

Back then, it was essential that Apple move forward from ‘classic’ Mac OS. Protected memory, multi-user setups, and support for multiple applications running safely side-by-side were the main advantages of Mac OS X over Mac OS 9. But Mac OS X also brought with it the Unix core (and shell), a new display technology, and the Cocoa frameworks.

The transition was rough for the existing Mac users. The early versions were not as complete and stable as one would have hoped. The processing requirements of early Mac OS X pushed existing Mac hardware to their limits. Many application vendors dragged their feet adopting Mac OS X and the new technologies and features available.

But Mac OS X made the Mac interesting for a whole new group of people. It was the only platform at the time that they had Microsoft and Adobe productivity apps as well as the Unix shell and tools available. This was a huge bonus for web designers and developers, but also for scientists.

Tony Fadell:

Coincidentally, 20 years ago today, Stan Ng (Marketing), Jeff Robbin (iTunes) & I pitched Steve Jobs the P68 Dulcimer project.

8 months later that project became the iPod.

John Gruber:

I suspect the pitching for P68 took place on March 23 (a Friday), but (a) maybe those folks really were working six days a week, and (b) there’s no question Apple was truly firing on all cylinders in 2001.

Ng and Robbin are still at Apple. Ng has led Apple Watch product marketing since it debuted, and Robbin is still in charge of Apple’s Music apps (and I think apps like TV and Podcasts too — anything derived from SoundJam iTunes).

Joe Cieplinski:

Looking back, I have to say the Dock and Column View are the two most significant UI enhancements OS X brought to my world. Nothing has changed my daily desktop computing habits more in the 20 years since.

Riccardo Mori:

While I’m working on a proper article to celebrate 20 years of Mac OS X, here’s a brief visual tour of Mac OS X 10.0.3 I published back in 2008 on my other blog, System Folder.

Basic Apple Guy:

20 Years in the “evolution” of System Preferences on Mac OS X

John Siracusa:

If you’d like to look back at my writing on the subject, here’s a collection of links.

James Dempsey:

Twenty years ago, I was working in Apple Technical Training getting Mac OS X development and system administration courses out into the world.

What an amazing couple of decades!

Ken Harris:

For the Mac OS X anniversary, one of my first experiences with it:

Adobe Illustrator 10 claimed to support Mac OS X. It shipped just after Mac OS X 10.1, and did technically run on that OS — but its installer did not.

Maybe they assumed everyone would install on OS 9 and then upgrade the OS.

After a few hours on the phone with Adobe tech support, I think they finally came up with some way to muck with the installer files to allow it to complete on X.

Josh Centers:

I started out writing about the 20th anniversary of Mac OS X and accidentally wrote a love letter to Gil Amelio. Purchasing NeXT was like a season of nothing but strike-outs except for a home run that won the World Series.

Rui Carmo:

Strange to think that these days I have plenty more UNIX-centric options and yet there is no real (user-friendly, end-to-end) equivalent to it and its ecosystem (although WSL is tipping the scales heavily, no form of Linux is truly equivalent).

Stephen Hackett:

All of that eye candy came at a cost, though. Performance in the early versions of Mac OS X was notoriously bad as the hardware caught up. By the time most users were ready to switch from Mac OS 8 or 9, OS X was in pretty decent shape.

If you want to learn more about Mac OS X, I’ve rounded up some links for you[…]

John Voorhees:

Today, with Mac OS X gone and Intel chipsets not far behind, I thought it would be fun to look back at OS X and the transition to it compared to the recent switch to macOS 11 Big Sur.

Howard Oakley:

One thing I do remember repeatedly is the persistent flakiness of the Mac’s file system. Despite the promise of Mac OS X to protect the operating system from the effects of other software crashing, a lot of effort had to be put into preventing HFS+ from developing serious errors. Yet it wasn’t until Mac OS X 10.2.2 in 2002 that Apple introduced journalling to work around those problems, to a degree. Even then, after any serious crash, the cautious Mac user restarted their Mac to ensure that its file system didn’t slide steadily down the slippery slope to serious faults. Whole products like DiskWarrior were built on this lasting Achilles heel, and some days I seemed to be forever fscking around in Single-User Mode.

Just four years ago yesterday (27 March) – with iOS 10.3 – Apple introduced its replacement, APFS. Since then, this new file system has come to epitomise Apple, its strengths, endearing features, and flaws.

Chris Hynes:

Steve Jobs got up on stage at MacWorld New York in the summer of 2000 to tell everyone the progress of Mac OS X. A round of applause followed him saying that everything was on schedule.


He said they were going to change the name of the releases. The fall 2000 release would now be Public Beta and the final release would be in the spring of 2001.


Hardly. That’s what you call a final release that is 6 months away.

But he got away with it.

Shared Shortcuts URLs Broken

Matthew Cassinelli (tweet, Reddit, Federico Viticci):

Hello all – we’re currently experiencing a fairly major outage for iCloud links related to Shortcuts, and at the moment almost every shortcut that has been shared in the past cannot be installed.


This is still developing and, while it does seem like it’s possible to resolve, I shared a thread where I highlighted how major issues like this are eroding the larger trust in Shortcuts, especially outside the current community – this is a crisis moment for Shortcuts.

I hope Apple is able to dedicate resources to fully overcoming the technical debt accrued inside the Shortcuts ecosystem, as well as restoring trust in the community – the people who are in this community and our ideas for how to use shortcuts are stronger than ever, but we’re constantly trying to stand on uneven ground.

Update (2021-07-02): Mike Rockwell:

It would be cool if you could still add .shortcut files instead of fully relying on iCloud links.

Federico Viticci:

I wrote this about Shortcuts and sharing in 2019. I’m just going to leave it here.

Nick Heer:

This has been all over my Twitter timeline for hours, but Apple’s iCloud status webpage is still all green — everything is apparently just fine with Shortcuts.

Juli Clover:

Apple has now fixed the problem, and links to Shortcuts on the web should be largely functional again.

Big Sur’s Sidebar Translucency

Nick Heer (tweet):

But, screen fidelity aside, it was clear after a day that using Catalina felt cramped and messy. Icons and text in the menu bar were not as well-aligned. Rows in the Finder were squished together like every pixel on the display remained precious real estate.

Big Sur changed all of that for the better. There is subtly more space around many interface elements, and there is a clearer sense of structure. But it also introduced problems for readability, many of which are the result of an obsession with translucency and brightness.


That is dark grey text atop a mid-grey button texture in a light grey sidebar. Subjectively, I find it unpleasant to look at; more objectively, it has insufficient contrast. It is the same with the Search field located in an application’s Help menu[…]


Nevertheless, the rest of the system behaves as though the foreground window is comprised of panes of glass, and the background windows are made of solid plastic. Often, this means background windows actually have better contrast than windows in the foreground. […] Several MacOS apps are similarly more legible when they are in the background: Music, Contacts, Calendar’s single day view, Dictionary, and Voice Memos — to name a handful.


Big Sur’s Gray Menu Keyboard Shortcuts

Dr. Drang:

The M1 MacBook Air is the only machine I have running Big Sur, and for the first few days I kept wondering why certain commands were disabled. They weren’t—I was confused about their status because the gray keyboard shortcut was catching my eye and the black command name wasn’t. It wasn’t until I slowed down and looked at the menus carefully that I noticed the contradictory text coloring.

I’ve been using Macs since 1985, and gray text in a menu item has always meant “disabled.” This was true even though early Macs didn’t have true gray. Among Mac users, “grayed out” is a synonym for “disabled” and has been for ages. Now, because looking cool is taking precedence over clear communication, we have menu items that tell us the command is available but the keyboard shortcut isn’t.

Nick Heer:

The presentation of keyboard shortcuts is in that same vein: by making them grey, the thinking presumably went, the command becomes more prominent and indicates availability, while the keyboard shortcut is still shown for those who need it. But is this a problem that needs solving? Are even the pickiest designers bothered by the apparent clutter of keyboard shortcuts in menus? If you want to consider it a problem, this solution means that the keyboard shortcut is hard to read and the meaning of grey text is ambiguous.

Oh, and for extra measure, it is compounded by physical keyboards that do not share the same markings.

Jason Snell:

I always sensed that something was wrong in Big Sur’s menus, but I thought it was the strange decision to have curved edges on the top portions of the drop-down, which breaks the metaphor that they’re connected to the solid edge of the menu bar. But graying out (and that is absolutely what I call it) keyboard shortcuts is also weird and wrong.


Tuesday, March 23, 2021

Xcode Tips

Jesse Squires:

I started saving links and planned to add a new “Xcode tips” section to my TIL repo on GitHub to reference later. But as I started, I realized that the resulting markdown file would not be easily discoverable or shareable. I thought, wouldn’t it be nice if the iOS and macOS developer community had a single place to find and share Xcode tips?

So, that is what I did instead! Say hello to Xcode Tips, a resource for the community to find and share their Xcode workflows, tips, tricks, and optimizations. The code for the site is on GitHub under the Xcode-Tips organization.

Paul Kim:

Looking at my build logs in Xcode (which helpfully show the time for each step), I noticed that code signing was taking up a significant amount of time. Around 3-8 seconds each occurrence, even for standalone binaries. I have quite a few of these as well as frameworks so that time adds up. Note that for debug builds, I had the --timestamp=none option set so that was not the culprit in this case.

Poking around, I came across this thread. While I didn’t have the main problem described there of duplicate certificates, buried in that thread was the following advice: trim ~/Library/Preferences/


Apparently, there’s a hidden setting in your project.pbxproj file for copying frameworks where you can specify whether headers get copied over. This is not exposed anywhere in Xcode’s UI, as far as I can tell. It’s also a mystery why it gets set on some targets and not others. The only way to enable/disable this is to edit the project.pbxproj by hand.

Michał Januszewski:

TIL: if your Xcode freezes a lot - unpair all devices (Window/Devices and Simulators)


ProtonVPN Security Updates Rejected Due to Previously Approved App Description

Andy Yen (Hacker News, MacRumors, 9to5Mac):

ProtonMail is not the only Proton app being used by activists and protesters in Myanmar. For the past month, the Myanmar military has forced the national telecom companies to regularly shut down the internet and block access to social media to prevent damaging evidence from getting out.


On the same day the UN recommended Proton apps, Apple suddenly rejected important updates to our ProtonVPN iOS app. These updates include security enhancements designed to further improve safeguards against account takeover attempts which could compromise privacy.

Apple says it blocked our security updates because our app description in the App Store, which we have used without issue for months, mentions ProtonVPN is a tool to “challenge governments… and bring online freedom to people around the world”. Given the current context, Apple’s actions could not be more insensitive.

Apple says that the description violates section 5.4 of the guidelines, but that section doesn’t say anything about how the app is presented:

Apps offering VPN services must utilize the NEVPNManager API and may only be offered by developers enrolled as an organization. You must make a clear declaration of what user data will be collected and how it will be used on an app screen prior to any user action to purchase or otherwise use the service. Apps offering VPN services may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy. VPN apps must not violate local laws, and if you choose to make your VPN app available in a territory that requires a VPN license, you must provide your license information in the App Review Notes field. Parental control, content blocking, and security apps, among others, from approved providers may also use the NEVPNManager API. Apps that do not comply with this guideline will be removed from the App Store and you may be removed from the Apple Developer Program.

Apple does not allege that the app violates local laws. Furthermore, if there’s no legal issue, the app should be approved based on the August 2020 rule that updates aren’t delayed over guidelines violations.

Tim Sweeney:

Apple: We need an absolute monopoly on app distribution to protect security.

Apple: <blocks security updates because a developer speaks about human rights>

Francisco Tolmasky:

The future is more cases like & ProtonVPN. This is the real issue w/the @AppStore: Apple has chosen to put itself at the center of every international issue. If iOS had side-loading, they could say “you can still ship, it doesn’t have to be in our store.”


Apple and Tim Cook can wax poetic about values during keynotes all they want, but the actions they take represent their true values. And the @AppStore creates a clear and undeniable binary demarcation of what they approve of and what they don’t.


Update (2021-04-16): John Gruber:

Nothing to do with Myanmar — this spat is entirely about the phrase “challenging governments”. Again, I think it’s a bit silly for Apple to have rejected the update to ProtonVPN over that phrase.


Seems to me that the ProtonVPN update should have been approved, and the dispute over the app description settled afterward. Is the phrase “challenging governments” a “legal issue”? It certainly isn’t a legal issue in most countries. So Proton has legitimate gripes here.

Jesse Squires:

While I am willing to give Apple the benefit of the doubt and consider this an inconvenient coincidence, I would not be surprised if this were a deliberate move. After all, Apple has pulled VPN apps from the App Store before. For now, we can assume (as Gruber highlights) that this is yet another issue with Apple’s poorly executed app review process where its so-called rules are applied arbitrarily.

However, there is still reason to be concerned, because Apple does not have a laudable record when it comes to cooperating with authoritarian governments. Below is a brief history of events that I have been tracking so far.

See also: Hacker News.

Sami Fathi:

Apple says it approved ProtonVPN’s latest App Store update on March 19 and says, correctly, that Proton published the update to users two days later, on March 21. ProtonVPN, another two days later, published a blog post correlating the rejection to Apple limiting free speech and human rights in Myanmar.

I don’t think this proves anything about Apple’s motivations because the situation in Myanmar was already developing, with the UN recommending the app, before Apple’s initial rejection.

Substack’s Subscription Form vs. 1Password Autofill

Timmy O’Mahony (via Hacker News):

To state the obvious: there is no $2,023 plan here. There is a “founding member” option, but I’m sure I didn’t click that?

Wait, what did I do? I’m certain I selected “monthly $10”, then I opened 1Password and clicked my saved card details. Then I hit “Subscribe”.


When I’ve clicked my card details in 1Password, it’s entered my expiry year in the hidden, custom subscription amount box[…]. Because this box has now changed value, the Substack UI has automatically selected this option. I’ve then hit “Subscribe” before I had time to notice and 💸 $2,023.


Closing Web Browser Windows Doesn’t Close Connections

Jeff Johnson (tweet, Hacker News):

That’s too much a coincidence to be a bug, right? Could it be that web browsers are keeping open connections after windows are closed on purpose?


Closing the private window closed the connections associated with the window, in every browser. Thus, it seems pretty clear that this behavior must be intentional.


I feel that many decisions made by web browser developers in the past — sometimes more than a decade ago — need to be reevaluated now that browsers are finally starting to care about user privacy. The browser vendors have always loved to compete and brag about whose browser loads pages faster, but the pursuit of speed at all costs can lead to compromises in other areas, such as privacy.


Monday, March 22, 2021

Firefox’s New Referrer Policy

Sergiu Gatlan:

The new user privacy protection feature against accidental leaking of sensitive user data will be introduced in Firefox 87.

Once updated, the web browser will automatically trim user-sensitive information like path and query string information accessible from the Referrer URL.
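Firefox 87's new default is the `strict-origin-when-cross-origin` referrer policy, replacing `no-referrer-when-downgrade`. The sketch below is an added example (not code from Firefox or from the quoted article) that computes the `Referer` value under both policies; the URLs are constructed, and "downgrade" is simplified to https-to-non-https.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def serialize_origin(o):
    """Origin-only referrer: scheme, host, optional non-default port, and '/'."""
    scheme, host, port = o
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}/"
    return f"{scheme}://{host}:{port}/"


def strip_for_referrer(url):
    """Full-URL referrer: credentials and fragment removed, path and query kept.

    Simplification: IPv6 literals are not re-bracketed.
    """
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = host if p.port is None else f"{host}:{p.port}"
    path = p.path or "/"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{netloc}{path}{query}"


def referrer_for(source_url, dest_url, policy="strict-origin-when-cross-origin"):
    """Return the Referer header value, or None when no header is sent."""
    src, dst = origin(source_url), origin(dest_url)
    # Assumption: treat only https -> non-https as a downgrade.
    downgrade = src[0] == "https" and dst[0] != "https"

    if policy == "no-referrer-when-downgrade":
        # Old default: the full URL leaks to any non-downgrade destination.
        return None if downgrade else strip_for_referrer(source_url)

    if policy == "strict-origin-when-cross-origin":
        if src == dst:
            return strip_for_referrer(source_url)  # same origin: full URL
        if downgrade:
            return None                            # never sent over plain HTTP
        return serialize_origin(src)               # cross-origin: path and query trimmed

    raise ValueError(f"unsupported policy: {policy}")


if __name__ == "__main__":
    page = "https://example.com/account/reset?token=abc123#top"  # constructed
    for dest in ("https://example.com/next",
                 "https://tracker.example.net/pixel",
                 "http://example.org/"):
        print(dest, "->", referrer_for(page, dest))
```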


Butterfly Keyboard Class Action Lawsuit

Juli Clover (tweet):

Apple customers unhappy with the butterfly keyboards used in MacBook models from 2015 on will be able to proceed with a lawsuit against the Cupertino company, as the judge overseeing the case has given it class action status [PDF]. The suit covers anyone who purchased a MacBook with a butterfly keyboard in California, New York, Florida, Illinois, New Jersey, Washington, and Michigan.

Adi Robertson:

This suit claims Apple knew for years that its butterfly switches were defective — and that its incremental changes weren’t fixing the core problem. It cites internal communications inside Apple, including an executive who wrote that “no matter how much lipstick you try to put on this pig [referring to the butterfly keyboard]…it’s still ugly.”

See also: TidBITS.


Update (2021-03-23): Nick Heer:

A document (PDF) filed in this lawsuit in August last year suggests — if you read between the heavy redactions — that Apple was aware of its poorer performance as far back as June 2013[…] But I am more curious about why it took so long to address these glaring problems. Why did this seem, from an outsider’s perspective, to not be among the highest priorities in the company? Why not, after the first year, stick the guts of the newer MacBook Pro model into a revised version of the old case? The question for me is not as much why did Apple try this keyboard in the first place? as it is why did it continue selling Macs with this keyboard? — that, for me, is a greater concern.

See also: Hacker News.


Update (2021-11-15): Adi Robertson:

Sadly, I got the MacBook during Apple’s bad keyboard years, and I guess it couldn’t handle my typing volume and intensity. I’ve broken so many keys on butterfly keyboards that I gave up on getting them repaired and stacked a Bluetooth keyboard on my laptop with a cardboard separator.

How NetNewsWire Handles Threading

Brent Simmons (Hacker News):

Every notification and every callback happens on the main thread.

Though a given object (or small system) may use a serial queue internally, it never, ever lets that fact leak out beyond its own boundaries.


Some developers I’ve known seem to think that being good at concurrency makes them badass. Others seem to think that senior developers must be great at concurrency, and so they should be too.

But what senior developers are good at is eliminating concurrency as much as possible by developing a simple, easy, consistent model to follow for the app and its components.


I know you’re worried about blocking the main thread. But consider this: it’s way easier to fix a main-thread-blocker than it is to fix a weird, intermittent bug or crash due to threading.

Brent Simmons:

It also improves the experience of our developers, who can concentrate on the feature they’re working on instead of on how the feature can live safely in a multithreaded universe.

Best of all: nobody is spending time tracking down a maddening threading bug that never happens on their machine, and then implementing a speculative fix — only to find later that it’s not the fix but now, actually, there’s a new crashing bug, which might have been triggered by that “fix”… and so on, forever.

Developer morale is important!


Backblaze B2 Leaks Metadata to Facebook

Ben Cox (Hacker News):

@backblaze’s B2 web UI seems to submit all of the names and sizes of my files in my B2 bucket to facebook. I noticed because I saw “waiting for” at the bottom while trying to download a backup…


I even opted out of their tracking widget thing!


Believe that’s the Facebook pixel we use for tracking, we’ve forwarded to our web team for review in case that is not intended behavior.


An update on the fix we pushed: we removed the offending code from the logged in web pages.


The pixels we use are primarily for audience building when we advertise on other platforms like Facebook for example. You can read about it in our terms[…]

Adam Brown:

The “Advertising Cookies” section says that you don’t use them. Then in the FB section, you say that it’s so people can easily share pages and content the user finds interesting. Then you slip in a catch-all “we may use it for advertising”.

Tomáš Kafka:

I hope you realise this isn’t a ‘frontend issue’, but a security breach. As a customer with sensitive data, I don’t want you ‘pushing a fix’, I want you to do a full review of how this happened, and a process to not let 3rd party trackers access user data ever again.

Colin Snover:

Regrettably, this is just another example of Backblaze’s inability/unwillingness to follow basic software development best practices. To those saying “they should notify all users”: they should, and they probably won’t, because they haven’t before.

There is a long history of engineering problems. Just one example: it seems to still be the case that the Backblaze client reports files as successfully backed up as many as eight hours before they are actually committed to the server. If something happens to your Mac in the interim, you won’t be able to restore them.


Update (2021-03-23): Backblaze:

We take the privacy of our customers’ data and personal information very seriously and have made completing the root cause analysis a top priority. Our Engineering, Security, and Compliance/Privacy teams—as well as other staff—are continuing to investigate the cause and working on steps to help ensure this doesn’t happen again. We will update this post as we have more information to share.


Sami Fathi:

In September of last year, the Australian Competition and Consumer Commission (ACCC) launched an investigation into Apple’s App Store and Google’s Play Store to examine the experiences of consumers, suppliers, and developers in Australia.


In a submission to the commission, Apple says that it’s “surprised to hear that developers have legitimate concerns about their ability to engage with Apple in the app review process,” and that it “invests significant time and resources in engaging with developers directly” to ensure the quality of apps on the platform.

Mark Gurman:

Apple’s 20-year developer relations chief and VP Ron Okamoto (who oversaw App Store review, policies, organizing of WWDC, developer communications, awards, SDK distribution and more) has retired. He’s been replaced by longtime marketing exec Susan Prescott.

See also: Andy Lee.


Friday, March 19, 2021

Mac Analytics on App Store Connect


App Analytics now provides usage metrics for Mac apps, including data on installations, sessions, active devices, crashes, and deletions. And now you can measure user retention to see how often users return to your app after downloading it.

Note that these are just the basic app lifecycle metrics. MetricKit is still iOS-only.


Setting macOS Defaults via Script

Hacker News is calling this Bash script by Mathias Bynens “Sensible macOS Defaults.” I don’t agree that these are necessarily the particular settings anyone should use, but I endorse the idea of collecting the preferences that one frequently modifies (system and otherwise) into a script. This one has some good examples of how that can be done and also illustrates some settings that are hidden.


XcodeSpy Malware

Phil Stokes (via Patrick Wardle, MacRumors):

Threat actors are abusing the Run Script feature in Apple’s Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects.

XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer’s macOS computer along with a persistence mechanism.

The backdoor has functionality for recording the victim’s microphone, camera and keyboard, as well as the ability to upload and download files.


The sample we analyzed used a copy of a legitimate open-source project that can be found on Github called TabBarInteraction.
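A defensive check for the Run Script abuse described above, as an added example that is not from the quoted report: it lists every Run Script build phase in a `project.pbxproj` and flags patterns worth a manual read before building a shared project. The sample project text and the heuristic patterns are constructed assumptions, not XcodeSpy indicators.

```python
import re
import sys

# Constructed project.pbxproj fragment (not from any real project).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA0000000000000000000001 /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			files = (
			);
			name = "Run SwiftLint";
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then\n  swiftlint\nfi\n";
		};
		AA0000000000000000000002 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			files = (
			);
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo ZWNobyBoaQ== | base64 --decode)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

SECTION_RE = re.compile(
    r"/\* Begin PBXShellScriptBuildPhase section \*/(.*?)"
    r"/\* End PBXShellScriptBuildPhase section \*/", re.S)
# One object: "<id> /* comment */ = { ... };" where the body ends at a line
# holding only "};" (list values such as "files" close with ");").
OBJECT_RE = re.compile(
    r"^\s*([0-9A-Fa-f]+) (?:/\* (.*?) \*/ )?= \{(.*?)^\s*\};", re.S | re.M)

# Heuristics chosen for this example; tune them for your own review process.
HEURISTICS = [
    ("network-fetch", re.compile(r"\b(curl|wget|nc|ncat)\b|/dev/tcp/")),
    ("decode-or-eval", re.compile(r"\bbase64\b|\bxxd\s+-r\b|\beval\b|\bopenssl\s+enc\b")),
    ("pipe-to-interpreter", re.compile(
        r"\|\s*(/bin/)?(ba|z)?sh\b|\|\s*(python3?|perl|ruby|osascript)\b")),
    ("persistence-path", re.compile(
        r"Library/Launch(Agents|Daemons)|\bcrontab\b|\blaunchctl\b")),
    ("long-encoded-blob", re.compile(r"[A-Za-z0-9+/=]{80,}")),
]

ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def unescape(value):
    """Undo the backslash escapes used inside quoted pbxproj strings."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)),
                  value, flags=re.S)


def field(body, key):
    """Return the value of `key = value;` (quoted or bare), or None."""
    m = re.search(r"\b" + re.escape(key) +
                  r'\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))\s*;', body, re.S)
    if not m:
        return None
    return unescape(m.group(1)) if m.group(1) is not None else m.group(2)


def audit_run_script_phases(pbxproj_text):
    """List every Run Script phase with its script text and heuristic flags."""
    findings = []
    for section in SECTION_RE.findall(pbxproj_text):
        for obj_id, comment, body in OBJECT_RE.findall(section):
            script = field(body, "shellScript")
            if script is None:
                continue
            findings.append({
                "id": obj_id,
                "name": field(body, "name") or comment or "(unnamed)",
                "shell": field(body, "shellPath"),
                "script": script,
                "flags": [label for label, rx in HEURISTICS if rx.search(script)],
            })
    return findings


if __name__ == "__main__":
    # Usage: python audit_pbxproj.py path/to/Project.xcodeproj/project.pbxproj
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PBXPROJ
    for f in audit_run_script_phases(text):
        status = ", ".join(f["flags"]) or "no flags"
        print(f'{f["id"]}  {f["name"]}  [{f["shell"]}]  {status}')
        print("    " + f["script"].rstrip().replace("\n", "\n    "))
```

An empty flag list means only that none of these patterns matched; read every script the tool prints before building a project you did not write.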

Jonathan Zdziarski (in 2015, via mikey):

Early this morning, The Intercept posted several documents pertaining to CIA’s research into compromising iOS devices (along with other things) through Sandia National Laboratories, a major research and development contractor to the government. The documents outlined a number of project talks taking place at a closed government conference referred to as the Jamboree in 2012.


Strawhorse, a malicious implementation of Xcode, where App Store developers (likely not suspected of any crimes) would be targeted, and their dev machines backdoored to give CIA injection capabilities into compiled applications. The malicious Xcode variant was capable of stealing the developer’s private codesign keys, which would be smuggled out with compiled binaries. It would also disable securityd so that it would not warn the developer that this was happening. The stolen keys could later be used to inject and sign payloads into the developer’s own products without their permission or knowledge, which could then be widely disseminated through the App Store channels. This could include trojans or watermarks, as the document suggests. With the developer keys extracted, binary modifications could also be made at a later time, if such an injection framework existed.

In spite of what The Intercept wrote, there is no evidence that Strawhorse was slated for use en masse, or that it even reached an operational phase.


Kensington StudioDock for iPad

Federico Viticci:

I’ve spent the past 24 hours testing Kensington’s long-anticipated StudioDock, a $400 docking station that aims to turn the iPad Pro into a desktop workstation with support for display rotation, expansion via USB-C, USB-A, and SD card slots, and integrated Qi charging for iPhone and AirPods. And just like last year, I find myself torn between appreciating the potential of this product and concerned about its timing given rumors of an impending iPad Pro refresh just around the corner.


The StudioDock is a stand that lets you dock the iPad at your desk by attaching it to a magnetic panel that can be rotated to landscape or portrait mode and tilted from 0 to 120 degrees to adjust its viewing angle. Visually, the StudioDock looks like a “mini iMac” where the iPad Pro becomes the display and the “foot” of the stand has a built-in Qi charging pad split into two areas for iPhones and AirPods (or any other device that supports wireless charging and fits on the pad). What makes the StudioDock unique – and, arguably, explains its price – is that, in addition to Qi charging, the stand itself packs a variety of ports to extend the iPad Pro’s I/O options.


Thursday, March 18, 2021

FlickType Developer Sues Apple

Nick Statt (tweet, MacRumors, Hacker News):

At the time he began accusing Apple of abetting App Store scams early last month, Eleftheriou revealed that his FlickType app had been targeted by competing software he says either didn’t work well or didn’t work at all, and yet nonetheless chipped away at his sales and App Store rankings through false advertising and the purchase of fake reviews.


In the complaint, Eleftheriou goes further into detail about what he claims is wrongful behavior from Apple, including alleged false advertising, breach of its developer agreement, and fraud. One notable claim involves Apple trying to acquire FlickType, after which Eleftheriou says he faced “roadblock after roadblock” to selling his software on the App Store. The complaint suggests Apple chose not to take action on scam and copycat apps in an effort to force Eleftheriou to sell his app to Apple.


Eleftheriou says he was approached by Marsden, who expressed interest in having Apple acquire his software to improve typing on the Apple Watch. Yet, the negotiations went quiet, and afterward, Eleftheriou claims Apple removed his FlickType keyboard app and refused to approve future versions as well as a note-taking variant, on what he thinks are suspicious grounds. […] Meanwhile, many other wearable and mobile keyboard apps Eleftheriou characterizes as scams were also approved and allowed on the App Store.


Intel’s Anti-Mac Ads

Sami Fathi:

Intel has called on the services of former “I’m a Mac” actor Justin Long in a series of new ads in which Apple’s latest custom-made M1 processors are cast as inferior to newer laptops powered by Intel processors.


In one ad, Long promotes the flexibility of Windows laptops, specifically the Lenovo Yoga 9i versus a MacBook Pro. In another video, Long meets a PC user gaming on the MSI Gaming Stealth 15M laptop, powered by an Intel Core i7. Long then asks for a Mac, before swiftly agreeing with the PC user that “no one games on a Mac.”

Juli Clover (tweet):

Intel is continuing its anti-Apple ad campaign, today sharing a tweet that calls out the lack of ports on M1 Macs. In a photo, actor Justin Long sits on a couch with a Windows PC and holds up a handful of Apple dongles.

Juli Clover:

As part of its barrage of attacks against M1 Macs, Intel this week launched a “PC vs. Mac” website that’s biased heavily in favor of PC machines that are equipped with Intel chips and that makes questionable claims about Apple’s M1 Mac lineup.


PCs offer a “complete touch screen” instead of the “constrained Mac Touch Bar,” along with “2 for 1 Form Factor options” while Apple makes customers pay for “multiple devices and gear.”

John Gruber:

I’m sure some will claim to find this ad campaign to be a sick burn. I find it cringey, and kind of hard to watch. It’s neither parody nor sequel. It’s an attempt at comedy from writers who have no sense of humor. The concept isn’t actually anything beyond “Let’s hire Justin Long as our new pitchman, that’ll show them.”


The truly weird thing is that Justin Long was always pitching for Intel-based computers, at least indirectly, in the “Get a Mac” campaign, the introduction of which coincided with the start of the Intel Mac era: 2006-2009.


So one of my takeaways from this new “Go PC: Justin Gets Real” campaign is that it highlights just how unusual Apple’s relationship with Intel has been. The Mac was an Intel-based platform — not just x86 but Intel chips specifically — for 15 years, yet neither company ever advertised it.

David Sparks (tweet):

As for me, I’m annoyed with Apple’s lawyers. How did they not write an “I won’t pitch competitive products ever” clause into Long’s original agreement? I write clauses similar to that all the time. Last week I did something similar on a lease agreement for a donut shop.

Ezekiel Elin:

PC vs Mac courtesy of Intel, an older take[…]

John Gruber:

No trip down memory lane exploring Apple/Intel commercials would be complete without this one from 1997.


Update (2021-03-19): John Gruber:

Really hard to believe I didn’t recall this ad yesterday. I blame the fact that I was trying to think of ads about specific Macs that mentioned Intel — and completely overlooked one of my favorite commercials ever, because it was entirely about the Intel partnership itself.

The message was that the two great companies of the industry were finally together: Apple, the product maker, and Intel, the chip maker. 15 years later, though, I can kind of see how Intel might have been a bit peeved. It paints Intel as needing the Mac for its chips to reach their potential, not the Mac as needing Intel chips to achieve performance-per-watt parity with the rest of the PC industry. It’s implicitly a bit insulting, and an utterly Jobsian way to frame the new partnership.


Intel is in trouble. For Intel to be Intel they need to be leading the industry. The best fabs, the fastest chips. Right now they can’t credibly argue that they’re the best at anything. They haven’t just lost the Mac. TSMC is absolutely killing them at fabrication. All modern smartphones are built on ARM chips. Intel tried to gain a foothold in the cellular modem business, and failed.

I think the new ads make some good points about PCs vs. Macs, but to me they feel weird and desperate due to the above context and the fact that they aren’t really about Intel.

Peter Steinberger:

Yes the campaign is cheesy, but accidentally activating Siri on the TouchBar is so real. It was such a good day when I found out that the “button” can be removed.

Josh Centers:

Intel rightfully points out some of the dumb things about newer Macs, but fails to acknowledge that PCs slavishly copy the same mistakes. There actually is an opportunity here for Intel to develop new laptops that don’t suck.

Jack Wellborn:

Most of the benefits Intel is touting — variety of hardware, touch screens, face unlock — all come from the laptop makers or Microsoft.

Nick Heer:

The funny thing about these Intel ads is that they could work just as well for PC makers that use AMD or ARM processors.

Update (2021-04-16): Dave:

My question is who is the intended target of these ads? The general public? I doubt it. If they wanted to reach the computer buying public they would give Microsoft ad money to produce these commercials. Also, why isn’t Microsoft running these ads? This is something Microsoft should be doing, not Intel.

If I had to guess who they were for, I would say Intel employees.

Juli Clover:

When discussing Intel’s new plans, Gelsinger said that Intel plans to pursue Apple as a potential customer, which would see Intel producing Apple silicon chips for use in Apple devices if Apple does indeed decide to use Intel’s services.

Nick Heer:

There is a lot of nostalgic spin in this presentation but, if you peel away the saccharine layers, it seems like Gelsinger has the insider perspective to structure a better path forward, and an encouraging level of staff support.

Ken Segall:

So, what do we make of Intel’s new campaign? Hold that thought, because it’s best judged in the context of history—and a juicy history it is.


Here are the reactions I had after my first and only viewing.

Sami Fathi:

Intel has been on a relentless marketing drive against Mac computers in recent weeks, positioning them as inferior to Windows laptops powered by Intel processors. In a slight slip-up, however, Intel has accidentally used a MacBook instead of a Windows laptop in one of its newest ads to promote one of its new 11th-generation chips as “the world’s best processor.”

Update (2021-06-07): Michael Potuck:

In an ironic move, Intel is now using the MacBook Pro in a new ad to promote “The world’s best processor on a thin and light laptop” that’s not found in any of Apple’s notebooks.

iOS to Offer Pre-Installed Apps in Russia


Russian media are reporting that Apple has agreed to sell its gadgets in Russia with preinstalled Russian-made software to comply with a law that comes into force on April 1.


The list of Russian government-approved programs for mandatory preinstallation on smartphones and tablets includes the search engine Yandex, mail and news, ICQ messenger, social network VKontakte, payment system MirPay, and antivirus Kaspersky Lab, among others.

Via Nick Heer:

I overestimated Apple’s willingness to withdraw from what is an increasingly authoritarian market. It does seem like Apple was able to strike something of a compromise — on Android phones and other devices, the apps will apparently be preinstalled without any configuration on the user’s part. Still, this sets a worrying precedent when it comes to privacy and surveillance concerns.

Sami Fathi:

In 2019, Apple warned that this new law would open up its device to possible risks and that it would be the “equivalent to jailbreaking.”


Update (2021-04-16): Juli Clover:

A few weeks after Apple agreed to allow Russia to show iPhone users in the country suggested apps created by Russian developers, Russian users are seeing the list of app suggestions when setting up a new device.

John Gruber:

It’s impossible to square Apple’s (reasonable) desire to explain that the prompt to suggest installation of these Russian apps is mandated by Russian law with Apple’s refusal to allow developers to explain the App Store rules they are required to comply with. As I’ve written before, it is prima facie wrong that one of the App Store rules is that apps are not allowed to explain the App Store rules to users.

It’s quite a thing that Russia’s “law against Apple” allows for more transparency to users than Apple’s own App Store rules.


Swift Proposal: Actors

SE-0306 (forum, Hacker News):

Actors allow you as a programmer to declare that a bag of state is held within a concurrency domain and then define multiple operations that act upon it. Each actor protects its own data through data isolation, ensuring that only a single thread will access that data at a given time, even when many clients are concurrently making requests of the actor. As part of the Swift Concurrency Model, actors provide the same race and memory safety properties as structured concurrency, but provide the familiar abstraction and reuse features that other explicitly declared types in Swift enjoy.


As a special exception to the rule that an actor can only inherit from another actor, an actor can inherit from NSObject. This allows actors to themselves be declared @objc, and implicitly provides conformance to NSObjectProtocol[…]


Like classes, actors as proposed allow inheritance. However, actors and classes cannot be co-mingled in an inheritance hierarchy, so there are essentially two different kinds of type hierarchies. It has been proposed that actors should not permit inheritance at all, because doing so would simplify actors: features such as method overriding, initializer inheritance, required and convenience initializers, and inheritance of protocol conformances would not need to be specified, and users would not need to consider them. The discussion thread on the proposal to eliminate inheritance provides several reasons to keep actor inheritance[…]


Acorn 7

Flying Meat (tweet):

Acorn now sports a unified window with a matching toolbar. Gone are the floating palettes everywhere and getting in your way. Palettes are now inspectors and can be brushed away by pressing the TAB key, and brought back the same way. Acorn also adopts many new MacOS Big Sur conventions to make it look and feel like it belongs on a Mac. If you prefer the previous behavior where inspectors are in their own windows, there is a preference to enable that.

Speaking of tabs, Acorn has a new preference for opening up images in tabs. So now you can gather all of your open images under a single window.


A new export workflow gives you options for specifying a color profile (like CMYK or Gray), more formats to save as (now including WebP!), precise file size of your export, and a live preview even for PDFs.


This time around we managed to make Flood Fill, Instant Alpha, and Magic Wand multithreaded and up to 3x faster. Filters have also been fully optimized for Metal on Apple Silicon and Intel Macs.

Photoshop is impressive and all, but I find Acorn much more pleasant to use. There’s also a new tool for fixing perspective distortions. It’s currently on sale for 50% off.


Update (2021-03-22): Gus Mueller:

Here’s a casual overview of some things I find interesting with this release.


One nice thing about the Command Bar is that I can also include other random oddball things in there which don’t necessarily deserve a menu item by itself. For instance, there’s a toggle in there to switch Acorn into Dark Mode or to Light. There’s an entry to quickly switch to pixels for the ruler, or fill the current selection or layer with the stroke color, or capitalize any currently selected text. I get requests all the time for cool little ideas (just today I got someone asking for the ability to pull the alpha channel out into its own layer). I’ve always shied away from these ideas because I want Acorn to be approachable, and having too many options in the menus can be a big turn off. But if they could be tucked away in the Command Bar, ready at your finger tips if you know it’s there?

Photoshop for Apple Silicon

Jonny Evans (via MacRumors, Hacker News):

Adobe has released Photoshop for M1 Macs, delivering a huge boost in application performance on Apple Silicon in contrast to how it performs on similar Intel-based machines.


“At the moment, Photoshop and Lightroom are both available as native apps for M1 Macs, and public betas of native apps are also available for Premiere Pro, Premiere Rush and Audition. We’re excited to bring more native Creative Cloud apps to Apple silicon devices, and will have updates to share later this year.”

Hopefully Lightroom Classic will be out soon. It’s one of the few apps I use that feels slow.

Pam Clark:

Our internal tests show a wide range of features running an average of 1.5X the speed of similarly configured previous generation systems.

DL Cade:

Keep in mind that both the 13-inch MacBook Pro and the Dell XPS 17 boast a full 32GB of RAM to the Mac mini’s 16GB. The XPS 17 is also running a 10th Gen, 8-core Intel Core i9-10875H alongside a GeForce RTX 2060 Max-Q GPU with 6GB of VRAM. Finally, both the 13-inch Intel MacBook Pro ($3,000) and the Dell XPS 17 ($3,000) that we tested cost a whole lot more than the fully-loaded M1 Mac mini ($1,700) used for this comparison.


Unsurprisingly, the M1 Mac mini loses to the competition in raw GPU performance, more-or-less matching the onboard graphics of the quad-core Core i7 that’s in the 13-inch MacBook Pro. But even with this score working against it, the Mac mini running Apple Silicon-optimized Photoshop managed to get the second highest Overall score we’ve ever seen out of PugetBench.

What’s more, none of the computers we’ve reviewed, not even the most expensive 16-inch MacBook Pro you can buy or the Razer Blade Studio Edition, has ever broken the 100 mark on the PugetBench Photo Merge test. Running optimized Photoshop, the M1 Mac mini hit 130+ in run after run after run.

Michael Clark:

Adobe just dropped its latest software updates via the Creative Cloud and among those updates is a new feature in Adobe Camera Raw (ACR) called “Super Resolution.” You can mark this day down as a major shift in the photo industry.


I immediately tested this out and was pretty shocked by the results. Though it might be hard to make out in the screenshot below, I took the surfing image shown below, which was captured a decade ago with a Nikon D700 — a 12MP camera — and ran the Super Resolution tool on it and the end result is a 48.2MP image that looks to be every bit as sharp (if not sharper) than the original image file.


Update (2021-03-19): Joe Cieplinski:

Watching Photoshop launch in two seconds on my M1 MacBook Pro is enough to make a grown man weep.

Update (2021-05-19): Om Malik:

The M1-Photoshop is pretty useless for those — like me — who use third-party extensions as part of their editing workflow. For instance, I use some extensions that allow me to pursue highly granular masking via luminosity masks. Other extensions for color grading (including Adobe’s own Color Themes) and additional tune-ups are also part of my flow. And none of them work with the new Photoshop.

Extensions are not working because Adobe has shifted to a new way of writing extensions — specifically, using UXP. According to Adobe, “UXP provides modern JavaScript, a curated selection of UI components, and a more streamlined workflow for plugin developers.” In the past, Adobe used CEP (Common Extensibility Platform), which used web-based technologies like CSS to make the extensions work. The shift to UXP is visible with the M1-Mac version of Photoshop.

Deleting Tweets and Other Social Media Content

Jesse Squires:

I have been periodically deleting my tweets for a while now. Yesterday, I finally found a reliable solution for deleting my Twitter “likes” as well and I spent some time deleting all of them. Long ago, I also deleted all of my content on Facebook and Instagram. If you are interested in purging your social media accounts, here are some options.


Regardless of whether or not I choose to continue using these platforms in the future, I prefer to retain the accounts for historical reasons and leave them vacant — at least for now. This is similar to what I did when I got off of LinkedIn. This preserves (at least the shell of) my online “identity” and prevents someone else from taking the usernames that I used for so many years.


Twitter remains valuable to me for now. I use it almost entirely for interacting with the developer community. In my experience, it is a great way to help others or get help from others — diagnosing bugs, sharing development tips, etc. However, I do not need a private company to maintain a public record of everything I have ever typed[…]

Update (2021-03-22): Semiphemeral:

There are plenty of tools that let you make your Twitter feed ephemeral, automatically deleting tweets older than some threshold, like one month.

Semiphemeral does this, but also lets you automatically exclude tweets based on criteria: how many RTs or likes they have, and if they’re part of a thread where one of your tweets has that many RTs or likes. It also lets you manually select tweets you’d like to exclude from deleting.

It deletes all of your old likes, even really old ones that Twitter makes difficult to delete. And it can automatically delete your old direct messages.

Apple’s Perplexing Home Strategy

Zac Hall:

You can trust that Apple will continue to make new iPhones and Macs for the foreseeable future, but Apple’s home products resemble Google’s betting strategy more than Apple’s usual commitment to focus and delivery.


How confident are we that HomePod mini will be enough of a hit to keep Apple’s interest? How sure are we that Apple TV, the streaming media box, has a place in Apple’s lineup? Maybe the Apple TV app and AirPlay 2 TVs are like the HomePod mini in that they reach more households.

Apple discontinuing HomePod isn’t impossible to understand, but the move does leave me with a number of questions for Apple. What’s the threshold for success for home products? What does Apple hope to achieve with home products? Why should customers trust Apple believes in its home products when it doesn’t lead the market? Why not just invest in Amazon, Sonos, and other smart home solutions that feel less like a hobby?

John Voorhees:

There are plenty of good AirPlay 2 speakers available that I can eventually swap in, as Hall points out. However, coupled with the expensive, long-in-the-tooth Apple TV, I don’t have the confidence I once had in Apple’s home strategy, especially when it comes to audio and video entertainment, which feels especially strange to say when Apple Music and TV+ are so clearly important parts of the company’s service strategy.

Jason Snell:

I sure hope this is all setting us up for a roll-out of Apple’s new home strategy, but I’m concerned that the company is still utterly at sea when it comes to this stuff.


Apple also abandoned the home router market… and its competitors have rushed in. HomeKit seems stalled, though perhaps it’s just waiting for the CHOP to drop.


Tuesday, March 16, 2021

Dropbox Passwords

Joe Rossignol:

Dropbox today announced that it will be rolling out a limited version of its Dropbox Passwords password manager to users with a free Dropbox Basic account in early April. The feature launched last year for paying subscribers only.

Dropbox Basic users will be able to store up to 50 passwords, with automatic syncing on up to three devices.

See also: Dropbox Launches Password Manager, File Vault, and More Across iPhone and Mac.


Google Play Store Drops Commission to 15%

Joe Rossignol (Hacker News):

Google today announced that, starting July 1, it will be lowering its Play Store commission from 30% to 15% for the first $1 million of revenue developers earn using the Play Store billing system each year, as reported by TechCrunch.

Google estimated that 99% of developers that sell goods and services with the Play Store billing system will see a 50% reduction in fees.

Michael Love:

Also kudos to Google for simply applying it to the first $1M rather than making a whole complicated program you have to apply for / get booted from if you go just over $1M / etc; hopefully Apple will grudgingly decide to do the same.

Anyway the fact that as of July 1st none of my revenues will be taxed at more than 15% is going to open up some very interesting possibilities in terms of licensing.

Paul Haddad:

I’m happy to see more App Stores going down the 15% route but the “progressive taxation” nature of it just seems weird to me. It’s not like the Store’s cost/unit go up as more units get sold. Just go 15% across the board.

Neither do the store’s costs go to zero when distributing free apps that monetize through advertising. The weird structure is a great fit for Apple and Google’s goals. It quiets most of the complainers and increases the supply of apps without greatly reducing the stores’ revenue, which mostly comes from a small percentage of top apps.


Update (2021-03-19): Mike Peterson (also: MacRumors):

If the App Store program was in place throughout 2020, for example, Apple would have been short $595 million in revenue. That’s about 2.7% of its estimated $21.7 billion it makes from App Store commissions. Google similarly would have made $587 million less in revenue, or just about 5% of the estimated $11.6 billion in Google Play fees it collected in 2020.

John Gruber:

70/30 percent just feels harder and harder for Apple and Google to defend. Make it 85/15 across the board and it all becomes simpler.

In the meantime, thanks to Epic and others for improving the deal for us small developers. I don’t think Apple and Google would have done this without them.

DMCA Takedown for Old Acrobat Tweet

Lorenzo Franceschi-Bicchierai (Hacker News):

Adobe wants Twitter to take down a tweet from five years ago that links to a site that allows visitors to download a 27-year-old version of the company’s PDF reader.

On March 6, a company that works on behalf of Adobe sent takedown requests for three tweets and several short URLs. One of the people who received the DMCA takedown request, well-known security researcher Mikko Hypponen, revealed that Adobe wanted a tweet of his that linked to the MS-DOS version of Acrobat Reader taken down. The news was first reported by TorrentFreak.

Goodbye, Original HomePod

Matthew Panzarino (tweet, MacRumors, tweet, Slashdot, Hacker News):

Apple has discontinued its original HomePod after four years. It says that it will continue to produce and focus on the HomePod mini, introduced last year. The larger HomePod offered a beefier sound space but the mini has been very well received and clearly accomplishes many of the duties that the larger version was tasked with. The sound is super solid (especially for the size) and it offers access to Siri, Apple’s assistant feature.

John Gruber (tweet):

I love my HomePods, but clearly the market deemed them too expensive.

Joe Rosensteel:

I know there are some people that really like the HomePod so I don’t want to harp on how it was an overpriced, over-engineered, fiddly, gimmicky, rudderless, Siri-hampered, mono speaker, and hurt the feelings of dozens of people. R.I.P. 🙏

Jason Snell:

Don’t forget its lack of an aux-in jack. My iPod Hi-Fi is going to outlast it.

Steve Troughton-Smith:

I wish I had good things to say on the eve of the HomePod’s death, but it was just never a great product. I was never happy with the audio quality of a standalone unit, and Siri+HomeKit is incredibly inconsistent, and nowhere near as fun as a voice assistant as Google’s/Amazon’s


I expect the original HomePod to be dropped like a stone from future OS updates — it’s saddled with a CPU no longer supported by mainline iOS (they moved it to a tvOS core recently, just to stay afloat), and the HomePod mini is built on Apple Watch chips

Paul Haddad:

For < $100 Google gives you an entire screen, which is pretty cool at doing things like showing the weather and providing more info on searches. Does a passable job at showing doorbell camera video too.

Don’t even get me started comparing Siri vs Google Assistant.

Federico Viticci:

Also, HomePod mini discontinued ~2023? I’m afraid Apple is simply too late to the market here – cheaper, more diverse options from the competition, available everywhere, in multiple languages, with smarter assistants.

Myke Hurley:

I try to use a HomePod pair with my Apple TV. When it works, it sounds fantastic. However most days it doesn’t. I get all kinds of failures — with content pausing, or one of the HomePods failing.

Kirk McElhearn:

I think Apple fell into the trap of people who care about audio, thinking that everyone feels like they do. The vast majority of people are fine listening to music on cheap Bluetooth speakers, or even from their phones, and paying that much for what might be better audio just doesn’t make sense.

Jack Wellborn:

You may still think four HomePods is a bit ridiculous, but trust me when I say that they really work well for our needs in this space. We can watch TV, or play music in one or both areas and it all sounds good. You might think “sounds good” would be table stakes, but so much consumer audio, especially wireless speakers, simply don’t sound good. Even my wife, who doesn’t typically care about this sort of thing, asked if we should buy another pair when I told her that HomePods were being discontinued.

Am I a little sad that the original HomePod is going away? Sure, but do I have regrets owning four discontinued wireless speakers? Not at all.

Benjamin Mayo:

Honestly, the decision to cancel it feels like a misstep. The HomePod was overpriced but it was differentiated. The HomePod mini doesn’t really excel at anything. The mediocrity of the Mini’s sound quality means it leans much more heavily on the ‘smart’ component of being a smart speaker, and we know that Siri lags behind Alexa and Google Assistant in many ways. By focusing on the HomePod mini, Apple is implicitly focusing on Siri.

See also: TidBITS.


Update (2021-03-19): Andrew Abernathy:

My living & dining areas are “separated” by these little ledges, and due to the all-around design, a stereo pair of HomePods sends good audio to both sides. (It doesn’t appear to me that the newer minis would do as well.) For me, these have been perfect.

Michael Kukielka (via Ryan Jones):

The 2nd HomePod I bought after their cancellation is also from the launch stock.

Mac APIs that Require Provisioning Profiles

Jonathan Deutsch:

Apple’s documentation should also state provisioning profile requirements of API.

I just burned a day thinking I’d be able to use HomeKit on a Developer ID app.

There’s no way the App Store will approve my utility; so the feature (which I thought was quite cool) is instead cut.

The documentation should also state which APIs work when sandboxed.

Allan Odgaard:

I have codesigned the application using hardened runtime and the entitlement (although this is outside App Store and no sandboxing).

It doesn’t work and I see this error in the console:

(libsystem_secinit.dylib) xpc_pipe_routine() returned [5: Input/output error]

NSWorkspaceAuthorization apparently requires a provisioning profile.


Update (2021-03-19): Jonathan Deutsch:

I was trying to use HomeKit in a Catalyst helper app on macOS. It can’t be provisioned for Developer ID, but would work for the App Store.

HomeKit is only available on macOS via Catalyst and UIKit for Mac.

Underused and Overused GCD Patterns

David Smith:

Underused GCD patterns:

Making a serial queue that’s less aggressive about creating threads (“non-overcommit”):

let q = DispatchQueue(…, target:

All serial queues ultimately target a global queue, which is responsible for actually executing the work; but, for historical reasons, the default target is an overcommit queue. That means it has a higher max thread cap and creates threads more aggressively. This avoids that.

Multiplexing work onto a single serial queue efficiently:

theQueueWeAreAlreadyOn.async { … }

This pushes towards architectures with small numbers of well-known queues and/or explicitly passing queues into things.

Probably overused GCD patterns:

  • Global queues as anything but targets
  • Almost any use of concurrent queues
  • Queues as locks; os_unfair_lock is more efficient (sadly a little trickier to use in Swift; no ideal solution here yet)
  • Turning async into sync with semaphores

Another overused GCD pattern I forgot: manually specifying QoS. Most of the time you can/should rely on automatic propagation, you only need to do it manually if you want to override that for some reason.

Pierre Habouzit:

even when you do not set a target queue you have the autoreleasepool of last resort, but you should never rely on it ever.

Nowadays you should always pass the “autoreleasing” attribute at queue creation. we couldn’t make it default due to things too horrible to mention.

See also: Modernizing Grand Central Dispatch Usage.


Update (2021-03-22): Jonathan Joelson:

The lack of official GCD documentation is baffling given the complexity. Why isn’t any of this stuff explained here?

Pierre Lebeaupin:

I haven’t found any better way to avoid these scenarios than by not blocking in the kernel unless you know for a fact that doing so will arbitrarily scale; and consequently, you need only launch a limited number of tasks: with rare exceptions you will not need libdispatch to schedule an unpredictable number of them to reach full core occupation.


If that queue is a serial queue, however, you have a real problem: as soon as your task has “returned” after calling the asynchronous API, there is nothing that prevents another unrelated task on the serial queue from launching, and finding the state not as it was when you usually start a task, but as you left it at the point you needed to call the async API.

So that leaves you with a rotten choice: either keep the synchronous call instead and risk thread explosion, or factor your code so your state is consistent at the point you hand over to the asynchronous API. But, wait. I don’t call that a choice: I call that a fake dilemma. Presumably, you were using the serial queue for the purpose of state protection, and if that queue can’t ensure its purpose, then the problem is with the queue. I haven’t found any way to “reserve” the queue until the completion has run, that does not seem to be possible with libdispatch. There is no simple solution here, to put it bluntly. If you have few enough serial queues in that situation, then I give you special dispensation to perform blocking calls from it, but in compensation every single such serial queue you create has to be considered equivalent to creating a thread, resource-wise.

David Smith:

dispatch_workloop_t is great stuff btw. It’s a serial dispatch queue that runs blocks in priority order instead of first-in-first-out. This can be considerably more efficient when you just need the thread + mutual exclusion aspects of a queue.

But it is not available in Swift.

Monday, March 15, 2021

SMS Rerouting Vulnerability

Joseph Cox (tweet):

I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.


While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.


As for how Sakari has this capability to transfer phone numbers, Nohl from Security Research Labs said “there is no standardized global protocol for forwarding text messages to third parties, so these attacks would rely on individual agreements with telcos or SMS hubs.”


Horsman added that, effective immediately, Sakari has added a security feature where a number will receive an automated call that requires the user to send a security code back to the company, to confirm they do have consent to transfer that number.


Update (2021-03-19): Bruce Schneier:

Don’t focus too much on the particular company in this article.

Update (2021-05-24): Juli Clover:

Major carriers in the U.S. like Verizon, T-Mobile, and AT&T have made a change to how SMS messages are routed to put a stop to a security vulnerability that allowed hackers to reroute texts, reports Motherboard.

Mac Software Updates Open Up sshd

Rachel Kroll (Hacker News):

A couple of weeks ago, I read a post about how the “sealed system” on Big Sur was hurting people. I kind of skimmed through it and figured it was mostly complaining about the size of the download. For whatever reason, that hadn’t been a problem for me and my machines, so I kind of wrote it off.

Last night, I applied the latest security patches to arrive at Big Sur version 11.2.3, and realized that I should have paid more attention to that thing. It explained something that I had been noticing for a while: my Apache config would keep reverting.


Why would it matter if the sshd config got reverted? Simple: it’s because the stock Mac sshd install includes password-based auth, and that means someone can brute-force their way onto your machine if they can connect to it on port 22 for long enough.

I don’t understand how this would be caused by the SSV, and there’s a report that it’s actually been happening since Catalina. Big Sur updates are also removing the command-line developer tools, although this is also not due to the SSV, as far as I know.


Update (2021-03-16): TJ Luoma:

This has been happening for a long time, and not just on Big Sur. Apple resets 1) sshd_config, 2) ssh_config, 3) the config file that speeds up Time Machine, and 4) the setting that allows you to use Touch ID for sudo auth.

I now have scripts to re-apply those settings.

Also, after every point-update, macOS asks me if I want to turn on Siri (a setting I’ve never enabled on any Mac, ever…take a hint, Apple).

I recently turned off Document & Desktop sync via iCloud, and after a point-update, I was asked if I wanted to re-enable that too.


Update (2023-10-25): Rachel Kroll:

They’ve changed the way the config works [in Monterey] to add a “.d” directory scheme which sets some defaults. There is now /etc/ssh/sshd_config.d, and in it, 100-macos.conf.

Editing that file would likely get reverted upon the next patch (12.0.2?), so that’s right out. You can’t go past it with a higher number, since as the sshd_config points out, the first instance of a setting is kept, and subsequent instances of the same setting are ignored.

Instead, you have to get in front of them, and use a LOWER number. Try something like “000-yourname.conf”[…]
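The first-instance-wins rule quoted above, as an added example (not code from Kroll’s post or from Apple): a small resolver that reports which drop-in file decides a given sshd keyword. The contents given to `100-macos.conf` and the `200-late.conf` and `000-local.conf` files are constructed for illustration, and `Match` blocks are deliberately left out of scope.

```shell
#!/bin/sh
# Which drop-in decides an sshd setting? Drop-ins are read in lexical filename
# order and the FIRST instance of a keyword is kept; later ones are ignored.

# effective_setting DIR KEYWORD
# Prints "VALUE<TAB>FILE" for the first file that sets KEYWORD; returns 1 if none.
effective_setting() {
    dir=$1
    keyword=$2
    for f in "$dir"/*.conf; do          # the shell expands the glob in sorted order
        [ -f "$f" ] || continue
        value=$(awk -v want="$keyword" '
            BEGIN { want = tolower(want) }      # sshd keywords are case-insensitive
            /^[ \t]*#/ { next }                 # comment line
            NF == 0 { next }                    # blank line
            tolower($1) == "match" { exit }     # conditional blocks: out of scope here
            tolower($1) == want {
                $1 = ""; sub(/^[ \t]+/, "")     # drop the keyword, keep its arguments
                print; exit                     # first instance inside this file
            }
        ' "$f")
        if [ -n "$value" ]; then
            printf '%s\t%s\n' "$value" "${f##*/}"
            return 0
        fi
    done
    return 1
}

# make_sample_dir: build a throwaway directory that stands in for
# /etc/ssh/sshd_config.d and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    # Constructed stand-in for the vendor file; NOT Apple's actual contents.
    printf '%s\n' '# vendor defaults (constructed)' \
        'PasswordAuthentication yes' 'UsePAM yes' > "$d/100-macos.conf"
    # A hardening file numbered AFTER the vendor file: too late for any keyword
    # the vendor file already set.
    printf '%s\n' 'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' > "$d/200-late.conf"
    printf '%s\n' "$d"
}

demo() {
    d=$(make_sample_dir) || return 1
    before=$(effective_setting "$d" PasswordAuthentication)
    # Getting in front of the vendor file with a lower number.
    printf '%s\n' 'PasswordAuthentication no' > "$d/000-local.conf"
    after=$(effective_setting "$d" PasswordAuthentication)
    rm -rf "$d"
    printf 'before: %s\nafter:  %s\n' "$before" "$after"
}

demo
```

On a real machine, `sshd -T` prints the effective configuration after all includes are processed, which makes it a useful check to run after each OS update.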

Larger and Slower Updates With Big Sur

Howard Oakley:

The first gigabyte or so of the update has to be downloaded direct from Apple’s servers[…] For M1 Macs these are marked out so that they can’t be obtained from the Content Caching Server. The size of this additional directly downloaded part of the update is essentially the same as the difference in total size of macOS updates between Intel and M1 Macs, around 1 GB.

Howard Oakley (tweet, Hacker News):

In macOS past, those two patches could have been small, whether installed by the system or using a downloadable Installer package. Several factors now conspire to turn a few kilobytes of changes into several gigabytes of update:

  • Firmware updates are only provided as part of a macOS update, and Apple deems it necessary for every macOS update to include a complete set of current firmware for Intel models. […]
  • The dyld cache, nine files occupying about 4 GB when compressed in /System/Library/dyld, which contains a dynamic linker cache of all the system-provided libraries. These fall within the SSV, and appear to have to be freshly provided in every macOS update.


As Jeff Johnson has reminded us, Apple still claims that Big Sur has “Faster updates. […]” Anyone who has been keeping Big Sur up to date over this last month knows that’s simply not true, and its reasoning is flawed.


Had Apple explained these costs and penalties of the SSV at last year’s WWDC, wouldn’t it have been booed from the virtual stage?

Howard Oakley:

With its change in version numbering system, macOS 11 has hopefully replaced the Supplemental Update with patch releases like 11.2.2. Although we haven’t yet reached 11.3, there have already been 6 updates to the initial 11.0 release, and there are marked differences between Intel and M1 Macs. The initial release for Intel Macs was 11.0.1, which was an update for early M1 models, which came with 11.0 pre-installed, and required immediate updating to 11.0.1. Sizes of updates are also different: for Intel Macs these have ranged from 2.3-3.27 GB, for M1s 3.1-4.2 GB. Total update size delivered so far has been 13.86 GB in 5 updates for Intel Macs, and 22.27 GB in 6 updates for M1 models.


Amazon Basics Copies Peak Design

John Gruber:

Amazon even called their rip-off the same name — “Everyday Sling” — although they’ve since changed the name to “Camera Bag”. The crew at Peak Design did the right thing in response: they mercilessly mocked Amazon in this video.


Parler Denied Re-entry to the App Store

William Turton and Mark Gurman:

When it initially removed Parler from the App Store in January, Apple asked the social network to change its moderation practices. Apple said that Parler’s new community guidelines, released when the service came back online Feb. 15, were insufficient to comply with the App Store rules.


“In fact, simple searches reveal highly objectionable content, including easily identified offensive uses of derogatory terms regarding race, religion and sexual orientation, as well as Nazi symbols,” Apple wrote. “For these reasons your app cannot be returned to the App Store for distribution until it complies with the guidelines.”

The guidelines simply say:

1.2 User Generated Content

Apps with user-generated content present particular challenges, ranging from intellectual property infringement to anonymous bullying. To prevent abuse, apps with user-generated content or social networking services must include:

  • A method for filtering objectionable material from being posted to the app
  • A mechanism to report offensive content and timely responses to concerns
  • The ability to block abusive users from the service
  • Published contact information so users can easily reach you

Parler has all this. You can argue with how well it works, but the guidelines don’t state any specific requirements about that. They also don’t define “objectionable content,” except in the previous Section 1.1, which does not seem to be about user-generated content and is obviously not applied to other social apps.

Mike Rockwell:

Maybe you dislike Parler. And given the content on the platform, maybe there’s plenty of reasons to. But I can’t help but wonder if requiring more robust moderation systems from platform makers is in some ways bolstering the status quo.

Are these App Store policies making it even more difficult for a smaller service to actually compete with the likes of Facebook, Twitter, Reddit, and YouTube? Could a scrappy startup with limited resources actually build up a compliant moderation system quick enough if they suddenly get an influx of new users?

The answer is that it depends on whether Apple likes you. If you go by Apple’s written guidelines, multiple apps were compliant, yet rejected anyway. If you go by Apple’s stated objections, none of the major apps are compliant, yet they’re in the store, anyway.


Update (2021-03-16): Mike Rockwell:

Regardless of your opinion about Parler, it’s clear that Apple’s policies are not enforced uniformly. And yes, I agree with the likely rebuttal — the App Store is a private platform, Apple makes the rules and can remove an app for any reason. But there’s a difference between what they can do and what they should do. Without any predictability to policy enforcement, developers are left in the dark. And the smaller developers are the ones hurt the most.


But I would also advocate for opening the platform. Because no matter how hard Apple tries, the review process will never be perfect. Just let developers distribute their own apps.

Thursday, March 11, 2021

Roblox in the App Store

Ben Thompson:

In short, Roblox isn’t a game at all: it is a world in which one of the things you can do is play games, with a persistent identity, persistent set of friends, persistent money, all disconnected from the device that you use to access the world.


[By] controlling everything Roblox can bring all of the disparate parts of gaming into one place; instead of one app for social interactions, another app for purchases, and a different app for every different game, everything is all in the same place.


That’s the screen you see when you launch the app, and I have to say, it looks an awful lot like an App Store! That’s a problem because Apple states in its App Store Guidelines that “Creating an interface for displaying third-party apps, extensions, or plug-ins similar to the App Store or as a general-interest collection” is “unacceptable”.

On one hand, perhaps Roblox is fine because these are not 3rd-party App Store apps, unlike, say, the rejected Facebook Gaming app. But then again, Xbox Game Pass wants to launch 3rd-party games that run in the cloud, not on the iPhone at all, and Apple also said no.

And, unlike xCloud, Roblox downloads the game code, which is also forbidden:

2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps.

David Heinemeier Hansson:

Great example of Apple’s infinite contradictions with the App Store.


Lou Ottens, RIP

Daniel Boffey (Hacker News):

Ottens’s idea was that the cassette tape should fit in the inside pocket of his jacket. In 1963 the first tape was presented to the world at an electronics fair in Berlin with the tagline “Smaller than a pack of cigarettes!”

Photographs of the invention made their way to Japan, where substandard copies started to emerge. Ottens made agreements with Sony for the patented Philips mechanism to be the standard.

Bill Chappell:

Ottens’ goal was to make something simple and affordable for anyone to use. As Taylor says, “He advocated for Philips to license this new format to other manufacturers for free, paving the way for cassettes to become a worldwide standard.”


Nearly 20 years after Philips introduced cassette tapes, Ottens helped the company to develop compact disc technology for the consumer market and, with Sony, to settle on a format that would become the industry standard.

Update (2021-03-14): John Gruber:

I spent a fortune on CDs when I went to college, but I don’t have the reverent nostalgia for CDs that I do for cassette tapes. (Cassettes were even part of computing — my elementary school had a few TI-99/4A computers with cassette tapes instead of floppy drives.)

Brave Search

Brave (tweet, Hacker News):

Today Brave announced the acquisition of Tailcat, the open search engine developed by the team formerly responsible for the privacy search and browser products at Cliqz, a holding of Hubert Burda Media. Tailcat will become the foundation of Brave Search. Brave Search and the Brave browser constitute the industry’s first independent, privacy-preserving alternative to Google Chrome and Google Search, which rely on tracking users across sites and have 70 percent and 92 percent market share, respectively.

Under the hood, nearly all of today’s search engines are either built by, or rely on, results from Big Tech companies. In contrast, the Tailcat search engine is built on top of a completely independent index, capable of delivering the quality people expect, but without compromising their privacy. Tailcat does not collect IP addresses or use personally identifiable information to improve search results.


We will provide options for ad-free paid search and ad-supported search.

John Gruber:

Putting aside the question of whether any non-Google search engine provides good enough search results to replace Google as Safari’s default — a huge question! — if Apple were to make such a move in the name of privacy, it almost certainly would come as a multi-billion dollar annual hit to the company’s Services revenue.


Google to Replace Ad Cookies With FLoC

David Temkin (via John Gruber):

Today, we’re making explicit that once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.


People shouldn’t have to accept being tracked across the web in order to get the benefits of relevant advertising. And advertisers don’t need to track individual consumers across the web to get the performance benefits of digital advertising.

Advances in aggregation, anonymization, on-device processing and other privacy-preserving technologies offer a clear path to replacing individual identifiers. In fact, our latest tests of FLoC show one way to effectively take third-party cookies out of the advertising equation and instead hide individuals within large crowds of people with common interests.

Sam Schechner and Keach Hagey (via John Gruber, Hacker News):

Google’s heft means the change could reshape the digital ad business, where many companies rely on tracking individuals to target their ads, measure the ads’ effectiveness and stop fraud. Google accounted for 52% of last year’s global digital ad spending of $292 billion, according to Jounce Media, a digital ad consultancy.

Nick Heer:

One reason Google is doing this is because it operates at such a vast scale that it can continue to abuse user privacy with its own services with little adjustment. This affects third-party tracking and data, so it disadvantages smaller ad tech firms that are not part of the web advertising duopoly.

Bennett Cyphers (via Nick Heer, John Gruber):

This post will focus on one of those proposals, Federated Learning of Cohorts (FLoC), which is perhaps the most ambitious—and potentially the most harmful.

FLoC is meant to be a new way to make your browser do the profiling that third-party trackers used to do themselves: in this case, boiling down your recent browsing activity into a behavioral label, and then sharing it with websites and advertisers. The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process. It may also exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting.

Google’s pitch to privacy advocates is that a world with FLoC (and other elements of the “privacy sandbox”) will be better than the world we have today, where data brokers and ad-tech giants track and profile with impunity. But that framing is based on a false premise that we have to choose between “old tracking” and “new tracking.” It’s not either-or. Instead of re-inventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads.


Facebook Gets Location From EXIF

Zak Doffman (via DuckDuckGo):

When you upload your photos to Facebook or Instagram, most metadata is stripped out and replaced by Facebook’s own codes. The date and time remain, but the location data does not. This is a major privacy benefit, you don’t want others to download your Facebook or Instagram photos and have details of where you live or work, for example, or to map your movements by the photos you’ve taken.

But that location metadata is not thrown away by Facebook—it is way too valuable. It is harvested, “collected and processed” to be added to the data treasure trove it holds on each of us. Let’s be very clear here, in your iPhone’s “Location Services” settings, under “Privacy,” you can select to “never” allow Facebook access to your location. This shuts down the Facebook app’s access to the location derived from the iPhone itself when using the app or in background. But Facebook still uses this hidden EXIF workaround and it’s your data that is being taken, with most of you not realising it’s being done.


Facebook acknowledged to me that it collects and processes EXIF data—it’s in its data policy, if you know where to look. But its explanation to me focused on technical data to better handle images—it did not want to be drawn on location data, which is the real issue.

Wednesday, March 10, 2021

Shortcuts Library, Simplified

Matthew Cassinelli (via Dave Mark):

It’s my pleasure to announce that I’ve completely revamped my Shortcuts Library portion of my Shortcuts Catalog, remaking what was previously hundreds of shortcuts into a condensed set of:

I spent many hours combining each of my 100 or so Shortcuts folders and putting each shortcut inside a single shortcut for that folder, filled with menus of different actions to take – this is the same content as before, repackaged to be much more accessible.

Fixing macOS Big Sur Search Bugs

Jesse Squires:

Search in Mail on Big Sur stopped working for some users. In addition to the workarounds mentioned here, Ben used OnyX to delete Mail’s Mailboxes index. After that, search in Mail started working for him again.

More recently, Alexis tweeted about an issue with Spotlight Search (and others replied with the same issue). Apparently, for some users, Spotlight was taking insanely long to search. For Alexis, it took almost 45 minutes to find a single file. I suggested using OnyX to rebuild the Spotlight index, which fixed the issue for him.

OnyX is available here, and there are also manual ways of rebuilding these indexes.



Fredrick R. Brennan (via Jason Snell):

It is abundantly clear that this is the font they used, and no typewriter was involved in the production of this scene, even though the documents were the primary object of the scene.

While working on the project, incredibly, another bad typewriter scene intruded upon my life.

Fredrick R. Brennan:

While it would be ideal for the font itself to contain code through which it could create a (near-) infinite number of similar-looking glyphs, that is not possible in an OpenType font.


FF Duper, however, works via hundreds of GSUB subtables; while I tried to follow Wenzel’s lead in this regard, I eventually realized that for my font it was not going to be possible; the layout would be far too slow and the GSUB table far too large.


Instead of large tables and variable numbers of alternate glyphs, acquiesce, and include n (I decided on 9) versions of each glyph, even such glyphs as “space”.

His more realistic typewriter font is available here.


The Role of Bootable Duplicates in a Modern Backup Strategy

Adam Engst:

This change increases security even more, but it also prevents all backup apps from creating bootable duplicates because they cannot sign the backed-up System volume. In theory, Apple’s asr (Apple Software Restore) tool makes this possible, but it didn’t work at all until just before Big Sur was released, still has problems, and even now cannot make a bootable duplicate of an M1-based Mac boot drive. On the plus side, Apple has said it plans to fix asr, but who knows when, or how completely, that will happen.


So, even if you can make one, a bootable duplicate won’t help you unless every Mac you want to use it with uses the same chip.


The primary reason for having an up-to-date bootable duplicate is so you can get back to work as quickly as possible should your internal drive fail.


All this is to suggest that the bootable part of a bootable duplicate is no longer as essential for many people as it was when we first started recommending that a comprehensive backup strategy should include one. Since then, it has become far more common for people to have multiple devices on which they could accomplish their work, and much more of that work takes place in the cloud or on a remote server.

The situation with bootable clones is a shame. It was nice to have that option. Even with an SSD, it can take a long time to restore your data to a fresh macOS installation. But it’s likely that, with access to multiple Macs that are mostly in sync, these days I would be more likely to try to resume work on another device while trying to fix the first, rather than boot from a clone of it.

The most important part, as Engst lays out, is to have a multi-part backup strategy. Time Machine is useful, but should not be relied upon. I consider Internet backups and clones to be essential, too, even if they aren’t bootable.


Update (2022-10-06): Howard Oakley:

There are two other good reasons for wanting to build a cloned external bootable volume.

One is to add your own tools to supplement those provided in Recovery Mode, for example a copy of Disk Warrior to enable rebuilding the directory structures of an HFS+ volume, or TechTool Pro for its hardware tests and other tools. Apple has improved those available in Recovery, and the most important third-party disk utilities simply aren’t available for APFS, as Apple still hasn’t provided developers with sufficient information to enable their development.

The other is to provide a fallback macOS known to work, in the event that the upgraded macOS has problems that can’t be solved. These most commonly arose as the result of defective or failed upgrades, which have largely been addressed by Apple’s new updater/installer and the use of the Signed System Volume (SSV), which verifies every last bit in the System volume is correct. There will always be users who want to have a fallback bootable disk, but that can easily be created by a normal macOS install, rather than requiring any form of cloning.

However, without a clone you cannot quickly switch to a fully capable backup system.

Tuesday, March 9, 2021

Transferring iCloud Photos

Data Transfer Project (via Hacker News):

The Data Transfer Project was launched in 2018 to create an open-source, service-to-service data portability platform so that all individuals across the web could easily move their data between online service providers whenever they want.

The contributors to the Data Transfer Project believe portability and interoperability are central to innovation. Making it easier for individuals to choose among services facilitates competition, empowers individuals to try new services and enables them to choose the offering that best suits their needs.

Apple (via Juli Clover):

You can request to transfer a copy of photos and videos you store in iCloud Photos to Google Photos. Transferring photos and videos from iCloud Photos doesn’t remove or alter the content you store with Apple, but sends a copy of your content to the other service.

The transfer process takes between three and seven days. We use this time to verify that the request was made by you, and to make the transfer.

Some data and formats available in iCloud Photos—such as Smart Albums, Live Photos, or some RAW files—may not be available when you transfer your content to another service.

Mark Munz:

I can now transfer my iCloud photos to another service.

When will I be able to copy my iCloud data to another iCloud account so I can merge it into a single account? ⏱

Nick Heer:

Curious that you can transfer to Google Photos images from two of its biggest competitors, Facebook and now Apple’s iCloud Photos, but not from Google to either of those.

Did Schnorr Destroy RSA?

Steve Weis (via Hacker News):

A recent paper, “Fast Factoring Integers by SVP Algorithms” by Claus P. Schnorr, claims significant improvements in factoring that “destroys the RSA cryptosystem”. If true, it would be practical to demonstrate on well known RSA factoring challenges.

No such demonstration has been made. Without this, assessing the correctness of the paper will have to wait for reviewers to wade through the details and give their feedback.

Bruce Schneier (Hacker News):

At best, it’s an improvement in factoring — and I’m not sure it’s even that.

See also: Stack Exchange.

Vulnerabilities in Microsoft Exchange Server

Brian Krebs (via Hacker News):

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

Nick Heer:

Thumbing through that spreadsheet is informative. You will see exploits targeting software and firmware from Apple, Google, Mozilla, and Adobe — especially Adobe. But the number of vulnerabilities in Microsoft’s products that are being used in the wild stands head and shoulders above all other vendors. That is alarming but it is also unsurprising: organizations large and small use Microsoft’s productivity and server products; perhaps more importantly, these products are used by governments at all levels with no great alternatives.


The State of Deepfakes

James Vincent:

When a series of spookily convincing Tom Cruise deepfakes went viral on TikTok, some suggested it was a chilling sign of things to come — harbinger of an era where AI will let anyone make fake videos of anyone else. The video’s creator, though, Belgium VFX specialist Chris Ume, says this is far from the case. Speaking to The Verge about his viral clips, Ume stresses the amount of time and effort that went into making each deepfake, as well as the importance of working with a top-flight Tom Cruise impersonator, Miles Fisher.


Apple Platform Security Guide (February 2021)

Apple (PDF, via mikeymikey):

This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.

Rich Mogull:

The future of cybersecurity is vertical integration. By vertical integration, I mean the combination of hardware, software, and cloud-based services to build a comprehensive ecosystem. Vertical integration for increased security isn’t merely a trend at Apple, it’s one we see in wide swaths of the industry, including such key players as Amazon Web Services. When security really matters, it’s hard to compete if you don’t have complete control of the stack: hardware, software, and services.

Nick Heer:

All of this makes me wonder whatever happened to Project McQueen, Apple’s effort to eliminate its reliance on third-party data centres for iCloud. Surely this project did not die when some of the engineers responsible for it left the company, but Apple still depends on others for hosting.

Rosyna Keller:

Apple modified the C compiler toolchain used to build the iBoot bootloader to improve its security. The modified toolchain implements code to prevent memory- and type-safety issues that are typically encountered in C programs.


In macOS 11, equivalent at-rest protection for system content is provided by the SSV, and therefore the system volume no longer needs to be encrypted. Any modifications made to the file system while it’s at rest will be detected by the file system when they’re read. If the user has enabled FileVault, the user’s content on the data volume is still encrypted with a user-provided secret.

If the user chooses to disable the SSV, the system at rest becomes vulnerable to tampering, and this tampering could enable an attacker to extract encrypted user data when the system next starts up. Therefore the system won’t permit the user to disable the SSV if FileVault is enabled. Protection while at rest must be enabled or disabled for both volumes in a consistent manner.

In macOS 10.15 or earlier, FileVault protects operating system software while at rest by encrypting user and system content with a key protected by a user-provided secret. This protects against an attacker with physical access to the device from accessing or effectively modifying the file system containing system software.

The idea here is that with neither FileVault nor the signing protecting the system volume, someone with physical access to the Mac could tamper with the system, e.g. to exfiltrate your password when you log in.

Ricky Mondello:

Ever wonder how iCloud Keychain’s Password Monitoring feature works?

tl;dr: Apple servers. 1.5 billion passwords. On-device matching against the most common. Cryptographic private set intersection after that.


Monday, March 8, 2021

Rachel True vs. iCloud

Jon Fingas (via Hacker News, Slashdot, Navin Kabra, 9to5Mac):

Actor and author Rachel True claims iCloud has effectively locked her out of her account due to the way her last name was written. Reportedly, her Mac thought lower-case “true” was a Boolean (true or false) flag, leading the iCloud software on the computer to seize up. The problem has persisted for over six months, she said.

True said she’d spent hours talking to customer service, and that Apple hadn’t stopped charging her for service.

This sort of bug can happen either due to too much static typing or not enough.


macOS 11.2.3

Juli Clover:

Apple says that macOS Big Sur 11.2.3 introduces important security updates and should be installed by all users, with an additional support document clarifying that the software addresses a WebKit vulnerability that could allow maliciously crafted web content to execute code.

Another 2.4 GB update for one security fix?

See also: Howard Oakley and Mr. Macintosh.


Update (2021-03-09): Howard Oakley:

Big Sur 11.2.3 does update a lot of Safari and WebKit components.


In Big Sur, Safari itself is installed on the Data volume, not the SSV, but most if not all of its supporting frameworks and other immutable files are stored on the SSV. This division was originally intended to ensure that updating Safari itself in Catalina didn’t require long and complex installation. Unfortunately for Big Sur users, in this case the changes required to address the security vulnerability have been in those immutable files protected by the SSV, making installation considerably slower and more complex.

The minor updates in AppleIntel Graphics kexts and the ImageIO framework appear unrelated and undocumented.


Update (2021-03-14): Dr. Drang:

When I learned yesterday that 11.2.3 had been released, I decided to update right away. Two reasons:

  1. I wanted to know whether Apple had fixed things or whether this update would also destroy the Command Line Tools installation.
  2. If it was the latter, I wanted to do the update while I still remembered how to repair the damage.

It’s not fixed.

Many years ago, OS updates would sometimes overwrite the Python site-packages directory in the /Library/Python tree. This was pretty bad behavior, as the whole point of the site-packages directory is to hold modules that the user installed. But I think destroying Command Line Tools is even worse because Apple is overwriting directories installed by its own software.

Apple M1 Microarchitecture Research

Dougall Johnson (via Hacker News):

This is an early attempt at microarchitecture documentation for the CPU in the Apple M1, inspired by and building on the amazing work of Andreas Abel, Andrei Frumusanu, @Veedrac, Travis Downs, Henry Wong and Agner Fog. This documentation is my best effort, but it is based on black-box reverse engineering, and there are definitely mistakes.


These numbers mostly come from the M1 buffer size measuring tool. The M1 seems to use something along the lines of a validation buffer, rather than a conventional reorder buffer, which complicates measurements a bit. So these may or may not be accurate.


Distributing Mac Apps Without Notarization

Jeff Johnson:

Sometimes a developer needs to send a Mac app to a user for testing, and in that case it’s a pain to upload the app to App Store Connect first and wait for Apple to notarize the app before you distribute it. […] if you normally distribute your app exclusively in the Mac App Store, the app might not have enabled the hardened runtime, and you won’t be able to notarize the app for distribution outside the Mac App Store[…]

The easiest solution is to download the file in a way that doesn’t cause it to be quarantined. This can also be used to work around the recent problem that some users have been encountering where macOS falsely claims that a properly signed and notarized app is damaged.

In my opinion, using curl in this way is the easiest way to distribute a Mac app to a user without notarization. You still can and should sign your app with your Developer ID certificate, as Mac developers did for years before the notarization requirement. If the user wants some assurance about the downloaded app, they can run the codesign command to verify that the app was indeed validly signed with your Developer ID certificate.

I like to run curl like this:

cd ~/Downloads/ && curl -LO ''

The L handles redirects, and the O avoids having to repeat the filename. Johnson notes that if you download directly to the /Applications folder you can avoid a TCC prompt.


Update (2021-07-02): Howard Oakley:

This article is a demonstration of features in Big Sur which you might have thought would protect you, but because of their inconsistent behaviour could catch you out. This shows how you can download, install and run executable code, such as an app, which isn’t signed with a Developer ID, only an ad-hoc signature, without macOS warning you that the code is potentially dangerous.

Goodbye, iMac Pro

Joe Rossignol (Hacker News, Slashdot):

We’ve since confirmed with Apple that when supplies run out, the iMac Pro will no longer be available whatsoever. Apple says the latest 27-inch iMac introduced in August is the preferred choice for the vast majority of pro iMac users, and said customers who need even more performance and expandability can choose the Mac Pro.

The latest 27-inch iMac features a 5K display with True Tone and a nano-texture glass option, up to a 10-core 10th-generation Intel Core i9 processor, up to 128GB of RAM, up to 8TB of storage, up to AMD Radeon Pro 5700 XT graphics, a 10 Gigabit Ethernet option, a higher-resolution 1080p camera, improved speakers and microphones, and more.

Jason Snell:

This isn’t a surprise. The iMac Pro hasn’t ever been updated, though Apple has tweaked some specs and dropped the 8-core model when it was completely surpassed by the regular iMacs released over the past few years.

More notably, the iMac Pro is a product from a different time, and represents a path Apple ultimately chose not to take with the Mac.

Benjamin Mayo (tweet):

However, it has never been clear if the iMac Pro has sold well. It sits in a niche segment of the market, and much of its place in the limelight for pros has been taken by the 2019 Mac Pro tower. The high-end ‘standard’ iMac models have also encroached on the iMac Pro in terms of performance.

Maxim Eremenko:

As we can see, even the base iMac 2020 model outperforms iMac Pro 2017 ($2,300 vs $5,000) in Xcode. I personally think it is mostly related to the higher frequency (3.8 GHz vs 3.0 GHz and 5.0 GHz vs 4.8 GHz using TurboBoost) and manufacturing years.

David Sparks:

My entry-level M1 Mac, which was one-sixth the cost of my iMac Pro, can render screencasts just as fast and more quietly as the iMac Pro. The big jump in technology with Apple Silicon has caught up with the iMac Pro. I sold mine a few months ago, hoping to get the best value for it. Since selling it, I’ve missed it and its presence on my desk. This is the first time that’s ever happened to me when selling a piece of hardware. But I expect that whatever Apple has in store for the new iMac with Apple Silicon inside will run circles around the iMac Pro and still be whisper quiet.

John Gruber:

The cooling system of the iMac Pro is simply uncanny. I’d hold it up as the best Mac Apple made, period, of the entire Intel era.


Update (2021-03-14): Jason Snell:

Maybe someday there will be a tell-all book written by someone inside Apple during the 2010s. Maybe we will eventually know exactly what happened that led to a bit of a lost decade for the Mac, one that will be remembered for a failed attempt to rethink the Mac Pro and a series of questionable hardware decisions that hobbled Mac laptops for years.


But in my opinion, there’s a single Mac model that tells a good portion of the story all on its own. It’s a Mac that was a remarkably good computer on its own, but also one that represented an approach to the Mac that Apple itself would end up repudiating.

Thursday, March 4, 2021

Reverse-Engineering Rosetta 2

Koh M. Nakagawa (via Hacker News):

I mentioned earlier that a proprietary ABI is used in AOT files. Specifically, the System V AMD64 ABI is used, with the x86_64 registers converted to arm64 registers according to the following table.


The Rosetta 2 runtime is the binary that initializes the emulation process, maps the AOT file onto the memory, and performs JIT translation. When an x86_64 emulation process starts, runtime is mapped onto the memory, and the program counter is set to the entry point of runtime.

One interesting point is that runtime is not a dynamic link library. This is in contrast to the x86 emulation engine xtajit.dll in Windows 10 on Arm.


The logic for JIT translation is also needed to support the execution of x86_64 applications that generate x86_64 code at runtime (e.g., JavaScript engine uses a JIT compiler).

Multimodal Neurons in Artificial Neural Networks

OpenAI (via Hacker News, paper):

We’ve discovered neurons in CLIP that respond to the same concept whether presented literally, symbolically, or conceptually. This may explain CLIP’s accuracy in classifying surprising visual renditions of concepts, and is also an important step toward understanding the associations and biases that CLIP and similar models learn.


Through a series of carefully-constructed experiments, we demonstrate that we can exploit this reductive behavior to fool the model into making absurd classifications. We have observed that the excitations of the neurons in CLIP are often controllable by its response to images of text, providing a simple vector of attacking the model.

The finance neuron, for example, responds to images of piggy banks, but also responds to the string “$$$”. By forcing the finance neuron to fire, we can fool our model into classifying a dog as a piggy bank.


We refer to these attacks as typographic attacks. We believe attacks such as those described above are far from simply an academic concern. By exploiting the model’s ability to read text robustly, we find that even photographs of hand-written text can often fool the model. Like the Adversarial Patch, this attack works in the wild; but unlike such attacks, it requires no more technology than pen and paper.


When we put a label saying “iPod” on this Granny Smith apple, the model erroneously classifies it as an iPod in the zero-shot setting.

Accidentally Quadratic Parsing With sscanf

T0ST (via Hacker News):

GTA Online. Infamous for its slow loading times. Having picked up the game again to finish some of the newer heists I was shocked (/s) to discover that it still loads just as slow as the day it was released 7 years ago.


Enter stack sampling: for closed source applications there’s only one option. Dump the running process’ stack and current instruction pointer’s location to build a calling tree in set intervals. Then add them up to get statistics on what’s going on.


Disassembling the now-less-obfuscated dump reveals that one of the addresses has a label pulled out of somewhere! It’s strlen? Going down the call stack the next one is labeled vscan_fn and after that the labels end, tho I’m fairly confident it’s sscanf.

It’s parsing something. Parsing what? Untangling the disassembly would take forever so I decided to dump some samples from the running process using x64dbg. Some debug-stepping later it turns out it’s… JSON!


To be fair I had no idea most sscanf implementations called strlen so I can’t blame the developer who wrote this. I would assume it just scanned byte by byte and could stop on a NULL.

And then there’s another quadratic array membership test.

Michael Brown:

The performance problem with sscanf O(N²) in glibc has been known since at least 2014 (see bug 17577). Ironically, if they’d used fscanf (reading from a file instead of loading it into memory first) the problem wouldn’t exist.

Matt Keeter:

This sparked a great deal of discussion: Was this C’s fault? Perhaps “web shit”? Capitalism and incentives?

Still, folks in the comments section generally agreed: they wouldn’t write anything that silly.


Yes, I had made the exact same mistake as the programmers working on GTA Online: I had an accidentally quadratic parser!


As someone that has been programming for many years, this was a perfectly-timed reminder that there are always pitfalls out there. The documentation for sscanf does not include a time complexity, so this is a particularly tricky footgun, and I’m sure it’s not the only one lurking in the darkness.

Git (via Hacker News):

This header lists functions that have been banned from our code base, because they’re too easy to misuse (and even if used correctly, complicate audits).
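The parsing pattern discussed in the posts above, as an added example (not code from GTA Online, glibc, Git, or any of the quoted authors): one sscanf call per token on the remaining buffer, next to a single-pass strtol loop that returns the same result. The function names and the comma-separated input are constructed for illustration, and using strtol as the replacement is this example's choice.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Constructed sample input: "0,1,2,...,n-1" in one NUL-terminated buffer. */
static char *make_input(size_t n) {
    char *buf = malloc(n * 12 + 1);   /* up to 10 digits + comma per token */
    if (!buf) return NULL;
    char *p = buf;
    *p = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i) *p++ = ',';
        p += sprintf(p, "%zu", i);
    }
    return buf;
}

/* Pattern from the posts: call sscanf() once per token on the rest of the
 * buffer. A libc that first measures the string (strlen) on every call makes
 * each call O(remaining bytes), so the whole loop is O(N^2). */
static long parse_sscanf(const char *s, size_t *count) {
    long sum = 0, v;
    int used;
    *count = 0;
    while (sscanf(s, "%ld%n", &v, &used) == 1) {
        sum += v;
        (*count)++;
        s += used;                    /* %n: bytes consumed by this call */
        if (*s == ',') s++;
    }
    return sum;
}

/* Single pass: strtol() reads only the digits of the current token and
 * reports where it stopped, so total work is O(N). */
static long parse_strtol(const char *s, size_t *count) {
    long sum = 0;
    char *end;
    *count = 0;
    for (;;) {
        errno = 0;
        long v = strtol(s, &end, 10);
        if (end == s || errno == ERANGE) break;  /* no digits, or overflow */
        sum += v;
        (*count)++;
        s = (*end == ',') ? end + 1 : end;
    }
    return sum;
}

/* CPU time for one full parse of s with the given parser. */
static double time_parser(long (*fn)(const char *, size_t *), const char *s) {
    size_t n;
    clock_t t0 = clock();
    fn(s, &n);
    return (double)(clock() - t0) / CLOCKS_PER_SEC;
}

int main(void) {
    /* Double the token count each round and compare how the times grow. */
    for (size_t n = 10000; n <= 40000; n *= 2) {
        char *in = make_input(n);
        if (!in) return 1;
        printf("%zu tokens: sscanf %.3fs, strtol %.3fs\n", n,
               time_parser(parse_sscanf, in), time_parser(parse_strtol, in));
        free(in);
    }
    return 0;
}
```

On a libc whose sscanf measures the buffer on every call, doubling the token count roughly quadruples the sscanf time, while the strtol time only doubles.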


Apple Account Locked Due to Failed Trade-in

Dustin Curtis (tweet, Hacker News, 9to5Mac, David Heinemeier Hansson, John Gruber, Nick Heer):

I went to update a few apps in the App Store on my Mac, I was met with a curious error.

The internet is filled with stories from people whose Google accounts were locked for unexplained reasons, causing them to lose all of their data, including years of email, so I was somewhat concerned. But I’d never heard of similar cases involving Apple’s services, and I wouldn’t expect such behavior from a customer-focused company like Apple, so I figured it was a glitch and made a mental note to try again later.

The next day, stopped working.

Fortunately, iMessage and Photos continued to work.

When I received an email in mid-February asking about the trade-in, I responded (as it had invited me to do) explaining that I never received the kit and asked for another one. I didn’t get a response.

Very soon after, it seems that Apple simply added the amount of the credit I received when I purchased the M1 MacBook Pro to my Apple Card balance. Normally, this wouldn’t be a problem. Imagine if I had used any other credit card – it would have just been an ordinary charge. But because it was the Apple Store and Apple Card, apparently, things escalated very quickly.

Benjamin Mayo (also: MacRumors, John Gruber, Ezekiel Elin):

The company says that Apple Card and Apple ID are not linked in the way that the blog post alleged, and the company does not disable Apple ID services because of missed Apple Card payments.

The situation arose because the trade-in process was left unresolved, and Apple was following its standard procedures in matters of money owed; this is not anything specific to the Apple Card. When an account is marked as in bad standing, use of Apple ID services is restricted; things like Apple Music or App Store purchases. iCloud is wholly separate and is not disabled at all.


If the issue persists, Apple disables all paid services for that Apple ID until the money is recovered — as the account is essentially in debt.

This doesn’t make much sense to me. The apps and music had already been purchased; they are not a debt. I can see preventing additional purchases and maybe partially disabling the computer that was only partially paid for, but repoing unrelated purchases is unnecessarily harsh for what could be as simple as a lost UPS shipment that was not the fault of the customer. And what if you need access to your financial or password app in order to get your credit card in order?

People are saying that it’s good news that missing an Apple Card payment doesn’t endanger your Apple ID, but is the takeaway actually worse, that any type of credit card is susceptible to this problem?


This is entirely unrelated to Apple Card.

As far as I can tell, it really is an Apple Card-specific issue. With a regular credit card, you can imagine that Apple would have pre-authorized a charge for the trade-in in case it didn’t arrive. And if the bank account linked to the card changed, that would not be Apple’s concern. Apple would add the additional charge, which would go on the card account, the issuer would pay Apple, and then from Apple’s point of view there would be no debt.

But with Apple Card you can pay for Apple products monthly with 0% financing, and Apple has apparently made an optimization so that such purchases are paid directly to Apple via ACH from your bank account, rather than via the card issuer. So it very much matters to Apple that the bank details have changed. The ACH will fail. (At that point, you would think Apple could simply add the amount as a regular card charge, subject to interchange fees. That would be more customer friendly. But it’s clear that not only has this not been designed as a coherent system, but the different parts of Apple aren’t even aware of how it works.)

Dave Mark:

No matter, this should be a wake-up call. Do you have a backup plan if your Apple ID suddenly stopped doing its cloud thing?


I think I am less concerned that Apple disabled Dustin’s account as I am that it took so long to address the issue. If the call to Apple customer support had made the issue clear immediately, a couple of clicks would have resolved this. As is, and if true, looks like the left hand didn’t know what the right hand was doing.

Yes, if this is “standard procedure,” why did it take Apple multiple days to tell him what the problem was? Why are the general Apple support people not able to confer with the Apple ID department? Why did they tell him that it was an Apple Card issue but tell the press that it wasn’t? Why did the e-mail say that he could reply to the e-mail (which erroneously referred to an iPhone purchase) to get his account back when the card issue was resolved, but actually the Goldman Sachs representative had to e-mail a department at Apple and wait a few days? (And that is more evidence that it is related to Apple Card.)


There’s a UX defect with Messages right now where if you delete some conversations in succession, a modal will randomly pop up and ask you if you want to report the contact as spam. Some Apple articles will tell you not to worry if you’ve accidentally reported someone as spam, but it actually does something. It’s not a pedestrian crosswalk button.

I found this out the hard way when my wife could no longer send or receive messages nor sign into Messages and we had to contact Apple support. I’ve accidentally reported tons of people as spam because of this stupid Messages experience, and I can only guess that I’ve reported my own wife so many times from clearing all of my Messages conversations that they disabled her Messages account.


Wednesday, March 3, 2021

Free Trials Aren’t Free Apps

Cabel Sasser:

It doesn’t matter how clear your terms are in your subscription app — and ours are CRYSTAL — some people will just breeze past them

Until Apple starts clearly labelling subscription terms IN THE APP STORE ITSELF, I think we’ll keep getting stuff like today’s BBB complaint 😌

It’s really unfortunate that Apple shoehorned trials into the IAP system, so that the store acts like they aren’t a thing. There should be standard UI, both in the store and in the app, for the common patterns.

Ben Sandofsky:

The top source of negative @halidecamera reviews, by far, comes from users who thought it was free.

We put a big disclaimer at the top of our App Store description, explaining it’s paid with a free trial. Nobody reads it.

This really needs to be fixed at the App Store UI level.


I talk to a ton of Indies who went freemium not because they want to, but out of fear of negative reviews from users. That’s no way to run a business.


The bizarre part is Apple’s whole brand is built around just paying for the product. You pay a premium on the hardware to avoid adware. Apple TV+ doesn’t have “free with ads.”

Unfortunately, that is changing.

Cabel Sasser:

I’m going to reveal to you my ultimate secret. See screenshot.

  • Reduces zero-stars by giving an instant outlet for anger!
  • Is hooked up to an auto-responder that has a link to the full-price Transmit, which we can’t link in the app!

Netflix does something similar.

Update (2021-03-09): Ryan Jones:

Why does News+ have Ads? 😡


Mortgage rates

Jeff Johnson:

In the past couple of days, news sites such as ZDNet and iMore have reported that macOS can display a notification advertising Safari when you first launch Microsoft Edge. It turns out that this “feature” actually appeared first in Mac OS X 10.10 Yosemite, as described in an old blog post by Daniel Aleksandersen, an engineer for the web browser Opera. The Safari advertisement can occur with any alternative web browser, such as Opera, not just with Microsoft Edge. Ironically, it can occur even with Apple’s own Safari Technology Preview! I’ve discovered reliable steps to reproduce the advertisement, using the information from Aleksandersen’s blog post.

Tim Hardwick:

Apple’s advertising system for monetizing its apps and services is the target of a new complaint in France that has been brought against it by a lobby group representing startups and venture capital firms (via Bloomberg).


The group said it had acted because Apple’s system doesn’t ask for the user’s permission to receive the targeted ads, which are enabled by default.

Australia vs. Facebook and Google

Timothy B. Lee:

Google says it would have “no real choice” but to shut down its search engine in Australia if Australia passes a new law requiring Google to pay news sites to link to their articles.


You might think that Google would simply stop linking to Australian news sites. But that won’t be allowed under the ACCC proposal. New non-discrimination rules require Google to treat sites the same whether or not it has to pay to link to them.

Adam Schrader and Henry Martin (via Hacker News):

Tim Berners-Lee, known for creating the web in 1989, told an Australian Senate committee that the News Media Bargaining Code would violate the fundamental principles the public internet was founded on.


However, Leaver argued that what Facebook and Google do are not simple links. Instead, the companies create ‘compelling previews’ for the articles by using content from within the articles like headlines.

Matt Stoller:

Facebook stopped allowing the sharing of news in Australia, after the government put forward a law requiring the firm to negotiate with news publishers over the terms of content distribution. The firm also stopped letting Australian publishers be shared anywhere in the world on Facebook. Facebook also did their usual ‘move fast and break things,’ accidentally censoring much of the South Pacific, but the result is that when you try to post Australian news, this is the message you get.

Joshua Benton (via Hacker News):

Even people outside Australia can no longer share stories from Australian publishers big and small, from the Sydney Morning Herald all the way to the Goondiwindi Argus.


From that point, daytime traffic looks like the dead of night. In the 6 p.m. hour on Wednesday, Facebook sent 201,000 pageviews to Australian publishers. Twenty-four hours later, it sent just 14,000 — a 93 percent drop.


The decline in Facebook traffic from overseas has a particularly big impact because a larger share of publishers’ international traffic flows through Facebook than does its domestic audience.

John Gruber:

Calling Australia’s bluff is exactly the right framing. What’s surprising is that Australian government officials (and others around the world, like David Cicilline, chairman of the U.S. House Antitrust Subcommittee), didn’t even see it as a bluff that could be called. The mindset behind this law seemed to be that Australia could demand whatever crazy stuff they wanted (like Facebook being required to pay major news organizations just for links to their articles — which the news organizations themselves would be free to post to their own Facebook accounts) and Facebook and Google would just say “OK, sure.”

Mike Masnick:

This is like saying that not only should NBC have to run an advertisement for Techdirt, but it should have to pay me for it. If that seems totally nonsensical, that’s because it is. The link tax makes no sense.


Indeed, the people who are saying that this move by Facebook is somehow an “attack” on news or an attack on Australian sovereignty seem to be admitting more than they’d really like: that they think Facebook must be a dominant source of news in the country.

I mean, if Facebook is really such a problem, shouldn’t they all be celebrating? This is Facebook saying “okay, okay, we’ll completely remove ourselves from the news business.” Since everyone was complaining that Facebook was too much of a presence in the news business… isn’t that… a victory?


And the most incredible thing is that no matter what Facebook did here it would have gotten yelled at. And the proof is not hard to find. Because just an hour or two before Facebook made this announcement, Google went the other way -- coming to an agreement to pay Rupert Murdoch for featuring Murdoch-owned news organizations’ content on Google. And people freaked out, complaining about Google helping fund Rupert Murdoch’s disinformation empire. Except… that’s the whole point of the law?

Nick Heer:

The results of this policy do not appear to encourage quality journalism. Instead, Google has helped further entrench Rupert Murdoch’s longtime dominance of Australian media, while Facebook users will only be able to link to websites not informational enough to be considered news.

Nick Heer:

Maybe this means that Australian Facebook users will become some of the best news consumers in the world because they will have to look elsewhere. They won’t rely on what Facebook thinks they want to see. It could be good for publishers, too, who will surely be happy to avoid Facebook’s algorithmic Jenga game.

But, if Facebook referrals are a significant amount of traffic to news websites, this law will have backfired in a quick and predictable way.

Alex Kantrowitz:

“We’re restoring news on Facebook in Australia in the coming days” says Facebook VP of global news partnerships @campbell_brown.

Nick Heer:

It appears that Facebook and the Australian government are resolving their differences. Facebook says that it will be restoring links to news on its platform; the government will make some adjustments to the law.

But while a country and a social media company were scuffling, the latter’s power became obvious to those in the South Pacific.


Watson is describing the practice of zero-rating and one reason why it is so pernicious. Zero-rating sounds great on its face. It means that popular services can strike deals with telecom providers so, at its best, some of the things most people do on the web are not counted against data quotas.


Tuesday, March 2, 2021

Be Careful With Obj-C Bridging in Swift

Bruno Rocha:

While visually the same, this case is completely different from the view controllers one! String does not inherit or use NSString in any way -- they are different objects with different implementations. The way this works is that as in this case is a syntax sugar for the following[…]


Cases like this can be extremely confusing if your Swift method cannot predict where its arguments are coming from, because as we can see above, the very same object can completely change the result of an operation depending on if it was bridged or not. If it wasn’t enough, things get even worse when you deal with the fact that the very same method can have different implementations across languages[…]


I personally think that using as as a syntax sugar for bridging was not the best idea.

What it does is fine, but perhaps it should have been spelled differently.


Update (2021-03-22): SE-0083 (deferred):

Dynamic casts using as?, as!, and is are currently able to dynamically perform Cocoa bridging conversions, such as from String to NSString or from an ErrorProtocol-conforming type to NSError. This functionality should be removed to make dynamic cast behavior simpler, more efficient, and easier to understand. To replace this functionality, initializers should be added to bridged types, providing an interface for these conversions that’s more consistent with the conventions of the standard library.

Apple TV 3 Losing More Content

Joe Rossignol:

Last week, the MLB app was removed from the third-generation Apple TV[…] A few other popular apps are being removed from the third-generation Apple TV as of this month, including YouTube and CBS All Access, the latter of which is being rebranded as Paramount+.

Zac Hall:

Developers just can’t justify putting resources behind a discontinued product that’s no longer being sold or maintained by Apple. Based on the state of streaming media affairs, we will only continue to see the third-gen Apple TV lose access to apps with no direct replacement product from Apple on the market.

I see why this is happening, but it’s frustrating because the newer Apple TVs don’t offer anything new that I want, and a 1080p box remains fine for my 1080p TV.


Origin of macOS Poof Animation

Chris Hynes:

It used to be that when you dragged an item off the Dock and dropped it, the icon would disappear in a puff of smoke and make a satisfying noise. The animation was strangely primitive against the backdrop of the slick user interface of what used to be called Mac OS X.


The intention of the designer was that these drawings would stoke further discussion. That it would get cleaned up and refined later.

Apple Developer Forums Can Now Monitor Threads

Apple (also: MacRumors):

And now, it’s easier to find and keep track of content you’re interested in. Take advantage of enhanced search and a new feature that monitors threads for you and sends you an email each time there’s a reply.

The new forums remain pretty useless, except that they are the sole source of some incredibly valuable de facto documentation written by DTS engineer Quinn.


Update (2021-03-14): See also: The Wisdom of Quinn.

Adam Maxwell:

Quinn’s posts remind me of mmalc’s Cocoa Bindings sample code on his personal page, and his writeups on cocoa-dev. Super helpful, but sure would be nice to have IN THE FORMAL DOCUMENTATION.

Aaron Tuller:

Yes yes. I still have this in my favorites bar in Safari, can’t imagine relying solely on the reference pages.

Update (2021-05-06): Craig Hockenberry:

WTH? You can’t post an image on Apple Developer Forums?

Apple is intentionally making it hard to communicate visually. And with external links being banned, there’s no workaround.

Monday, March 1, 2021

Apple Beige

Ben Zotto:

Apple’s second computer — its first to have a case — launched in 1977, and that boxy beige Apple II was soon everywhere: in classrooms, living rooms and offices. At the vanguard of a generation of personal computers to come, it featured a particular and carefully-chosen beige. But what did that look like? Those first machines — the ones that have escaped landfills anyway — have shifted in color over 40 years. The documented public record is sketchy and confused. But I stumbled upon a way to investigate what Apple Beige was like.

Ben Zotto:

Jerry Manock, the original designer of the iconic cases and the person most closely associated with Apple Beige, was kind enough to respond in detail to my inquiries following the article. There’s more to this story than just a color swatch.


I shared my earlier story about Apple Beige with Chris Espinosa, the only current Apple employee who was around back when the Apple II was being developed (!). He was “surprised at the focus on Pantone because my work with Jerry [Manock] was always in Munsell.”

The Mac Price Crash of 2021

Robin Harris (via Hacker News):

The impressive performance and battery life gains of the new M1 MacBooks have created a historic discontinuity in the normally placid resale market. Should you spend $800 for a one year old MacBook Air when for $200 more you could get a MacBook Air with several times the performance and 50 percent better battery life?


I check Craigslist fairly regularly to keep track of what’s for sale. I’ve seen an unusual bifurcation in the pricing for MacBooks.

There are more late-model Intel MacBooks showing up for sale. Some of those are showing context sensitive pricing, i.e. almost new MacBook Airs for $600 rather than the $800-$900 that some think their Intel-based machine is still worth.


Update (2021-03-02): Om Malik:

After Apple loaned me a 13-inch M1 MacBook Pro for review, it was clear: we were on the cusp of a significant shift in architecture. Intel-powered Macs would feel puny in a few years. I needed to get rid of all my Intel machines as quickly as possible.

I will be keeping mine for a long time for testing. They work just as well as they always have, and even 2013 MacBook Airs can run Big Sur, so my hope is that many Intel Macs will have long second lives after being resold. The transition will create good opportunities for anyone who doesn’t need the latest or requires x86 support.

Weather Line Acquired

Off Coast LLC (tweet):

The acquisition means the app is going away. Today, we removed Weather Line from the App Store. For all existing Weather Line users, free and paid, the app will continue working for 13 months, until April 1, 2022.


As an Indie Founder without a day job, being able to sell an app provides for my family in a very difficult climate.

Ryan Jones:

For those asking – we will not be joining the purchasing company.

We’ll transition the app to them, show them the ropes, and help them plan – but we will not be continuing with the app long term.

I hope the buyer brings it back in a similar form because there’s still nothing like it.


Update (2021-03-02): See also: MacRumors and Hacker News.

Update (2022-04-11): Ryan Jones:

Goodnight @weatherlineapp


Downcast 2.9.61

George Cox:

This update contains a big improvement in Downcast’s macOS app that reduces the chances of running into the dreaded ‘inaccessible resource’ issue. Per Apple’s suggestion, Downcast stores security-scoped bookmarks for file system resources rather than absolute paths. Bookmarks are a more robust way to keep track of the content Downcast downloads like artwork, episode media files, etc. However, these bookmarks can become stale or invalid for a variety of reasons. When this happens, it’s usually possible for the app to automatically refresh the bookmark and continue operating without issue. Unfortunately, Downcast wasn’t handling a specific recoverable condition correctly prior to this build and that led to users experiencing this frustrating ‘inaccessible resource’ issue when they shouldn’t have.

Great news, but apps shouldn’t have to deal with this. Security-scoped bookmarks have been around since macOS 10.7. Why do they continue to break for seemingly no reason?

See also: Peter Steinberger.