Archive for July 2023

Monday, July 31, 2023

iCloud Drive Troubleshooting, Metadata, and Custom Icons

Howard Oakley:

Fixing problems with iCloud and iCloud Drive is completely different from any other troubleshooting in macOS, because:

  • Almost all problems are delays in or failure of synchronisation.
  • Documentation is almost entirely lacking.
  • There are almost no tools to help diagnose or fix problems.
  • Even those experienced in reading the log find it hard to use for diagnosis of iCloud problems.
  • There’s a very limited range of potential solutions.

The main problem I have with iCloud Drive is that (even small) files added from my iPhone often take 8 or more hours to be uploaded, even with the phone on Wi-Fi and a small total amount of data stored in iCloud Drive. There are even fewer troubleshooting levers to try in iOS than in macOS. Sometimes restarting the phone helps; other times I just need to wait or share the file in a different way if I need it sooner.

Howard Oakley:

The illusion that all xattrs are retained by iCloud Drive when read from the same Mac that uploaded them isn’t the result of those xattrs being stored alongside the file’s data in iCloud Drive. Instead, those xattrs are accessed from the local file system. Eviction thus appears to change local metadata by deleting large xattrs, and all xattrs.


For example, although I’m sure they have long since been deprecated, Resource Forks can still be used to provide a custom thumbnail that’s displayed in preference to the default set by QuickLook. As that is accessed from the local file system on a Mac that uploaded the file to iCloud Drive, on that Mac the custom thumbnail will be displayed until the file is evicted; when it’s downloaded again, the Resource Fork will have been stripped, and the custom thumbnail has vanished. But on a different Mac accessing the same file in iCloud Drive, the custom thumbnail won’t have been shown at all.

Although that might seem an edge case, vanishing metadata can have other significant impacts on apps that rely on it.


Flags can be upper or lower case letters C, N, P and S, and invariably follow the # separator, which is presumably otherwise forbidden from use in a xattr’s name. Upper case sets (enables) that property, while lower case clears (disables) that property.

Howard Oakley:

Even if you were able to upload the Icon? file complete with its xattr, there’s another problem to overcome. In APFS, your local file system, directories can have xattrs attached to them, and often do. iCloud Drive doesn’t appear to have any equivalent that can be associated with xattrs, so there’s nowhere to store the xattr containing the flag to indicate that folder has a custom icon.


This xattr stripping also comes into play for custom file icons that are evicted, then downloaded and viewed on the same Mac that added the icon. As long as a file isn’t evicted, it still uses the xattrs stored in its local file system metadata, including, but when it has to be downloaded from iCloud Drive, that xattr is stripped, so removing the custom icon. This explains why custom file icons can mysteriously vanish, even when they’re viewed from the same Mac that created them.


Since writing my previous account of the behaviour of xattrs in iCloud Drive, I have also been able to clarify the limits imposed on their size. The primary limit appears to be a maximum total size of around 32,650 bytes (but slightly less than 32,767) available for the storage of xattrs for each file in iCloud Drive, rather than any lower limit on the size of individual xattrs. If the total size of xattrs for any given file exceeds that, then individual xattrs are removed, starting with the largest, until the total falls below that maximum.


Update (2023-08-04): Craig Grannell:

My iCloud Drive has suddenly started restoring months-old folders but without whatever was in them, which at first freaked me out because I thought I’d lost a load of files. Why is it doing this? No idea. On the plus side, no catastrophic data loss this time.

Exploring Unicode in macOS With Clui

Joel Bruner:

My new tool clui, pronounced “clue-ee” offers Command Line Unicode Info with the ability to export to a variety of formats like CSV, JSON, YAML, RTF and more. While I’ve written a few macOS command line tools geared to the Mac Admin like jpt the JSON power tool, ljt the little JSON tool, shui for easily adding AppleScript dialogs to your shell script, and most recently shef a Unicode text encoder and formatter for shell scripters. This is one is almost “just for fun” although you might find some practical uses for it. Writing shef opened my eyes to the stunning amount of detail and craftsmanship in macOS’ Unicode-aware fonts, which comprise not just the alphabets of the world but signs, symbols, and even Egyptian hieroglyphics! While macOS’s built-in Character Viewer does a pretty good job to group and display these characters it’s a painstakingly manual process if you want to get info on a range of characters. I hope clui makes it fun and easy to poke around the vast Unicode neighborhood.

Friday, July 28, 2023

Switching to a Mac After Decades on Windows

Anže Tomić:

The other reason I got the Mac mini is how quiet it is, which is very helpful when you record your voice for a living. […] The announcement of the M2 Pro Mac Mini with all those Thunderbolt ports at the back was the day I knew I was going to switch.


It turns out that on the Croatian keyboard layout, I can’t find the right key to press for this [Command-`] shortcut!


When Jason asked me to write about what surprised me about switching to the Mac, it never occurred to me that window management would be the main thing. But it is. I really believe this is the biggest difference between Windows and macOS nowadays. One is a desktop operating system that is worse on laptops and the other is a laptop operating system that is worse on desktops if you don’t buy a trackpad.

I frequently hear comments like this, but I don’t feel like I’m missing anything using my MacBook Pro as a desktop with a Magic Mouse. It seems much faster for me than a trackpad. And I think macOS shines as a desktop operating system, when there’s room to have a bunch of windows on screen at once.

A fair bit of the annoyance that prevents me from using the Mac the way it was intended stems from the fact that macOS does not support my language.


Those feelings extend to the apps, too. I finally got to play PCalc’s about screen! I bought Transmit, and it is the best app of its kind I have ever used. Ever. Audio Hijack is like a legal, no-side-effects performance-enhancing drug for a podcaster. There are very good Windows apps, but so far for me the Mac has some stuff that is unbeatable.


The Mess at Stack Overflow

Ayhan Fuat Çelik:

Over the past one and a half years, Stack Overflow has lost around 50% 35% of its traffic (Update: Around 15% of the observed loss seems to be related to the recategorization of the Google Analytics Cookie around May 2022.[…]). This decline is similarly reflected in site usage, with approximately a 50% decrease in the number of questions and answers, as well as the number of votes these posts receive.

Via David Mimno:

This is not sad, this is a warning. A company did everything (mostly) right: created a vitally useful free service, worked hard to keep it healthy, shared data for research. Then another company swooped the data and made it compete against itself.


To be clear, this is really bad for LLM cos as well. You can only pull the “snarf an existing web community” trick once, folks like Reddit have already wised up. Free data is as dead as zero interest rates.

I’m not sure how much of this has to do with AI. What is the evidence for that? It doesn’t seem like a good substitute, at least for the way I use Stack Overflow. Sure, some people are probably asking ChatGPT or Copilot instead, but so many so quickly?

My impression is that Stack Overflow had been kind of losing its way for years. The founders got distracted by other projects, then left, and the new management seemed more interested in business deals than in improving the product. They lost sight of what was best for the user/community.

Jon Ericson (via Hacker News):

I’ve been on vacation, so I haven’t been following the Stack Overflow moderator strike. Not that there has been much progress. Negotiations stalled for a variety of reasons. Meanwhile Stack Overflow’s CEO, Prashanth Chandrasekar, dug the company’s hole a bit deeper during an interview with VentureBeat.


By contrast Prashanth regularly talks about combining community and AI without going into detail about how that solves the problem at hand. Neither does he go into much detail about the problems the company intends to solve. I suspect one reason is that Prashanth, who has spent most of his career in management, has become something of an architecture astronaut. As Joel puts it, “architecture people are solving problems that they think they can solve, not problems which are useful to solve.” Since there is overlap between a Q&A site and generative artificial intelligence, there must be a way of jamming them together.

But there’s another factor. In May I wrote about Stack Overflow’s business, which lost $42 million over 6 months and had just laid off 10% of its employees. Since then, the company’s fiscal year-end results came out. Despite growing revenue, it lost $84 million over the year ending on March 31, 2023. In fact Prosus’ entire education technology segment lost money despite growing income[…]


While this might be the company’s public position, Prashanth privately wanted to limit who can access the data. On March 28, 2023, he ordered the data dump not be uploaded to The DBA who turned it off warned that the community would notice and it did. Rather than having an answer prepared, the company publicly struggled for an answer. Internal communication shows most of the company was as surprised as the rest of us.

It seems like they could have been profitable at a smaller size, but they grew way too much and got rid of unique features people liked, such as the jobs board.

Danny Thompson:


OverflowAI is a tool, that will also have a VS Code plugin. The way this works, if you are on the site and ask a question, it will produce the answer for you while also citing the sources it used to produce the answer.

You can then ask more in the conversational area, even including code, and through Generative AI it can continue building off of the answer.


Update (2023-08-04): Priyam (via Hacker News):

If we look closely, the most drastic drop starts around April of 2022, while ChatGPT came out 7 months later in November. While we do see drops every summer (school breaks) and winter (workplace vacations), this drop in April 2022 is sustained and only getting worse.


There are 4 reasons that explain the slow decline of Stack Overflow.

Update (2023-08-09): Rob Napier:

When someone on SO asks about the internal details of something, please stop chastising them that it’s internal and they shouldn’t need to know.

They want to know. That is all the reason they need.

Some questions are very advanced when it’s clear something simpler was meant, so probe that. But I’m tired of seeing folks who ask “just to learn” and get fussed at. Where do you think we get the next compiler devs?

Reddit Deleted Years of Chat History

Wes Davis:

Reddit users have noticed the site unexpectedly removed everyone’s chat history prior to January 1st of this year. Those asking why have been directed to a changelog update from June announcing feature updates to chats (via Mashable). The update’s headline didn’t say anything about data going away, and burying any reference to removal at the bottom with a vague, single line:

In an effort to have a smooth and quick transition to this new infrastructure, we will migrate chat messages sent from January 1, 2023 onward.

Older messages that are not migrated are effectively deleted.

I tested out the data export. The page gives you the option to initiate the request under the EU’s General Data Protection Regulation (GDPR), a pair of California regulations, or “Other.” I chose the third option and quickly received a file that appears to have my full history, though admittedly I didn’t make frequent use of the feature. But some users have said their downloads were missing chats.


Thursday, July 27, 2023

Tesla Range Estimates and Suppressing Complaints

Steve Stecklow and Norihiko Shirouzu (via Hacker News):

Tesla years ago began exaggerating its vehicles’ potential driving distance – by rigging their range-estimating software. The company decided about a decade ago, for marketing purposes, to write algorithms for its range meter that would show drivers “rosy” projections for the distance it could travel on a full battery[…]

Then, when the battery fell below 50% of its maximum charge, the algorithm would show drivers more realistic projections for their remaining driving range, this person said. […] The directive to present the optimistic range estimates came from Tesla Chief Executive Elon Musk, this person said.


Data collected in 2022 and 2023 from more than 8,000 Teslas by Recurrent, a Seattle-based EV analytics company, showed that the cars’ dashboard range meters didn’t change their estimates to reflect hot or cold outside temperatures, which can greatly reduce range.


Tesla supervisors told some virtual team members to steer customers away from bringing their cars into service whenever possible.


Tesla also updated its phone app so that any customer who complained about range could no longer book service appointments, one of the sources said.


In late 2022, managers aiming to quickly close cases told advisors to stop running remote diagnostic tests on the vehicles of owners who had reported range problems[…]

“Thousands of customers were told there is nothing wrong with their car” by advisors who had never run diagnostics, the person said.


Update (2023-08-04): Jon Brodkin (Hacker News):

Tesla is facing a class-action lawsuit filed by customers who say they were misled by the company’s exaggerated range claims. The lawsuit was filed yesterday, days after a report revealed that Tesla exaggerated its electric vehicles’ range so much that many drivers thought their cars were broken.

Update (2024-01-09): Jess Weatherbed (via Hacker News):

Tesla has lowered the range estimates across several Model Y, S, and X vehicles in the US, reducing the figure on certain trims by up to six percent. As reported by Electrek, Tesla’s online configurator now displays an estimated range of 285 miles for the Model Y’s Performance trim, down 18 miles from its previous 303-mile estimate.


