Monday, May 8, 2023

Rapid Security Response Version Numbers

Howard Oakley:

Because these are ‘hot’ fixes to address vulnerabilities that are either being exploited already or are considered urgent, I can see a case for temporary secrecy. As they’re easy to uninstall, unlike regular macOS updates, any resulting problems should be easy to address.

What I hadn’t expected was the mess this has brought to macOS version numbering.

[…]

This new version numbering system introduced with Big Sur doesn’t provide for RSRs. One logical solution might have been to extend it to a fourth digit, making last week’s RSR 13.3.1.1. Perhaps the least appropriate would have been to introduce letters and punctuation marks other than the stop/period already used, and that’s exactly what Apple has chosen by making this first RSR 13.3.1 (a).

[…]

Interpretation of build numbers is more controversial, and has now reached a new height of opacity: apply this RSR to build number 22E261 and it becomes 22E772610a. Quite where the three additional digits come in remains a mystery that we can rely on Apple never to explain.

Howard Oakley:

How can you tell which upgrades and updates your Mac has downloaded and installed? If you wish, you can rummage through those listed in System Information’s Installations. I’d prefer to browse something a bit more selective and ordered: SystHist.

This new version now handles RSRs in its three panels.

Howard Oakley:

I’m delighted to announce what I think is a unique resource: a detailed listing of all updates to macOS over the last four years and more, with links to full information about each. These include regular updates, security updates, and Supplemental Updates.

You can access this list at this page.

Previously:

Update (2023-05-09): Howard Oakley:

The most significant risk with any RSR is relative lack of testing before release. This is countered by its ease of removal, and its relative isolation from the sealed system. Unlike a full macOS update, it makes no changes to the sealed system, and once removed shouldn’t leave any trace.

Previously:

Comments RSS · Twitter · Mastodon

Leave a Comment