Monday, March 8, 2021

macOS 11.2.3

Juli Clover:

Apple says that macOS Big Sur 11.2.3 introduces important security updates and should be installed by all users, with an additional support document clarifying that the software addresses WebKit vulnerability that could allow maliciously crafted web content to execute code.

Another 2.4 GB update for one security fix?

See also: Howard Oakley and Mr. Macintosh.

Previously:

Update (2021-03-09): Howard Oakley:

Big Sur 11.2.3 does update a lot of Safari and WebKit components.

[…]

In Big Sur, Safari itself is installed on the Data volume, not the SSV, but most if not all of its supporting frameworks and other immutable files are stored on the SSV. This division was originally intended to ensure that updating Safari itself in Catalina didn’t require long and complex installation. Unfortunately for Big Sur users, in this case the changes required to address the security vulnerability have been in those immutable files protected by the SSV, making installation considerably slower and more complex.

The minor updates in AppleIntel Graphics kexts and the ImageIO framework appear unrelated and undocumented.

Previously:

Update (2021-03-14): Dr. Drang:

When I learned yesterday that 11.2.3 had been released, I decided to update right away. Two reasons:

  1. I wanted to know whether Apple had fixed things or whether this update would also destroy the Command Line Tools installation.
  2. If it was the latter, I wanted to do the update while I still remembered how to repair the damage.

It’s not fixed.

Many years ago, OS updates would sometimes overwrite the Python site-packages directory in the /Library/Python tree. This was pretty bad behavior, as the whole point of the site-packages directory is to hold modules that the user installed. But I think destroying Command Line Tools is even worse because Apple is overwriting directories installed by its own software.

11 Comments RSS · Twitter


Yet again Apple permits a patch-gap for older oses. watchOS got a security update today. Catalina? radio silence. Apple is unfit to be a platform vendor.


> Another 2.4 GB update for one security fix?

The most shocking aspect of which is that, on Catalina, the same security fix — if the release notes are to be believed, which admittedly they seldom are — downloads and installs in 40 seconds flat, without the need for a restart. But, of course, Catalina’s system volume is not sealed or special…


It looks like China finally allowed Apple to patch macOS after compromising enough Uyghurs outside of China.


I guess the updates are big because of the dyld_shared_cache. Having a single bit changed in any framework would make them ship a whole new cache, which is a new Big Sur thing and is several gigabytes big. Did not look into the update internals and don’t know why minor iOS updates are still compact.


The bigger pain, for me at least, is the install times: 20 - 30mins on my (relatively new) Intel Macs. Google manage almost instant updates on ChromeOS and Android - why is macOS such a slouch? Wouldn't be so bad if they didn't keep releasing updates every other week... Seems like we are collectively paying a large price for security no-one really asked for on a desktop OS.


Old Unix Geek

I find it highly ironic that Apple claims to be environmentally friendly but architects their OS to require 2.4 Gb.

The internet is a large (3-4%) and growing user of electricity which is mostly generated from fossil fuels. Even if they only were to use "renewables", the routers along the way don't.

It also precludes people with bad internet from buying Macs (rural USA).


Really, this is no different than anything else Mac OS does -- it's a bandwidth hog. Anytime I'm on limited speed like 1 Mbit/sec my entire connection is tied up for 10+ minutes seemingly every time I open my Mac, via either iCloud or "nsurlsessiond" doing god knows what (I don't take photos except maybe 3 or 4 times a week and I never take videos, so it's not that). It's really pathetic how Apple just assumes everyone has gigabit connections everywhere for free and gives almost no tools to manage data use (especially on Mac, but even iOS new "low data mode" leaves a lot to be desired).


Old Unix Geek: 2.4 GB is about an hour of HD video. If you think this is bad, then you should *really* be upset that AppleTV exists at all! One afternoon of binge-watching a TV show uses more bandwidth than all of the updates Big Sur will ever have.

Maxim: There's several ways to support small changes in large binary files without needing to ship gigabytes of data every time one bit changes. This explains *what* they're doing that's causing the problem, but not *why* they're doing it in such an inefficient way.


Worse, if you run Big Sur in a virtual machine, there is no incremental installer, only a full 12.2 GB installer.


Old Unix Geek

@Ted:

Actually, I am. I don't have one. I much prefer optical media. Other than lowering energy usage, it has the advantage that once bought, it stays bought, unlike politicians.

For the same reason, I force most youtube videos down to 144p (even though Google's UI keeps trying to "upgrade" them to 1080p) unless I really care about the video.

Last year's wildfire season was no fun. Lack of food, and mass migration due to people fleeing the unsurvivable predicted wet bulb temperatures won't be fun either. But hey, at least people got to see that zit on the presenter's face in high definition! To me, that's a stupid trade-off.

If you're interested in the topic, and are open to have any happy delusions dispelled, this presentation is worth watching: https://www.youtube.com/watch?v=s254IPHXgVA

(It comes with slides, so you can look at those instead of using high resolution. It includes a map of places humans will not be able to survive in if temperatures hit 4˚C). His full course is worth doing (it's on youtube) but it's in French.


2.4 GB is about an hour of HD video. If you think this is bad, then you should really be upset that AppleTV exists at all!

I think that’s a flawed argument. 2.4 GiB is an hour of HD video because we want that level of quality, and better compression algorithms don’t (commonly) exist yet.

That’s not true for this macOS update. I don’t know if the WebKit fix is literally the only thing 11.2.3 changes (Apple seems institutionally unwilling or unable to consistently and properly write detailed release notes), but if so, I imagine the binary diff isn’t much more than a Megabyte; probably less. Presumably, the bug is somewhere in WebCore.framework or WebKit.framework, but they total 160 MB, i.e. less than an order of magnitude than the update.

In a video, the vast majority of data is taken up by the actual video and audio streams; in this update, the vast majority of data apparently is taken up by things unrelated to the core function of the update.

Leave a Comment