Tesla has not offered an explanation for the lowered range estimations. Drive Tesla reports that the changes are related to two things after reviewing internal company documents. First, are “comfort and functionality improvements” made by Tesla that require more energy, and second is the implementation of revised EPA testing requirements that result in a “higher consumption and a slight decrease in overall range.”

Web Environment Integrity

Ron Amadeo:

Google’s newest proposed web standard is… DRM? Over the weekend the Internet got wind of this proposal for a “Web Environment Integrity API. “ The explainer is authored by four Googlers, including at least one person on Chrome’s “Privacy Sandbox” team, which is responding to the death of tracking cookies by building a user-tracking ad platform right into the browser.


The goal of the project is to learn more about the person on the other side of the web browser, ensuring they aren’t a robot and that the browser hasn’t been modified or tampered with in any unapproved ways. The intro says this data would be useful to advertisers to better count ad impressions, stop social network bots, enforce intellectual property rights, stop cheating in web games, and help financial transactions be more secure.


Google’s plan is that, during a webpage transaction, the web server could require you to pass an “environment attestation” test before you get any data. At this point your browser would contact a “third-party” attestation server, and you would need to pass some kind of test. If you passed, you would get a signed “IntegrityToken” that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.

Web-Environment-Integrity (via Hacker News, Chromium, Hacker News):

This repository details the proposal to add a new API for determining the integrity of web environments[…]


The explainer goes gives a high level overview of the proposal.

The spec currently describes how this is being prototyped in Chromium.

Chrome Proposal (via Hacker News):

Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it. This is frequently established through the collection and interpretation of highly re-identifiable information.

The web environment integrity API provides a token that attests key facts about the environment their client code is running in while keeping the response low-entropy.

Interpeer (via Hacker News):

Ostensibly, this is to ensure for the user that the environment has not been tampered with in any way. The described use cases, however, make fairly clear that it is for the business that this feature exists.

In particular, the proposal suggests that “Google Play” could provide such attestations, and also provides an example case which intends to ensure that ads are served only to legitimate users, not to automated processes.


What Google is really after is ad blockers.

The downside of this approach is that it opens up a door for arbitrary abuse. Websites can refuse service unless you install their proprietary data collection agent.

Nick Heer:

Between this and features like PassKeys, you can imagine browsing a web where you are less frequently challenged to prove your identity and, when that happens, it is less interruptive.

Unfortunately, the likely reality is more worrisome.


It goes without saying — so I will anyway — that publishers and advertisers want to ensure humans look at ads. Google does as well. As the world’s largest online ad company — perhaps criminally so — Google has to toe a fine line between doing right by its advertising customers and doing right by the users of its web browser, which just so happens to be the world’s most popular. […] But what that could look like in practice is for unauthenticated users to be aggressively challenged by login prompts and CAPTCHAs.

Alex Ivanovs (via Hacker News):

Google’s proposal pivots on a key premise: enhancing trust in the client environment. It introduces a new API that allows websites to request a token, providing evidence about the client code’s environment. Google’s engineers elaborate, “Websites funded by ads require proof that their users are human and not bots…Social websites need to differentiate between real user engagement and fake engagement…Users playing online games want assurance that other players are adhering to the game’s rules.”

However, the critics argue that the quest for trust may come at the expense of privacy. While Google ensures that the tokens will not include unique identifiers, critics fear that this system, if misused, could lead to unwarranted surveillance and control.


A significant concern stemming from the tech community is the potential for monopolistic control. By controlling the “attesters” that verify client environments, Google, or any other big tech company, could potentially manipulate the trust scores, thereby deciding which websites are deemed trustworthy. This opens up a can of worms regarding the democratic nature of the web.


However, how this plays out with browsers that allow extensions or are modified remains a grey area.

Tim Perry (via Hacker News):

Of course, Google isn’t the first to think of this, but in fact they’re not even the first to ship it. Apple already developed & deployed an extremely similar system last year, now integrated into MacOS 13, iOS 16 & Safari, called “Private Access Tokens”:

Private Access Tokens are powerful tools that prove when HTTP requests are coming from legitimate devices without disclosing someone’s identity.

The focus here is primarily on removing captchas, and as such it’s been integrated into Cloudflare (discussed here) and Fastly (here) as a mechanism for recognizing ‘real’ clients without needing other captcha mechanisms.

Fundamentally though, it’s exactly the same concept: a way that web servers can demand your device prove it is a sufficiently ‘legitimate’ device before browsing the web.


Free usage of different clients & servers on the web is what has built the open web, and is a large part of why it’s so successful. Attestation breaks this by design.

Neel Chauhan (via Dare Obasanjo):

Supposedly, this is to make sure a browser environemnt can be “trusted”, but it seems Google wants this so they can kill ad blockers.

This looks a lot like Microsoft’s ill-fated “Palladium” they wanted to ship with Vista. Palladium was an attempt to improve Windows security by adding attestation and integrity, but could also be abused to enforce DRM everywhere on your PC, block competing but “untrusted” applications such as Firefox. The only saving grace was Vista’s very painful and long development period where Palladium was eventually killed so Vista could actually ship.


Even on the web today, there are bad actors like Chase Bank who claims to “require” only Windows or Mac (like it’s still 2003) and uses this as justification to block BSD and Linux-on-ARM without user agent switchers. The only reason why this isn’t in the media is because Chase allows Linux-on-x86 and Chrome OS, due to both having >2-3% market share each. In fact, I can log into on my Fedora laptop fine without modifications.

gacelperfinian (via Hacker News):

I have personal concerns since that while [Web Environment Integrity API proposal] in theory is vendor-neutral, in practice there is only three vendors which are widely-recognized: Google Widevine (which is used by Firefox in most platforms plus in Chrome and Android), Microsoft PlayReady (used by Microsoft Edge and Windows plus in some Android devices alongside Widevine), and Apple FairPlay (used in Safari and everything Apple).

It is reasonable that the current situation in EME would translate into this specification. This may hinder users of other browsers since while in theory websites would just try to verify the identity by other means in practice this would lead to websites requiring pre-approved browsers.


Conniving third parties can thus use this scheme to ensure that they are interacting with a device running the attacker’s software, and thus that the device is restricting the user behavior as the attacker specifies. For instance, it can ensure that the device is running the accomplice’s code unmodified, preventing the user from being able to run software of their choice, and it can ensure that the user is using device as desired by the attacker and their accomplices.

This attack is already running against Android smartphone users (orchestrated by Google, in the form of SafetyNet and the Play Integrity API) and iOS smartphone users (orchestrated by Apple) and this extends the attack to the web.


Can I just say I appreciate the framing of this as an attack? Somehow I hadn’t yet mentally filed Google and friends under “Man in the middle” but that’s pretty much exactly what’s going on.

This Web Integrity API is just a means to cement themselves as obligatory man in the middle, as opposed to an optional one.

Brian Grinstead:

Mozilla opposes this proposal because it contradicts our principles and vision for the Web.


Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users.

Additionally, the use cases listed depend on the ability to “detect non-human traffic” which as described would likely obstruct many existing uses of the Web such as assistive technologies, automatic testing, and archiving & search engine spiders. These depend on tools being able to receive content intended for humans, and then transform, test, index, and summarize that content for humans. The safeguards in the proposal (e.g., “holdback”, or randomly failing to produce an attestation) are unlikely to be effective, and are inadequate to address these concerns.

Julien Picalausa (Hacker News):

Why Vivaldi browser thinks Google’s new proposal, the Web-Environment-Integrity spec, is a major threat to the open web and should be pushed back.

Francisco Tolmasky:

If someone drafted a proposal to the W3C that only a pre-approved set of existing browsers should be allowed to render web pages, the correct response would not be to “take the stance that you oppose that proposal,” it would be to seriously question whether the party should even participate in the group. Make no mistake, that is what is happening now.


Update (2023-07-31): Karl Fogel (via Hacker News):

In the normal world, you show up at the store with a five dollar bill, pick up a newspaper, and the store sells you the newspaper (and maybe some change) in exchange for the bill. In Google’s proposed world, five dollar bills aren’t fungible anymore: the store can ask you about the provenance of that bill, and if they don’t like the answer, they don’t sell you the newspaper. No, they’re not worried about the bill being fake or counterfeit or anything like that. It’s a real five dollar bill, they agree, but you can’t prove that you got it from the right bank. Please feel free to come back with the right sort of five dollar bill.

This is not the Open Web that made what’s best about the Internet accessible to the whole world. On that Web, if you send a valid request with the right data, you get a valid response. How you produced the request is your business and your business alone. That’s what software freedom is all about: you decide how your machinery works, just as other people decide how their machinery works. If your machine and their machine want to talk to each other, they just need an agreed-on language (in the case of the Web, that’s HTTP) in which to do so.

Google’s plan, though, steps behind this standard language to demand something no free and open source software can ever deliver: a magical guarantee that the user has not privately configured their own computer in any way that Google disapproves of.

Update (2023-08-09): Peter Snyder:

Brave strongly opposes Google’s “Web Environment Integrity” (WEI) proposal. As with many of Google’s recent changes and proposals regarding the Web, “Web Environment Integrity” would move power away from users, and toward large websites, including the websites Google itself runs. Though Brave uses Chromium, Brave browsers do not (and will not) include WEI. Further, some browsers have introduced other features similar to, though more limited than, WEI (e.g., certain parts of WebAuthn and Privacy Keys); Brave is considering how to best restrict these features without breaking benign uses.

Update (2023-08-15): Philippe Le Hégaret (via Hacker News):

For a few weeks now we have been hearing concern in the Web community in regard to Web Environment Integrity, and are asked more and more about it. Our silence is due to the fact that the Web Environment Integrity API is not being worked on in W3C, nor has there been any submission to W3C for W3C Technical Architecture Group (TAG) review.

UK Antitrust Lawsuit Over App Store Fees

Tim Hardwick (via Dare Obasanjo):

Apple has become the target of a £785 million ($1 billion) class action lawsuit on behalf of over 1,500 developers in the UK over its App Store fees, reports TechCrunch.

The suit accuses Apple of abusing a dominant position by charging a 15% to 30% fee on in-app sales in the App Store[…]


The lawsuit is being brought by Sean Ennis, a professor at the Centre for Competition Policy at the University of East Anglia, on behalf of app developers.


For Apple’s part, it says the App Store is not the only way for developers to reach users, since they can also do so over Safari and other web browsers, where Apple rules do not apply.


Apple has also been keen to point out that over the past 15 years it has not raised commission rates or added fees[…]

As I have previously written, that is not the case because they expanded the scope of what the existing fees applied to.


Wednesday, July 26, 2023

Microsoft Office’s New Default Font: Aptos

Tom Warren (Hacker News):

Microsoft is replacing its Calibri default font with Aptos, a new sans-serif typeface that’s inspired by mid-20th-century Swiss typography. Previously known as Bierstadt, Aptos has been part of Microsoft’s hunt for its new default font over the past couple of years. The software giant commissioned five new custom fonts for Office in 2021, and the Aptos font was picked as the default after years of feedback.

Si Daniels:

As we shared before, Microsoft commissioned five new fonts: Bierstadt, Grandview, Seaford, Skeena, and Tenorite. It was our hope that one of them would be our next default font for Microsoft 365. All of them were added to the drop-down font picker. From there, as you got a chance to use them, we listened to your impassioned feedback and chose the one that resonated most which was Bierstadt. But as there was a change of guard so too the name. Bierstadt is now known as Aptos.


The typeface was created by Steve Matteson, one of the world’s leading type designers. His previous work includes the development of the original Windows TrueType core fonts and the creation of Segoe. Steve renamed the typeface he designed from Bierstadt to Aptos after his favorite unincorporated town in Santa Cruz, California, whose widely ranging landscape and climate epitomizes the font’s versatility. The fog, beaches, redwood trees, and mountains of Aptos summed up everything that he loved about California. Getting away from digital and evoking the outdoors was akin to getting back to pencil and paper. Drawing letters by hand would play a pivotal role in Steve’s creative process.

Nick Heer:

Still not getting it. But thanks to a handful of tech companies, I am learning way more about Californian geography than I thought I ever needed to.


It is ridiculous that the closest we see to Aptos in-use is on a series of posters and things which look like signage. In the real world, we will most often see it a few hundred words at a time at body text size with the default Microsoft Word margins.

John Gruber (Mastodon):

So I took matters into my own hands, and created rudimentary specimens for each of Microsoft’s five new typefaces (and Calibri to boot). A–Z in upper- and lowercase, 0–9, and the most common punctuation marks.


I don’t know why Microsoft states as fact that Calibri somehow needed to be replaced as their default font just because it’s 15 years old. A good default font should stand the test of time for decades, if not a literal lifetime. But if Microsoft feels the need to chase fleeting fashion rather than timeless style, Aptos is the trendiest of the bunch: grotesque sans serifs are having a moment. Aptos is by no means a rip-off of Apple’s San Francisco, but it is, by far, the most San-Francisco-esque of any of these typefaces. Noteworthy characters: J (stunted and ugly), Q (small tail), R (inspired by Univers?), g (double-story, reminiscent of Franklin Gothic’s), and the numeral 1 (curved hat, a la, of all fonts, Arial). But the most distinctive character is the lowercase L, which has a curve to differentiate it from the uppercase i and numeral 1.


Seaford strikes me as the only other font in the bunch that might conceivably have been chosen as the new default. If Microsoft had better (any?) taste, they would have chosen Seaford.

Nicolas Magand:

As a font, Calibri is fine. But as a font for documents like letters, reports, CVs, spreadsheets, PowerPoint presentations? It looks a bit dull and amateurish, completely out of place in the type of documents one tends to produce with Microsoft Office. With this decision to use Calibri in 2007, Microsoft really made sure that users who did not care would instantly be recognised as such, while they could more easily go unnoticed with the previous default font (Arial) for instance. One of these careless users even went to jail because of this mistake.

To me, this situation was a bit grotesque, a bit like if a wedding certificate was set in Impact, or if a movie poster was set in Papyrus. I see Aptos as a huge improvement over Calibri: bland but elegant, modern, generic, and variable; this looks like a real Swiss knife of a font, which is not surprising considering the strong mid-20th-century Swiss typography — read Helvetica — heritage.


Using AirPods as a Hearing Aid

Garry Knight (via John Gruber):

I got a pair of AirPod Pro earbuds and set them up for my personal hearing needs. Later that day I went for a walk in my local woods and literally gasped out loud at hearing the birds I’d been missing for some years!

The way you set them up is buried deep in the Settings, so it’s not surprising that not many people know about it. Here’s where you need to go.


You run through a couple of hearing tests, one for voice volume levels and one for best music settings. After the tests you should see a volume slider. It’s important to move that to wherever you need it. Hearing sounds at all frequencies is great, but I found that I wanted a slight volume boost to enhance conversations. Some people might want to turn it down if it’s enhancing the sound too much.


Tuesday, July 25, 2023

Finbar 1.7.3

Roey Biran (Reddit):

Finbar reimagines the Mac’s built–in menu bar search with great features such as fuzzy filtering and tracking of recently selected menu items — without sacrificing an ounce of speed. With Finbar, you’ll unlock the menu bar’s true potential as a native, ubiquitous command palette.


Traverse the most complex of menu bar hierarchies with just a few keystrokes: Finbar turns every menu bar into a browsable outline, just like the Finder does for your file system. And selecting menu items containing other items will scope the search just to the nested items.


Finbar will automatically pick up any shell scripts or AppleScript files placed inside a special folder and integrate them with the rest of the menu bar.


Update (2023-07-26): Kᑐᑌᑐᕮ:

Alternative with Alfred.


Adam Engst:

Then we found Melio, which promises ACH payments for free and has no transaction limits (banks may have their own). Melio makes its money by charging for rush payments, credit card payments, paper checks, and what are essentially payment loans. While those upsell opportunities are always visible in the interface, there’s no problem with using it purely with ACH for free. Note that Melio doesn’t do wire transfers.


Everyone I pay regularly said entering the necessary routing and account numbers to receive payments was easy, although they were all in the US. When I looked into paying Kirk McElhearn, who lives in the UK, I found that Melio supports international payments, but that requires getting the recipient’s SWIFT or IBAN number and costs $20 per transaction.


Melio also lets you upload a PDF invoice or image, then parses it to create a bill, which is quite slick, or you can sync with QuickBooks. A quick search revealed that there’s also a Melio Payments integration with Xero, but reviews suggest it has synchronization problems.


PayPal is very expensive way to send money across currencies or borders. If you need to do this in the future, I recommend Wise (that’s my referral link which gets you your first transfer for free). Their rates+fees are generally the best you’ll find, and the interface is excellent. I’ve been using them for many years (they were formally called TransferWise). And don’t be fooled by ‘no fees’ from PayPal and similar – it’s all in the ridiculous exchange rate they use!


Monday, July 24, 2023

macOS 13.5

Juli Clover (release notes, security, enterprise, developer, full installer, IPSW):

According to Apple’s release notes, macOS Ventura 13.5 introduces important bug fixes and security updates. Apple recommends that all users install the software.

There are no notable feature changes or standout bug fixes in macOS Ventura 13.5, and work on the operating system is wrapping up.

After several updates that worked automatically, I’m back to having to apply the update manually using sudo softwareupdate -irR because it kept failing from System Settings.

See also: Mr. Macintosh and Howard Oakley.


Update (2023-07-28): Howard Oakley (tweet):

Thanks to Maurizio for pointing out a serious bug in 13.5: in System Settings > Privacy & Security > Location Services, all third-party apps have been omitted from the list of services you can control.

Update (2023-07-31): Howard Oakley:

Ever since its introduction in the first betas of Ventura, System Settings has been dogged by inattention to detail. Its most significant omission from the first release of 13.0 was support for network locations, which was belatedly added back in 13.1, camouflaged in a popup menu under an ellipsis so obscure that most don’t even notice its existence, and assume it’s still missing.

Loss of control over Location Services in apps is the more serious because there’s no command tool to act as substitute.


If experience is anything to go by, Apple now seems to delegate most pre-release testing and checks on macOS to third-party beta-testers, and depends on their reporting of issues using Feedback. When we fly, we expect the pilots and engineers to perform thorough checks on the aircraft and its essential functions before declaring that flight ready for takeoff. If they instead walked through the main cabin asking some of their passengers whether they thought everything seemed OK, would you fly with that airline?

Since updating to macOS 13.5, I get at least one crash of transparencyd per day.

Update (2023-08-11): Juli Clover:

Since July, there have been complaints from macOS Ventura users who updated to the new software and then were unable to access and control location permissions for first and third-party apps.

Update (2023-08-23): Howard Oakley:

This was just the wrong time for the bug introduced in macOS Ventura 13.5 that effectively paralysed access to Location Services until it was fixed in last week’s update to 13.5.1. Although not a crashing bug, memory leak or kernel panic, its effect was disastrous. For over three weeks, every Mac that was kept up to date with Ventura lost all user control over access given by macOS to location and related data.

Those who installed some software like Little Snitch were unable to authorise its access to Location Services, while other apps, notably those already installed, were automatically given access without the user having any say in the matter. For a corporation that places privacy and its protection at the heart of its products, this was surely catastrophic: in the latest release of its current computer operating system, the user had absolutely no control over which apps were given access to their location data.


No, the root cause was an intentional design choice that makes all privacy protection vulnerable to a single point of failure. […] Yet the only tool that works with those privacy settings controlled by TCC, tccutil, is deliberately stunted so that all it can do is reset them, and there isn’t any tool to work with Location Services.


macOS 12.6.8 and macOS 11.7.9

Apple (full installer):

This document describes the security content of macOS Monterey 12.6.8.

Apple (full installer):

This document describes the security content of macOS Big Sur 11.7.9.

See also: Howard Oakley.


iOS 16.6 and iPadOS 16.6

Juli Clover (release notes, security):

According to Apple’s release notes for the update, it includes unspecified bug fixes and security improvements. No new features were found during the beta testing period, and Apple’s notes on the software provide no insight into what’s included.

Apple has since published information about the security issues.


Update (2023-07-27): Pierre Igot:

I just had to update a really old iPhone to iOS 12.5.7 (latest available) and a newer iPhone to 16.6. I started both processes simultaneously, side by side.

I really don’t care what the technological reasons/excuses are. It simply does not seem right that the far newer (and far more powerful) phone is taking FOUR TIMES LONGER (at least) to install the 16.6 update than the older phone took to install the 12.5.7 update.

Update (2023-07-31): Joe Rossignol:

Apple has acknowledged a bug with its parental controls feature Screen Time on the iPhone and iPad, and promises it will take additional steps to remedy the situation, according to a report this weekend from The Wall Street Journal.


Apple already fixed an issue with Screen Time settings failing to stick with iOS 16.5, released in May, but the report claims that some parents have continued to experience the issue on devices updated to iOS 16.6 and the iOS 17 public beta.


Why You Can No Longer Roll Back a macOS Update

Howard Oakley:

As some of us learned in the last week, it’s easy to uninstall a troublesome Rapid Security Response (RSR). Several naturally asked why that isn’t possible with a macOS update, pointing out that it was available and worryingly popular between High Sierra and Catalina 10.15.2, since when the ability has been lost.


To be able to roll back to the previous SSV, all the firmlinks between the updated SSV and the Data volume would have to be broken, and remade between the old SSV and the same Data volume. All the evidence is that wouldn’t be easy, could be unreliable, and may not even be feasible. Without that, roll back couldn’t work.

This pretty disappointing, as it negates a major benefit of APFS snapshots. It’s not clear to me that the SSV is more useful than being able to roll back a bad update. And rolling back manually, e.g. using a backup utility to make or restore bootable backups, is harder than before. I don’t really understand why firmlinks are so difficult to work with—is there an intrinsic limitation or was this just not prioritized? If the two pieces can’t be made to fit together, I wonder why Apple designed the SSV this way. There must have been other ways the content could be verified.

Howard Oakley:

Although traditional Unix architectures bring some separation, there are many directories that contain mixtures of files, some that are part of the system, and others that the user installs. The solution Apple’s engineers came up with is the firmlink, an essential part of the structure and function of macOS since Catalina.


Apple has never documented firmlinks in any detail, and doesn’t provide the user with any tools for working with them. They don’t appear to be easy to create, though, and rejoining existing volumes using firmlinks may not be possible. During the early days with Big Sur, it was all too easy to end up with orphaned Data volumes that had lost their firmlinks to the System volume. At that time, it appeared that firmlinks had to be created early in the life of a volume, probably before its file system had been populated with files. Currently, there doesn’t appear to be any method for the user to join together any given pair of System and Data files using their firmlinks.

Howard Oakley:

Without wishing to deepen the conundrum, all these answers are correct: the System volume isn’t itself encrypted, but it can only be mounted when FileVault has been unlocked, because of the firmlinks that splice the Data volume into it.


Update (2023-08-04): I got a volume hash mismatch.

Apple Opposes Updated UK Investigatory Powers Act

Benjamin Mayo (Hacker News, MacRumors):

Facing possible legislation that would require messaging services to offer backdoors in end-to-end encryption, Apple is saying it would rather remove apps like iMessage and FaceTime entirely from the UK market (via BBC News).


The UK government wants the ability to scan end-to-end encrypted messages, for child-abuse material and other illegal content. They argue the existing law accommodates this but is technically outdated by the security provisions of modern technology.

Apple has submitted a nine-page opposition to the planned bill.

Nick Heer:

While Kleinman broke this news, it was Jonny Evans at Apple Must who obtained and posted the full letter:

The threat was presented to the UK within Apple’s response to the government in relation to these proposals. You can read the nine-page criticism here (PDF).

Suzanne Smalley (via Hacker News):

A bill requiring social media companies, encrypted communications providers and other online services to report drug activity on their platforms to the U.S. Drug Enforcement Administration (DEA) advanced to the Senate floor Thursday, alarming privacy advocates who say the legislation turns the companies into de facto drug enforcement agents and exposes many of them to liability for providing end-to-end encryption.

The bipartisan Cooper Davis Act — named for a Kansas teenager who died after unknowingly taking a fentanyl-laced pill he bought on Snapchat — requires social media companies and other web communication providers to give the DEA users’ names and other information when the companies have “actual knowledge” that illicit drugs are being distributed on their platforms.


Vox Media Stops Using Chorus

Sara Fischer and Kerry Flynn (Hacker News):

CMS licensing was once seen as a lucrative opportunity for publishers looking to grow revenue beyond ad dollars. But WordPress’ continued dominance in the space has made it harder to compete.


Vox Media will move its own websites off of Chorus and into WordPress VIP, the enterprise arm of the 20-year-old CMS company.

The migration is part of a broader strategic partnership that will allow Vox Media to extend the reach of Concert and Coral, while focusing on its core revenue streams, like advertising and subscriptions.


“If you’re not a tech company, it’s really hard to do this,” Brown told Axios. “It’s really hard to service it. It’s really hard to maintain it.”

I was not aware of WordPress VIP, but apparently it’s used by Meta, Salesforce, CNN, and News Corp. Plans start at $25,000/year, a bargain compared with maintaining an internal development team after going down from six external clients to zero.

Nick Heer:

Last year, Vox stopped licensing Chorus to third parties, but some sites are still using the platform, including the Ringer and the Chicago Sun-Times. Incredibly, Vox Media also operates two other proprietary CMSes: Clay and Pinnacle. In a press release from September, Vox said it planned to move everything to a new “publishing platform” called Duet, which Axios says will continue to be used on the front-end.


Kevin Mitnick, RIP

Kelly Kasulis Cho (via ednl):

Mr. Mitnick branded himself the “world’s most famous hacker,” as KnowBe4 called him in a Thursday statement. As the World Wide Web was slowly being adopted across the globe, he broke into the computer systems of companies such as Motorola, Nokia and Sun Microsystems, causing what prosecutors alleged was millions of dollars in damage.


In 1999, Mr. Mitnick pleaded guilty to several counts of wire fraud and other cybercrimes. He was sentenced to five years in prison. Upon his release in 2000, taking into account time already served in detention, he was prohibited from using the internet without government authorization, a right he won back only after a lengthy tussle with authorities.


It was not clear if Mr. Mitnick made significant financial gains from cybercrime, though he had the opportunity to do so. “My motivation was a quest for knowledge, the intellectual challenge, the thrill and the escape from reality,” he told a Senate committee hearing several months after he was freed from incarceration.

Alex Traub:

Ultimately, he was caught and spent five years in prison. Yet no evidence emerged that Mr. Mitnick used the files he had stolen for financial gain. He would later defend his activities as a high stakes but, in the end, harmless form of play.


Mr. Mitnick’s most spectacular crimes were his attempts to evade capture by the authorities. In 1993, he gained control of phone systems in California that enabled him to wiretap the F.B.I. agents pursuing him and confuse their efforts to track him. At one point they raided what they thought was Mr. Mitnick’s home, only to find there a Middle Eastern immigrant watching TV.


Mr. Mitnick ran into trouble on Christmas Day 1994, when he stole emails from a fellow hacker named Tsutomu Shimomura and taunted him. When he learned of the attack, Mr. Shimomura suspended a cross-country ski trip he was on and volunteered to help track down Mr. Mitnick.

Obituary (Hacker News):

Kevin emerged from his final prison term, which he deemed a ‘vacation,’ in January 2000. He was a changed individual, and began constructing a new career, as a White Hat hacker and security consultant.


The bus driver who saw young Kevin memorize the bus schedules, punch cards and punch tool systems so he could ride the buses all day for free testified as a character witness for Kevin during his federal trial. The federal prosecutor offered his testimony that Kevin never tried to take one dime from any of his “victims.” The probation officer assigned to monitor Kevin after prison gave Kevin permission to write his first book on a laptop when he was not yet supposed to have access to computers. Shawn Nunley, the star witness in the FBI’s case against Kevin, became so disillusioned with the government’s treatment of Kevin that he contacted Kevin’s defense team, helped garner Kevin’s release, and became one of Kevin’s dearest friends.

Jason Koebler:

We made this video with him a few years back, about how he convinced Motorola to send him their source code[…] and here’s how he hacked a McDonald’s drivethru when he was 16[…]

John Gruber:

Mitnick was technically gifted, but his greatest hacking skill was social engineering.

Nick Heer:

Mitnick’s exploits are legendary, and his first book [The Art of Deception] remains an essential read for anyone curious about security, hacking, manipulation, or human behaviour.

Friday, July 21, 2023

A Fast Timestamp Parser in Swift

Juri Pakaste (Mastodon):

It’s well known that DateFormatter, the main timestamp formatter and parser Apple ships in Foundation, is not particularly fast. It’s flexible and it’s correct, but it takes its time. The newer ISO8601DateFormatter has similar performance.


Swift’s C bridging is first-class; struct tm and timegm(3) are right there. After changing the code to use those, the whole String to Date conversion runs completely without heap allocations and it’s around 6–7 times faster than when doing the detour via DateComponents.

The final result, according to Benchmark, is maybe around 15x the speed of the Foundation parsers. I’m pretty happy with it. It’s available as a Swift package, there’s documentation, and if you need something different or don’t feel like using a package, all the parsing code is in just one file you can copy over to your project.

You can set set it as a JSONDecoder.DateDecodingStrategy.


Better Medication Tracking

Dr. Drang:

Slight differences in color, which could be very helpful in distinguishing pills that are otherwise similar in size and shape, just aren’t available in the app. I don’t get why Apple doesn’t let you just take a photo of a pill and use that as the ID.

Another deficiency is that size isn’t included as part of the visual ID. While I understand Apple’s reluctance to ask its users to measure their pills (something I’d do readily, but I’m weird that way), there’s no question that people use their pills’ sizes to help distinguish them.


There are several advantages to using the organizer, but the main one for me is that it’s self-documenting. Because I leave the lid open, the organizer itself provides a record of whether I’ve taken today’s pills or not. This is true automation, something I doubt the Health app will ever equal.


Update (2023-07-25): A. Lee Bennett Jr.:

I just wish Apple Health had a means of tracking remaining pill quantity the way Mango Health did, which I still use, but it’s been abandoned and is showing early signs of breaking.


I noticed another bug:

  1. Use 2 Apple Watches: 1 during the day, 1 for sleeping.
  2. Turn the Watch you’re NOT wearing off
  3. So, when you switch watches, and turn one off and the other one ON, after a while you get (duplicate) notifications with all that days Medication reminders (which you had already taken) AGAIN a second time 🤦🏼‍♂️

Advice for Operating a Public-Facing API

Joshua Stein:

Serve your API at, never at As your API’s usage grows, it will expand beyond your website/dashboard server and need to move to a separate server or many separate servers. […] Your API may also have more relaxed security restrictions in terms of TLS versions and ciphers accepted that you don’t want to relax on your dashboard website that handles sensitive information.


Rather than bending over backwards trying to support poorly written code, don’t let their bad code function properly in the first place so it doesn’t get deployed.


With OAuth your API can’t be used from a simple curl request but has to be a custom multi-step process pulling in a whole OAuth library. Use static API tokens if you can, but make it easy to rotate them.


[Generate] a unique ID or UUID with every request, return it to the user in the message body somewhere, log it, and ask for it on your support form.


[Use] a short prefix for each type of random ID you create.

ABC C Compiler

Tom Murphy (PDF, via Nicolas Seriot):

Since only 37% of bytes are printable, if you inspect (i.e., “cat”) an executable program, it will almost always contain unprintable characters, and may beep at you, etc. However, since the printable bytes do stand for some subset of X86 opcodes, it is technically possible to make X86 sequences that are printable. One famous example is the EICAR Test File[…]


Most damningly, like many viruses it uses “self-modifying code” to first rewrite itself into different opcodes. This means that the processor ends up executing several non-printable opcodes. This is like telling the waiter that you don’t eat poultry but eggs are okay, and then they bring you an egg, but that egg hatches into a chicken right after they bring it to you. Come on.


In this paper I present a compiler for the C89 programming language called ABC. It produces completely printable executables from C code. While self-modifying code is a powerful technique, it makes this problem “too easy;” I want to explore what programs can be written natively in the printable subset of X86. Programs compiled with ABC do not modify themselves, or cause themselves to be modified; every instruction program executes (outside of the operating system) contains only the bytes 0x20-0x7E. Moreover, every byte in the file is printable, so programs can viewed as text.

Source code for this project is available at:

Tom Murphy:

But I also created the following video that explains the ideas involved, for interested non-experts or patient experts.

Thursday, July 20, 2023

Fixing Launch Services Problems

Howard Oakley:

When a document is set to be opened by an app other than the default for its UTI, a extended attribute is added, containing a property list specifying[…]


When an app is first run from the Finder and GUI, information about it is extracted from its Info.plist file and added to LaunchServices’ database. This includes custom document types specified by the app and its abilities to open and edit different types of document. These are then used to match document UTIs against the apps that can open them. Unless you’ve set any different, LaunchServices should normally open the most recent version of the specified app in your Applications folder[…]


There are two command tools that can be valuable for tackling harder problems: lsappinfo for getting information from LaunchServices’ database, and lsregister for changing it.


Edward Fredkin, RIP

Alex Williams:

An autodidact who left college after a year, he nonetheless became a full professor of computer science at M.I.T. at 34. He later taught at Carnegie Mellon University in Pittsburgh and at Boston University.

Not content to confine his energies to the ivory tower, Professor Fredkin in 1962 founded a company that built programmable film readers, allowing computers to analyze data captured by cameras, such as Air Force radar information.


A developer of an early processing system for chess, Professor Fredkin in 1980 created the Fredkin Prize, a $100,000 award that he offered to whoever could develop the first computer program to win the world chess championship.


With a pair of innovations […] he demonstrated that computation is not inherently irreversible. Those advances suggest that computation need not consume energy by overwriting the intermediate results of a computation, and that it is theoretically possible to build a computer that does not consume energy or produce heat.

Rachel Gordon and Alex Shipps:

One of the early computer programmers, Fredkin served as director of Project MAC from 1971 to 1974, spearheading efforts to develop and improve computer time-sharing systems.


Fredkin wrote a PDP-1 assembler language called FRAP (Free of Rules Assembly Program, also sometimes called Fredkin’s Assembly Program), and its first operating system (OS). He organized and founded the Digital Equipment Computer Users’ Society (DECUS) in 1961, and participated in its early projects. Working directly with Ben Gurley, the designer of the PDP-1, Fredkin designed significant modifications to the hardware to support time-sharing via the BBN Time-Sharing System. He invented and designed the first modern interrupt system, which Digital called the “Sequence Break”.


Fredkin was broadly interested in computation, including hardware and software. He was the inventor of the trie data structure, radio transponders for vehicle identification, the concept of computer navigation for automobiles, the Fredkin gate, and the Billiard-Ball Computer Model for reversible computing.


The Auto Layout Comprehendium

Mischa Hildebrand (2017, via Tanner Bennett):

Auto Layout is essential for creating modern, responsive user interfaces on iOS and macOS. Its core idea is easy to grasp – yet, it feels like a jungle full of hidden secrets to many. Once you dive a little deeper into the topic, you will discover that there is much more below the simple surface. The Auto Layout Comprehendium™️ is intended as a compendium for you to look up certain topics and to fully understand the internal mechanics behind the technology. While following an intuitive approach, it will help you master Auto Layout at a deeper level and empower you to build adaptable layouts without conflicts or ambiguities.


If there was only a single constraint for the intrinsic content size that couldn’t be satisfied that constraint would simply be ignored and the view would have an undefined size.

That’s why in reality the intrinsic content size (for one dimension) is represented by two inequality constraints[…]


UUID Formats 6–8

IETF (via Hacker News):

The fact that UUIDs can be used to create unique, reasonably short values in distributed systems without requiring synchronization makes them a good alternative, but UUID versions 1-5 lack certain other desirable characteristics:

  1. Non-time-ordered UUID versions such as UUIDv4 have poor database index locality. Meaning new values created in succession are not close to each other in the index and thus require inserts to be performed at random locations. The negative performance effects of which on common structures used for this (B-tree and its variants) can be dramatic.
  2. The 100-nanosecond, Gregorian epoch used in UUIDv1 timestamps is uncommon and difficult to represent accurately using a standard number format such as [IEEE754].
  3. Introspection/parsing is required to order by time sequence; as opposed to being able to perform a simple byte-by-byte comparison.


An inspection of these implementations and the issues described above has led to this document which attempts to adapt UUIDs to address these issues.


This is the working area for the IETF UUIDREV Working Group Internet-Draft, “A Universally Unique IDentifier (UUID) URN Namespace”.


Update (2023-10-30): Buildkite (via Hacker News):

The upcoming UUIDv7 standard offers the best of both worlds; its time-ordered UUID primary keys can be utilized for indexing and external use. This blog post will take you on the journey Buildkite took that led to our eventual adoption of UUIDv7 as the primary key of choice. We’ll explore the tradeoffs of database indexes; from sequential integers, randomly generated UUIDs, through to time-based identifiers.

Wednesday, July 19, 2023

Meta’s Microservice Architecture

Darby Huye et al. (PDF, via Hacker News):

We present a top-down analysis of Meta’s microservice architecture, starting from its service-level topology and descending into individual request workflows. (Request workflows describe the order and timing of services visited by requests when executing.) Our focus is on underreported characteristics of microservice architectures important for developing microservice tools and artificially modeling microservice topologies. Specifically, we describe growth and churn of the microservice topology (to inform tools that learn models of the topology), whether elements of the topology fit power-law distributions common to large graphs (to inform potential artificial topology generators), and the predictability of individual request workflows (to inform the vast number of tools that work by aggregating trace data).


A basic assumption of Meta’s architecture (which may or may not be true for other organizations’ architectures) is that business use case is a sufficient partitioning by which to define services, scale functionality, and observe behaviors.


Scale is measured in millions of instances: On 2022/12/21, the microservice topology contained 18,500 active services and over 12 million service instances.


We investigated the services that have the highest fan-in and fan-out degrees. The former is a vault server storing credentials for use by other services. The latter is a service for querying hosts for arbitrary statistics.


Services can be written in many programming languages. There are currently 16 different programming languages in use at Meta, with the most popular being Hack (a version of PHP), measured by lines of code. Other popular languages include: C++, Python, and Java, with the rest forming a long tail.


Removing the Python GIL

Jonathan Corbet (2021, Serdar Yegulalp, Hacker News):

Concerns over the performance of programs written in Python are often overstated — for some use cases, at least. But there is no getting around the problem imposed by the infamous global interpreter lock (GIL), which severely limits the concurrency of multi-threaded Python code. Various efforts to remove the GIL have been made over the years, but none have come anywhere near the point where they would be considered for inclusion into the CPython interpreter. Now, though, Sam Gross has entered the arena with a proof-of-concept implementation that may solve the problem for real.

Łukasz Langa (2021, Hacker News:

Sam’s work demonstrates it’s viable to remove the GIL in such a way that the resulting Python interpreter is performant and scales with added CPU cores. For performance to be net positive, other seemingly unrelated interpreter work is required.

See also: Faster CPython (Hacker News).

Backblaze (2022):

Our team had some fun experimenting with Python 3.9-nogil, the results of which will be reported in an upcoming blog post. In the meantime, we saw an opportunity to dive deeper into the history of the global interpreter lock (GIL), including why it makes Python so easy to integrate with and the tradeoff between ease and performance.

PEP 703:

This PEP proposes adding a build configuration (--disable-gil) to CPython to let it run Python code without the global interpreter lock and with the necessary changes needed to make the interpreter thread-safe.


The GIL is a CPython implementation detail that limits multithreaded parallelism, so it might seem unintuitive to think of it as a usability issue. However, library authors frequently care a great deal about performance and will design APIs that support working around the GIL. These workaround frequently lead to APIs that are more difficult to use. Consequently, users of these APIs may experience the GIL as a usability issue and not just a performance issue.


Removing the GIL requires changes to CPython’s reference counting implementation to make it thread-safe. Furthermore, it needs to have low execution overhead and allow for efficient scaling with multiple threads. This PEP proposes a combination of three techniques to address these constraints. The first is a switch from plain non-atomic reference counting to biased reference counting, which is a thread-safe reference counting technique with lower execution overhead than plain atomic reference counting. The other two techniques are immortalization and a limited form of deferred reference counting; they address some of the multi-threaded scalability issues with reference counting by avoiding some reference count modifications.


Using mimalloc, with some modifications, also addresses two other issues related to removing the GIL. First, traversing the internal mimalloc structures allows the garbage collector to find all Python objects without maintaining a linked list. This is described in more detail in the garbage collection section. Second, mimalloc heaps and allocations based on size class enable collections like dict to generally avoid acquiring locks during read-only operations.


This PEP proposes using per-object locks to provide many of the same protections that the GIL provides. For example, every list, dictionary, and set will have an associated lightweight lock. All operations that modify the object must hold the object’s lock. Most operations that read from the object should acquire the object’s lock as well; the few read operations that can proceed without holding a lock are described below.

There are some backwards compatibility issues with the C API.

Carl Meyer (via Hacker News):

We’ve had a chance to discuss this internally with the right people. Our team believes in the value that nogil will provide, and we are committed to working collaboratively to improve Python for everyone.

If PEP 703 is accepted, Meta can commit to support in the form of three engineer-years (from engineers experienced working in CPython internals) between the acceptance of PEP 703 and the end of 2025, to collaborate with the core dev team on landing the PEP 703 implementation smoothly in CPython and on ongoing improvements to the compatibility and performance of nogil CPython.


Update (2023-07-31): Thomas Wouters (via Hacker News):

It’s clear that the overall sentiment is positive, both for the general idea and for PEP 703 specifically. The Steering Council is also largely positive on both. We intend to accept PEP 703, although we’re still working on the acceptance details.

Update (2023-08-22): Jake Edge (Hacker News):

If the Python community finds that the switch is “just going to be too disruptive for too little gain”, the council wants to be able to change its mind anytime before declaring no-GIL as the default mode for the language. He outlined the steps that the council sees, starting with a short-term (perhaps for Python 3.13, which is due in October 2024) experimental no-GIL build of the interpreter that core developers and others can try out. In the medium term, no-GIL would be a supported option, but not the default; when that happens depends a lot on how quickly the community adopts and supports the no-GIL build. In the long term, no-GIL would be the default build and the GIL would be completely excised (“without unnecessarily breaking backward compatibility”).


It is quite a turning point in the history of the language, but the work is (obviously) not done yet. There is a huge amount of researching, coding, testing, experimenting, documenting, and so on between here and a no-GIL-only version of the language in, say, Python 3.17 in October 2028. One guesses that the work will not be done, then, either—there will be more optimizations to be found and applied if there is still funding available to do so.


Hau Tran (via Hacker News):

Self-hosted photo and video backup solution directly from your mobile phone.

The demo is impressive compared with other such services that I’ve used. And there’s an iOS app that can auto-upload new photos.


Update (2023-08-04): Christian Tietze:

Any #FOSS / #selfhosting enthusiasts for photo sharing in my timeline?

We want to share 700 pictures of our wedding weekend.

I tried Piwigo -- it’s cumbersome, but it allows guests to upload stuff form their mobile phones. (In theory)

I tried PhotoPrism -- it’s sleek and responsive, but I can’t create nested-albums and share the parent one (e.g. wedding day → party vs wedding day → ceremony)

@nextcloud Photos is just so buggy. They fixed one issue of privately shared links, but now visitors with read-only guest access can delete/rotate/… photos 🙄

Found Immich on @mjtsai’s blog yesterday, too. Sounds veeeeery intriguing, but with a focus on backup (sadly), not sharing with family.

Mid-1990s Sega Document Leak

Kevin Purdy (Hacker News):

Most of the changes on the Sega Retro wiki every day are tiny things, like single-line tweaks to game details or image swaps. Early Monday morning, the site got something else: A 47MB, 272-page PDF full of confidential emails, notes, and other documents from inside a company with a rich history, a strong new competitor, and deep questions about what to do next.

The document offers glimpses, windows, and sometimes pure numbers that explain how Sega went from a company that broke Nintendo’s near-monopoly in the early 1990s to giving up on consoles entirely after the Dreamcast. Enthusiasts and historians can see the costs, margins, and sales of every Sega system sold in America by 1997 in detailed business plan spreadsheets. Sega’s Wikipedia page will likely be overhauled with the information contained in inter-departmental emails, like the one where CEO Tom Kalinske assures staff (and perhaps himself) that “we are killing Sony” in Japan in March 1996.

Tuesday, July 18, 2023

Creating Dynamic Colors in SwiftUI

Jesse Squires:

Beginning with the introduction of dark mode in iOS 13, colors in iOS are now (optionally) dynamic. You can provide light and dark variants for all colors in your app. However, I was surprised to find that SwiftUI — which also made its first appearance on the platform in iOS 13 — still does not provide any API for creating dynamic colors.


Of course, you can use Asset Catalogs to define dynamic colors and reference them in SwiftUI, and Xcode 15 makes that easier! But if you need to programmatically initialize dynamic colors in SwiftUI, you are out of luck due to this glaring omission. Instead, you must resort to UIKit and AppKit. So, here’s a helpful extension that accommodates the missing API for all platforms.

Laws of UX

Jon Yablonski (via Hacker News):

Laws of UX is a collection of best practices that designers can consider when building user interfaces.


The time to acquire a target is a function of the distance to and size of the target.


The time it takes to make a decision increases with the number and complexity of choices.


Users spend most of their time on other sites. This means that users prefer your site to work the same way as all the other sites they already know.


Be liberal in what you accept, and conservative in what you send.

The site itself is not particularly usable, with text not selectable and problems with the back button.


ExtensionKit and XPC

Matt Massicotte:

ExtensionKit is a pretty significant new feature of macOS Ventura. But, I wouldn’t be surprised if you didn’t know, as it had a conspicuously quiet introduction. There were no sessions or labs about it during WWDC 2022. I only discovered it because a friend stumbled across the beta documentation and sent it to me.


At a high-level, you can define extension points in your app, either with or without a UI component. All communication between extension and host goes over XPC, and there’s a bit of infrastructure provided by Apple for discovering available extensions and establishing a connection.

One of the most exciting things ExtensionKit can do is remote views. This is a view that is constructed with SwiftUI and managed within the extension, but displayed within the hosting application. As far as I can tell, this arrangement is totally transparent and supports virtually everything that SwiftUI can do, even animation. Perhaps the only real downside is window/view resizing can sometimes have a little lag.

There is now some documentation for ExtensionKit.

Matt Massicotte:

Being a communication system, all XPC calls can fail. They can fail even if the method does not return an error. And, because of how they can fail, XPC methods do not guarantee that their reply callback will be called. This is extremely important, because that behavior violates the Swift concurrency runtime requirements. XPC calls will hang your tasks when they fail. Because of this, it is unsafe to use this technique in your XPC interfaces.


This poor fit between XPC and Swift has bothered many others. There are two libraries that look pretty nice for dealing with all this nonsense: SwiftyXPC and SecureXPC. They both offer async/await support, and use Codable for serializing data. Unfortunately, they also both use their own custom communication primitives. That doesn’t work well for us - ExtensionKit requires NSXPCConnection instances.

Christian Tietze:

I want to give a big shout-out to Matt Massicotte of ChimeHQ for dropping another awesome Swift open source package that makes using XPC Swift-ier. I’m really grateful for all the amazing work Matt has been doing and for sharing it with the community.


So among a ton of other things, here are Matt’s concurrency and XPC related packages (some recently split off of ConcurrencyPlus)[…]


eWorld Promotional Mailer

Stephen Hackett:

An anonymous 512 Pixels reader recently mailed me something amazing — a promotional mailer for eWorld, dating back to 1994. In the package was a set of 3.5-inch eWorld 1.0 installer disks, the “Apple Online Service Subscriber Agreement” and an amazing brochure for eWorld.

eWorld was great.

Monday, July 17, 2023

Chronicling 1.0

John Voorhees:

Chronicling is a brand-new event tracking app for iOS and iPadOS by Rebecca Owen. The App Store is full of apps for tracking everything from the very specific, like caffeine consumption, to apps like Chronicling that can be used to track nearly anything. What makes Owen’s app unique, though, is it’s one of the best examples of modern SwiftUI design that I’ve seen that incorporates the still relatively new Swift Charts and other recent Apple technologies to deliver a great user experience.

Trackers like Chronicling are the perfect fit for the iPhone. Most people have the device with them all the time, which makes it perfect for collecting data frequently, but it’s what you do with that data that matters the most. Maybe you’re trying to learn a new language and want to track how often you practice to hold yourself accountable. Or maybe your knee has been bothering you, and you want to keep track of when it flares up to see if it corresponds to an activity in your life. The point is, whether you’re trying to form a new habit or find patterns in things that happen throughout your day, part of the process is gathering the data. The other half of the equation is breaking the data down in a meaningful way. Chronicling does both well.

This looks really nice. To me, the line between tracking and journaling is kind of blurry. I’ve been using plain text files for both, which gives me a lot of flexibility to add comments, use a variety of tools, and sync via Git. I’m reluctant to get locked into a more specialized tool that’s rigid or may not last. But I don’t get any pretty charts unless I extract the data and make them by hand. I do get charts for some health stuff stuff tracked via the Health app and for hours tracked via ATracker. The latter is around the fourth such app I’ve used. Each week I transfer the summary data to OmniOutliner and eventually to Excel.


Update (2023-07-18): Rereading this, I realize that it may sound like I’m implying that Chronicling locks in your data. That is not the case, as it lets you export to CSV, and this can be automated via Shortcuts. I was more thinking in general terms of changing the way I work to fit a particular tool’s design and limitations.

Macros in Swift 5.9

Platforms State of the Union:

But some APIs can be hard to use, requiring you to write a lot of boilerplate code just to get started. That’s why Swift is unlocking a new kind of API that’s easier to use and easier to get right with the introduction of macros. And these macros are done the Swift way. A macro is an annotation that uses the structure of your code to generate new code that’s built with your project. Macros can either be attached as attributes to your code, or they can be freestanding, spelled with the hash sign. Macros make APIs feel like they’re part of the language, and there are so many ways to start using a new API with just an annotation. Macros come to life in Xcode, where the generated code feels like it’s part of your project.

What’s new in Swift:

In Swift, macros are APIs, just like types or functions, so you access them by importing the module that defines them. Like many other APIs, macros are distributed as packages.


Uses of the macro will be type checked against the parameters. That means, if you were to make a mistake in using the macro, such as forgetting to compare the maximum value against something, you’ll get a useful error message immediately, before the macro is ever expanded. This allows Swift to provide a great development experience when using macros because macros operate on well-typed inputs and produce code that augments your program in predictable ways. Most macros are defined as “external macros,” specifying the module and type for a macro implementation via strings. The external macro types are defined in separate programs that act as compiler plugins. The Swift compiler passes the source code for the use of the macro to the plugin. The plugin produces new source code, which is then integrated back into the Swift program.

Write Swift macros:

Code along as we explore how macros can help you avoid writing repetitive code and find out how to use them in your app. We’ll share the building blocks of a macro, show you how to test it, and take you through how you can emit compilation errors from macros.

Expand on Swift macros:

Learn how macros can analyze code, emit rich compiler errors to guide developers towards correct usage, and generate new code that is automatically incorporated back into your project. We’ll also take you through important concepts like macro roles, compiler plugins, and syntax trees.

Antoine Van Der Lee:

In this example, we’re using a so-called freestanding expression macro. This is just one of the currently seven available different roles[…]


Xcode automatically generates a test target for you, including an example unit test for the stringify implementation.

Daniel Steinberg:

Sadly, Xcode looked at the generated code and told me that although the expanded macro was symbol for symbol what I would have typed in myself, it had no idea what those variables represented.

So I decided that what I really needed was a MemberMacro.

And by decided, I mean that based on no information and guided by no intuition, I figured that I’m trying to add new members to the type so maybe this was it.

It turned out to be the right decision.

Joseph Heck:

One of the most amazing (to me) things about this year - if you want to know HOW that fancy Observable macro works, you can just read through it.

Helge Heß:

When using the new Observation features in Swiftlang, be careful with the naming of your properties. It creates a stored property w/ an underscore in front, so don’t do the same, surprises may happen.

Also didSet doesn’t work, in case you didn’t notice yet[…]. Though the generated code actually moves the didSet to the fresh new property (not sure this is just a bug or actually impossible to do right w/ macros).

Nick Lockwood:

I’d be a lot more into Swift macros if they didn’t have to be defined in an external module (which itself depends on the external SwiftSyntax module).

To anyone used to ecosystems where apps routinely import hundreds of 3rd party packages, this probably sounds insane, but after years as an iOS dev without any sort of standard package manager, I’ve really come to value code having no dependencies outside of what ships with the platform.

Swift macros feel no more more “built-in” than Sourcery.

Ole Begemann:

If you’re writing Swift macros, you have to check out the fantastic Swift AST Explorer by @kishikawakatsumi. It makes it really easy to make sense of the syntax tree your macro operates on.

Tanner Bennett:

I’ve been experimenting with Swift macros all day trying to make “key path” decoding work. I.E., being able to supply a string like “config.meta.flag” to a macro and somehow using it to pull a value out of one or more nested dictionaries and insert it into a top-level property, without declaring nested Codable types for the nested dics.

It is not possible.

[Update (2023-07-26): See below.]

Soumya Ranjan Mahunt:

I’m excited to introduce my latest project, MetaCodable, a powerful macro library that will help you with all your Codable needs. Using MetaCodable, you can get rid of repetitive boilerplate code that you often have to write.

Dave Verwer:

The package index is already filling up with packages that contain macros, and it makes me glad we added 5.9 support so quickly. Some of the packages I’m linking to below will become essential parts of the Swift package ecosystem, and some will remain experiments. It’s impossible to know which yet!

There’s everything from full-featured packages like SwiftRequest and papyrus that let you define a type-safe HTTP client with function annotations to smaller utility packages like AssociatedObject, which allows variable storage in extensions. There are many, many more though. Here’s a list of others I saw this week:


Update (2023-07-26): Amy Worrall:

My first foray into Swift macros.

It removes the need to write a whole bunch of boilerplate when making new Lexical nodes.

Rob Napier:

All of these are possible in a certain sense (with a custom JSON type and/or a custom AnyCodingKey type)[…]


If you start here, it’s pretty close to where I talk about stuff that I think lines up with what you’re doing.

Update (2023-07-31): See also: Daniel Steinberg’s videos.

Update (2023-08-15): Krzysztof Zabłocki:

If use Swift Macros you have to be careful how you structure your code, unlike Sourcery the Macro’s don’t concatenate whole project AST and they won’t see anything you added in Extensions to your original type…

In the example below x variable won’t be visible as a member in your macro code, this can lead to some hard to find bugs…

Apple Legal vs. Fruit Union Suisse

Gabriela Galindo (via Hacker News):

The Fruit Union Suisse is 111 years old. For most of its history, it has had as its symbol a red apple with a white cross—the Swiss national flag superimposed on one of its most common fruits. But the group, the oldest and largest fruit farmer’s organization in Switzerland, worries it might have to change its logo, because Apple, the tech giant, is trying to gain intellectual property rights over depictions of apples, the fruit.

“We have a hard time understanding this, because it’s not like they’re trying to protect their bitten apple,” Fruit Union Suisse director Jimmy Mariéthoz says, referring to the company’s iconic logo. “Their objective here is really to own the rights to an actual apple, which, for us, is something that is really almost universal … that should be free for everyone to use.”


Over the past few years, Apple has pursued a meal-prepping app with a pear logo, a singer-songwriter named Frankie Pineapple, a German cycling route, a pair of stationery makers, and a school district, among others.



Absurdly Long YouTube Videos That Play Nothing on Purpose

David Pierce:

In this case, it turns out, the outrageous length is the whole appeal. Across all these videos and many other silent blank ones, every viewer seems to have their own use case. The most common, by far, is to use these videos as a way to simply keep your device on. “I keep this playing overnight so that my laptop doesn’t shutdown while downloading games,” one commenter wrote. “I have to keep this open on my phone because it’s broken and will not turn back on if it turns off,” another said.

There are also a surprisingly large number of times when you might want your device on but the screen off. “I use this so I can have music open on another tab at night and have this open so the screen with the music on it wont shine so bright in my room,” one commenter wrote on a two-day-long video of a blank black screen.


But you know what’s actually easier than tweaking a bunch of settings, especially for younger users accustomed to finding everything they need on YouTube? Just playing a video. One commenter on a blank-screen video called it “the perfect video to cast to your tv when you’re too tired to get up and turn it off,” which seems both ridiculous — if you can cast from your phone to your TV, you can probably use your phone to turn off your TV! — and telling.

Update (2023-07-31): Matthew Panzarino:

There’s apparently an iOS 16.x bug that deletes screen time limits on apps if your kid hits the ‘one more minute’ button. Classic. Ruining my life currently.

Jonathan LaCour:

So much this.

My kids have also figured out that they can visit YouTube in Safari, pick a super long video, enter Picture in Picture, and it completely bypasses all screen time limits.

I reported it to Apple two years ago. They acknowledged it. Still no fix.


Friday, July 14, 2023

Threads and ActivityPub

Richard MacManus:

The fediverse is a collection of decentralized social media services that interconnect via ActivityPub. The most prominent member of the fediverse is Mastodon, a microblogging network that launched in 2017. But many other Web 2.0-style apps have been built on ActivityPub — including Bookwyrm (Goodreads), Lemmy (Reddit), PeerTube (YouTube), and PixelFed (Flickr).


With ActivityPub, the server manages your identity and data. So when you join Mastodon, for example, you are essentially entrusting management of your data to the server (“instance”) you join. As fediverse developer Ryan Barrett put it in a post this week, your ActivityPub “identity, data, and administration are all tied to your instance, for both technical and cultural reasons.” Among other things, this architecture enables your instance to make moderation decisions on your behalf. You’re still free to move to another instance, at any time and for whatever reason, but you can’t port your data (your posts and media) from one instance to another.

I mention all this because it plays right into Meta’s strengths. Meta will still control the identity layer even when it integrates with ActivityPub — and that’s immensely valuable when you’re the owner of Instagram’s social graph. Since Threads is also hosted on Meta’s servers, all your data is managed by Meta too.


There are, of course, also technical challenges that will need to be overcome. As another W3C working group member, Johannes Ernst, put it, “I think one of the things we are all very interested in learning is just what exact stack of protocols Meta is implementing, and then the higher-level policies not prescribed in the standard.” Ernst pointed out that “merely implementing ActivityPub in itself is not sufficient to produce interoperable software nor make what’s happening comprehensible to users.” For example, which of the activity types will Threads implement? Will it allow hyperlinks and HTML markup?


Update (2023-09-11): Jesse Chen (via Chris Adamson):

Our goal with Threads is to make social content as interoperable as email. We are working on the ability for Threads to integrate with ActivityPub, the open, decentralized social networking protocol. Once that happens people will be able to enjoy the best features of Threads across platforms. More importantly, they’ll be able to have more control over their online social presence, regardless of any app or platform. They’ll have the ability to distribute their posts to other social media apps, and consume content from creators on other apps on Threads.

Fedora Telemetry Proposal

corbet (via Hacker News):

The Fedora project is considering a Fedora 40 change proposal to add limited, opt-out telemetry to the workstation edition. The proposal is detailed; it is clear that the developers involved understand that this will be a hard sell in that community.

We believe an open source community can ethically collect limited aggregate data on how its software is used without involving big data companies or building creepy tracking profiles that are not in the best interests of users. Users will have the option to disable data upload before any data is sent for the first time. Our service will be operated by Fedora on Fedora infrastructure, and will not depend on Google Analytics or any other controversial third-party services. And in contrast to proprietary software operating systems, you can redirect the data collection to your own private metrics server instead of Fedora’s to see precisely what data is being collected from you, because the server components are open source too.


OneDrive Leaks Photos via E-mail

loyall (2021, via Hacker News):

Today I received an email from OneDrive. The message said, “Look back on your memories from this day.” This email contained images of photos from my One Drive Backup. […] My question is how did someone gain access to my cloud documents and publish on the internet? What and how much do I need to be afraid of? What can I do to protect myself.😟

Apparently, OneDrive really does send these e-mails, exposing public links to thumbnails of private photos.

Xcode String Catalogs

Discover String Catalogs:

Discover how Xcode 15 makes it easy to localize your app by managing all of your strings in one place. We’ll show you how to extract, edit, export, and build strings in your project using String Catalogs. We’ll also share how you can adopt String Catalogs in existing projects at your own pace by choosing which files to migrate.

Cihat Gündüz:

But most people I talked to since Dub Dub are still unaware of the implications String Catalogs have on their projects. So I figured I should answer the most frequent questions to make it more clear how amazing String Catalogs really are.


String Catalogs replace both .strings and .stringsdict files and therefore support pluralization out-of-the-box. Unlike .strings(dict) files that are placed under locale-specific folders like en.lproj, String Catalogs encapsulate the translations of all supported languages in one file.


Currently, there seems to be no way to control the extraction from the source of truth. […] I also couldn’t find a way to mark a String in a SwiftUI view for example that needs no translation to mark as “non-translatable”.

String Catalogs look pretty neat, but I’ve been burned so many times by bugs and limitations in Xcode’s localization tools that I doubt I will use this. Also, I think the approach of having the tool extract strings from source code is fundamentally wrong. Any keys that are constructed at runtime will be invisible to the extractor. So it forces you to either put short and non-semantic or long and unwieldy strings into the source. I would rather use short and semantic but context-dependent keys. And it prevents the use of helper functions that operate on multiple related localized strings given a key base.

Rather than more layers of high-level Xcode features, which depend on buying into a whole system/workflow, I would like to see better tools from Apple for auditing the .strings and .stringsdict files directly.


Thursday, July 13, 2023

macOS 14 Sonoma Public Beta

Juli Clover:

Public beta testers can download the macOS 14 Sonoma update from the Software Update section of the System Preferences app after signing up on Apple’s beta testing website and opting into the public beta under the Beta Updates section.


For more on what’s new in macOS Sonoma , including a new Game mode, we have a detailed macOS Sonoma roundup that highlights all of the features in the update.

The public beta is build 23A5286i. I was on Developer Beta 3, and it offered me another “Beta 3” update, which only brought the build to 23A5286g. Then it offered a third “Beta 3,” update, which ended up being the same as the public beta.

Jason Snell:

macOS Sonoma, out in public beta now and due to be released this fall, is an update that feels small in all the best ways. Even in early development, I’ve managed to use it on my main Mac without any serious compatibility issues or major bugs. This means that if you’re desperate for change in macOS, you will be disappointed—but at this point I suspect that most Mac users just want incremental improvements without disruptive changes. Slow and steady wins the race.

My experience is that Bluetooth connections are broken (FB12550887, FB12550939). Otherwise, it seems pretty good, though.

This unsung hero of macOS [Screen Sharing] has gotten a major update. For starters, there’s an actual interface—instead of a simple Connect To start, there’s a proper window listing nearby computers and devices you’ve previously controlled. And there’s also a stunning new High Performance mode, which lets two Apple Silicon Macs running macOS Sonoma connect with low latency, high quality, and even support for two displays. I was able to edit some video in Final Cut Pro using this feature, and while it wasn’t perfect, I was impressed at how well it worked.

John Voorhees:

No single Sonoma feature has had as immediate an effect on how I use my Mac as interactive desktop widgets. I’ve never been a fan of the way macOS Big Sur put widgets in Notification Center, an offscreen panel that is only accessible by clicking on the clock in the menu bar. That’s still available, kind of how the Today view is still a feature of iOS, but migrating widgets to the desktop from Notification Center makes them infinitely more useable.


Apple’s new autocorrect system is orders of magnitude better than the old system on every OS. Apple is using a new, more accurate language model. The core system works a lot like the old one, but you’ll notice differences as soon as you begin to type in an app. As you go, Sonoma will also suggest the autocompletion of words, and event phrases.

Six Colors:

In recent years, Apple has taken to making more of its new features available across all of its major operating systems. As a result, it’s made less sense for us to cover the same feature in multiple preview articles. Instead, we’ve rolled some of the key improvements you’ll see across macOS Sonoma, iOS 17, and iPadOS 17 into a single article—this one.

Monica Chin (Hacker News):

Ventura looked a heck of a lot like iOS, and Sonoma looks even more like iOS. I turned my office’s Mac Studio on after installing the developer beta and thought, for a second, that I might be hallucinating my iPhone’s lockscreen. It’s remarkably reminiscent.


iPadOS 17 Public Beta

Jason Snell:

iPadOS 17 uses the extra screen space of the iPad and lets you add a load of lock-screen widgets down the left side. I’ve already stuck a few in there and I’m looking forward to shopping for even more because there’s just so much space.

Another iOS 16 feature picked up in iPadOS 17 is support for Live Activities. These dynamically updated notification boxes can now live on the iPad Lock Screen as well, so you can keep track of a flight in Flighty or a baseball game via the MLB app or a running timer from the Clock app.


That all changed in iPadOS 17, which allows your iPad to sync health data from your iPhone and display it in the new, iPad-expanded Health app. Now I can have quick access on my preferred device to my health trends, which I never think to look at when I’m on my iPhone. In just a few weeks, I am already browsing my health data—and using it to motivate me—far more than I did when it was on my iPhone.


So the good news: in iPadOS 17, Stage Manager really will let you put windows wherever you want.

See also: Juli Clover.


iOS 17 Public Beta

Dan Moren:

I’ve been using iOS 17 for several weeks, and while I’ve encountered the usual assortment of rough edges typical of a beta, none have been significant enough to make me wish to go backward.


Where StandBy really shines, though, is in its other interactions. For one thing, when you play audio, you get a big full screen interface reminiscent of CarPlay. No more fumbling around trying to hit a tiny pause button, or having to wake up your phone to see what’s playing. For another, Apple has finally improved the timer interface, not only letting you set multiple named timers (hallelujah!) but also providing a nice visualization of the countdown with a big, easy-to-read full-screen progress bar. In fact, the whole experience is tuned to be visible from a distance, from the widgets down to Siri’s onscreen responses, and it’s a big help.

There are still some tricky aspects to StandBy. For one, since this is basically a different view of the lock screen, interacting with widgets requires you to authenticate with Face ID. While it’s admirable from a security point of view, that can be awkward if, for example, you have a MagSafe stand that’s not at the right level or angle.


AirPlay now learns what, when, and where you tend to play on certain speakers.

See also: Juli Clover.


Update (2023-07-17): Benjamin Mayo:

Having used iOS 17 for a month so far, you can definitely feel the difference. The corrections are better. It feels like it knows what you meant to type far more than any previous version of the software. It also seems more resilient to typing slang.


But algorithm improvements are only part of the story. Obviously, it still won’t get it right all the time. But in those cases, the experience of managing autocorrect is also improved through a superior UI. When the system does make a mistake, it is far less punishing as the interface now gives you way to quickly revert autocorrect changes.

Update (2023-09-05): Federico Viticci:

I don’t know who else cares about these things, but as someone who reviews iOS and iPadOS every year, I always find these marketing copy and visual differences between Apple’s splash screens fascinating.

Here’s the iOS 17 Contact Poster intro screen (Beta 1 in June Vs. Beta 8 this week) and AirPods Adaptive Audio intro (Beta 2 in June Vs. Beta 4 in July).

iOS 17’s Live Voicemail

Dan Moren:

Live Voicemail finally means I can turn on another feature that I’ve been tempted to use since iOS 13: Silence Unknown Callers.

I’ve always been reticent to turn on Silence Unknown Callers because I worry too much about missing important calls. There are simply too many times that I get a call I don’t want to miss from, say, a doctor’s office, or a delivery person, or a contractor.


But in iOS 17, if you have Silence Unknown Callers active, callers with unrecognized numbers will go straight to Live Voicemail, allowing you to decide whether or not to pick up.


Update (2023-07-17): Juli Clover:

Unless you have a custom-created voicemail message, the default iOS 17 voicemail recording asks callers to provide a reason why they’re calling after the tone sounds, and are informed that “the person you’re calling may pick up.” Note that if you had a custom message in iOS 16 , there will be no change, so this impacts people who are using the default voicemail greeting feature.

The “may pick up” wording seems to be confusing some people who are calling iPhone owners that have iOS 17 installed. Two separate Reddit threads feature complaints from Reddit users who have received calls from people who have not understood Apple’s messaging.

watchOS 10 Public Beta

Dan Moren:

[This] year, the action is on watchOS.

As I wrote several months back, watchOS 10 is a big update that really spends its time re-thinking how we interact with our smartwatches. And now that I’ve spent several weeks using the beta, I can say with some confidence that I’m very excited about this reinvention.


Wednesday, July 12, 2023

Swift HTTP Types

Guoye Zhang et al. (via Quinn):

We’re excited to announce a new open source package called Swift HTTP Types.

Building upon insights from Swift on server, app developers, and the broader Swift community, Swift HTTP Types is designed to provide a shared set of currency types for client/server HTTP operations in Swift.


As the package matures, our goal is to replace SwiftNIO’s HTTPRequestHead and HTTPResponseHead as well as the HTTP message details of Foundation’s URLRequest and URLResponse.


Mac Sales in Q2 2023

Ben Lovejoy (Hacker News):

Mac shipments grew by more than 10% in the second quarter of the year, compared to the same period in 2022, according to a new market intelligence reports.

All major PC brands saw their own shipments fall in the same period, most by double digits[…] Apple’s growth in Mac shipments is said to in large part reflect constrained supply last year.

IDC says that Apple has an 8.6% share of shipments and that overall this was the “sixth consecutive quarter of contraction brought on by macroeconomic headwinds, weak demand from both the consumer and commercial sectors, and a shift in IT budgets away from device purchases.”

Note that these numbers are for the calendar Q2, which is not the same as Apple’s fiscal Q2 below.


Update (2023-07-13): Nick Heer:

The number of Mac shipments, as Goswami acknowledges, grew; it was not “markedly down” and did not “mirror […] the broader market”. It was the complete opposite. Market share is also up — from 6.8% to 8.6%. I might be reading this wrong, but it looks a little like the second paragraph here was prewritten in anticipation of a sales slide and Goswami forgot to delete it.

How Do You Request Music Using Siri?

Adam Engst:

Usually, I like to offer solutions in TidBITS articles, but when it comes to the black box of controlling Apple Music using Siri, I have no sense that my approach is ideal. So I’m going to describe my frustrations, and I hope those of you who have different approaches that work well for you will chime in with suggestions.


The best roundup I’ve found is at Smartenlight, though it’s still not entirely satisfying. The article is from December 2019, and quite a few of the commands didn’t work or worked sporadically for me. Your mileage may vary.


With voice commands directed to a HomePod, though, I have to figure out what I want to listen to without any visual reminders that might trigger a positive—or negative—response, and I’m not happy with how well I’m doing that. I find that I listen to a relatively small subset of music simply due to the limited details I can bring to mind at any given time. Of course, I could pull out my iPhone and scroll through the Music app whenever I wanted to play music—and I do that occasionally, but it’s too much work most of the time.


But given that Apple doesn’t promote how it’s using machine learning to play the best music for you at any given moment, I suspect that it’s nowhere near what the company has done with computational photography and other ML-driven photography features.

It would be nice if HomePod supported Genius playlists. It doesn’t even support my regular playlists. Aside from general reliability issues, the main problems I have with Siri are that many music commands that work on my iPhone don’t work on HomePod and that it can’t answer questions about which music is available in my library. So I pretty much always request music from Marvis on my phone.


HomePod Sound Recognition

Benjamin Mayo:

By taking advantage of the always-on microphone inside the HomePod, it means you don’t need to necessarily invest in buying new internet-connected smoke alarm systems — HomePod can simply enhance the utility of the existing “dumb” offline smoke alarms already installed in your home.

To enable Sound Recognition, open the Home app and go to Home Settings -> Safety & Security screen.

It then sends a notification to your devices if it hears the alarm.


Update (2023-07-28): bcFromSanJose:

HomePod Alarms detected that my smoke alarms were going off and Siri told me in my AirPods Pro. I ran back and discovered a forgotten jar candle had gone nuts. Roaring flames, quickly extinguished.

Apple literally saved my apartment from burning down.

Tuesday, July 11, 2023

The Disappearance of Classic Video Games

Kelsey Lewin (via Hacker News):

The Video Game History Foundation, in partnership with the Software Preservation Network, has conducted the first ever study on the commercial availability of classic video games, and the results are bleak. 87% of classic video games released in the United States are critically endangered.

Imagine if the only way to watch Titanic was to find a used VHS tape, and maintain your own vintage equipment so that you could still watch it. And what if no library, not even the Library of Congress, could do any better — they could keep and digitize that VHS of Titanic, but you’d have to go all the way there to watch it. It sounds crazy, but that’s the reality we live in with video games, a $180 billion industry, while the games and their history disappear.


This is where libraries and archives should come in. Anyone should be able to easily explore, research and play classic video games, in the same way that they can read classic novels, listen to classic albums, and watch classic movies. But outdated copyright laws are preventing institutions like ours from doing our jobs.

Dare Obasanjo:

It’s amazing to think how much digitization has made it less likely content will last beyond a generation. Writing on stone tablets last hundreds to thousands of years. An Atari cartridge or Betamax tape is almost impossible to consume today if you aren’t a collector of classic electronics.

I used to think my kids and grandkids would read my blog posts and tweets. Now I doubt Medium or Twitter will still be around in ten years.


Update (2023-07-12): See also: Craig Grannell.

Update (2023-07-13): John Voorhees:

The problem extends to apps too. Craig Grannell, with the help of Internet sleuths, set out to recreate the list of 500 apps and games that debuted on the App Store as its 15th anniversary approached. Grannell’s Google Spreadsheet currently lists 355 titles, and guess what? By my count, only 43 of those apps and games have live App Store URLs, which works out to 12%, almost exactly the same results as the Video Game History Foundation’s study. Grannell’s spreadsheet may not have been compiled as rigorously as the Foundation’s study, but the point stands: we’re losing access to culturally significant apps and games on the App Store alongside the videogame industry.


Beta Updates in a macOS VM

Guilherme Rambo (Mastodon):

Installing betas now requires signing in with an Apple ID that’s enrolled in the beta program (be it the developer, customer, or public betas), and unfortunately signing in with an Apple ID inside a macOS VM is also not supported.

However, I have found a workaround that allowed me to update a macOS VM running macOS 14 beta 2 to macOS 14 beta 3.

Craig Hockenberry:

There are three primary use cases for most macOS developers running a beta OS in a virtual machine (such as macOS Ventura in UTM):

  1. To download their existing apps from the Mac App Store to verify that everything works correctly on the new OS. An Apple ID is needed to download from the Mac App Store.

  2. To build and debug their apps using Xcode. An Apple ID is needed to setup an account in Xcode so automatic code signing can be used.

  3. To test apps that use iCloud. An Apple ID is needed to access iCloud in System Settings.


Rapid Security Responses Pulled Due to User Agent

Juli Clover:

The iOS 16.5.1, iPadOS 16.5.1, and macOS Ventura 13.4.1 Rapid Security Response updates fixed a WebKit vulnerability that Apple says may have been actively exploited. Unfortunately, it appears that the updates changed the Safari user agent to include an (a), leading some websites to break.

Miguel Arroz:

Still, between having the Mac vulnerable to an issue being exploited in the wild and not being able to browse Meta sites, it’s pretty much a no-brainer. 😄

Thomas Clement:

It’s bad enough for Apple to pull the updates, which means they didn’t do a really good job at testing them with a number of very obscure web sites such as Facebook, Instagram, WhatsApp and Zoom 🙃 I’m sure it doesn’t matter much to all the users who had issues whether the bug lies on Apple’s side or not. It’s very nice to be able to uninstall these updates, but you might still lose a few hours dealing with issues until you realize you need to do that.


Update (2023-07-13): See also: MacMule.

Suing OpenAI and Meta for Copyright Infringement

Wes Davis (Hacker News):

Comedian and author Sarah Silverman, as well as authors Christopher Golden and Richard Kadrey — are suing OpenAI and Meta each in a US District Court over dual claims of copyright infringement.

The suits alleges, among other things, that OpenAI’s ChatGPT and Meta’s LLaMA were trained on illegally-acquired datasets containing their works, which they say were acquired from “shadow library” websites like Bibliotik, Library Genesis, Z-Library, and others, noting the books are “available in bulk via torrent systems.”


Monday, July 10, 2023

The App Store Turns 15

Phil Schiller:

Happy 15th Birthday App Store 🎂

Ken Case (Mastodon, podcast):

Fifteen years ago today, on Thursday, July 10, 2008, Apple launched the iPhone App Store. And we launched the first app we ever built which could fit in your pocket, OmniFocus for iPhone.


At its launch, there weren’t any mechanisms for free copies of paid apps: no promo codes, no TestFlight, no trials or in-app purchases. What to do? The next morning, we went to the local Apple Store, bought a bunch of iTunes gift cards matching the price of our app, scratched the backs of each one to get at their codes, and then emailed out all those codes to potential reviewers.

Craig Grannell:

Let’s (try to) crowdsource the names of the original iPhone App Store apps and games!

I’m writing a piece on the App Store turning 15, and I couldn’t find a list of the original ~500 App Store apps and games from 11 July 2008, which I thought was strange. @jamesthomson, whose PCalc was there from the start, suggested we might be able to crowdsource this, for posterity and future research.

Here’s the spreadsheet.

If you have info to add to it, please do. Please share!

See also: BasicAppleGuy.


Update (2023-07-13): Mike Rockwell:

But here we are, fifteen years later, and the App Store feels like more of a hindrance. A limitation on the platform that prevents entire categories of applications from even being developed.

Update (2023-10-25): Christina Warren:

Looking through my decade and a half of App Store purchases is like looking through a time capsule of the last era of tech, seeing all the fads, the booms, and the busts of the era. The first app I ever downloaded was the official Obama app. My other first-day apps included two different Twitter clients, the official Facebook app, an RSS client, and an $8 copy of Scrabble. Today, the Facebook app is still active and amazingly, that old version of Scrabble still works.

It’s also a remnant of a time that has largely passed. Because even as App Store revenues continue to grow each and every quarter, lining Apple’s pockets to the tune of tens of billions a year, our cultural reliance on mobile apps themselves has changed.


Yes, I have an app for my bank, but I’m just as likely to visit its website when trying to check my balance. Whereas I used to get excited about a new app on my iPhone, I now often resent being asked to download an app when I know that the website will work just as well and cause fewer disruptions or take up less space on my phone.


There is still a lot of money to make on mobile apps, but usually not just on the app itself. The most successful app developers today aren’t the same as they were 15 years ago, where a good novel idea could net millions of downloads overnight. Now, apps need to serve as part of an ongoing business and not necessarily be the business themselves.

How the Threads App Was Built

Emerge Tools (Hacker News):

Two things stand out for Threads on iOS:

  1. Threads has 0 dynamic libraries, whereas the Facebook app which heavily utilizes dynamic frameworks.
  2. Threads has one of the largest plugins we’ve ever seen. BarcelonaShareExtension is 81 MB.


As with the Android app, it looks like they were able to share significant amounts of code between Threads & Instagram to help speed up development. Threads team wanted to move fast and took whatever code it could from Instagram and shoved it where it needed to go.

Cam Roth:

99% native, with a home grown cross-platform solution for a few lightweight flows (think tables or reporting)

We utilized a bunch of existing obj-c/obj-c++ things within IG, but 95% of the new code we wrote was Swift.

We’ll have an eng blog post coming eventually. Mostly Swift, almost all UIKit, a dash of SwiftUl.


Update (2023-07-14): Ahmad Shadeed:

One of the most noteworthy use cases of CSS Grid in a production app is found in Threads. CSS Grid is used to build the post layout.


That line connecting my avatar to Mark’s one is an SVG path.

Fraudulent Yelp Reviews

Stephen Council (via Hacker News):

It seemed the clinic had hired a local lawyer to demand that Dean remove her negative review or face a lawsuit. The envelope included a $50 check.


Since then, Dean, 60, has mounted a yearslong crusade against Yelp and the broader online review ecosystem from a home office in San Jose. Yelp, founded in San Francisco in 2004, is deeply entrenched in American consumer habits, and has burrowed itself into the larger consciousness through partnerships with the likes of Apple Maps. The company’s crowdsourced reviews undergird the internet’s web of recommendations and can send businesses droves of customers — or act as an insurmountable black mark.

Dean follows fake reviews from their origins in social media groups to when they hit the review sites, methodically documenting hours of research in spreadsheets and little-watched YouTube videos. Targets accuse her of an unreasonable fixation. Yelp claims it aggressively and effectively weeds out fakes. But Dean disagrees, and she’s out to convince America that Yelp, Google and other purveyors of reviews cannot be trusted.

Her channel is Fake Review Watch.

Dan Luu:

I find it interesting how businesses have been able to co-opt review sites to get negative reviews removed. If I see credible negative reviews on a major review site, they’re often gone when I check back later, replaced by positive reviews.

The flip side of this is that when I’ve reported obviously fake reviews (negative or positive), those almost never get removed. I guess it makes sense that people who specialize in getting reviews removed would know how to do it better than an honest actor.


Evernote Acquisition and Layoffs

Joshua Bote:

The Redwood City-based note-taking company — which has weathered all manner of tumult over the past decade, capped off last November by the sale of the company to Italian app maker Bending Spoons — axed nearly all its employees in the United States and Chile, according to a statement from Bending Spoons CEO Luca Ferrari provided to SFGATE.

Most of the company’s “operations will be transitioned to Europe,” Ferrari said in the statement, due to the “significant boost in operational efficiency that will come as a consequence of centralizing operations in Europe.”


The layoffs come less than six months after the company eliminated 129 workers — a decision that came as a result of the company’s unprofitability making it “unsustainable in the long term,” a spokesperson told TechCrunch at the time.

Via Dare Obasanjo (and Christina Warren):

VC funding may not be right for every app. You don’t need $290M in funding to build a note taking app and you definitely can’t live up to the billions in valuation it implies.

Martin Pilkington:

When I was there initially there was a lot of “build new products” rather than focusing purely on the core app. Then it pivoted (correctly IMO) into build up the business tools to help bring in more revenue.

Unfortunately expectations of revenue seemed to be a bit out of whack for what the initial steps were, so there were cut backs and some higher ups left.

Unfortunately that led to a new CTO coming in who didn’t really know about or care for native apps, so pushed for electron rewrites, at which point some of the engineering org was let go (most of the contractors, including myself) and a lot of the rest left very soon after.

If you’re in the market for a replacement, I know of one that can import from Evernote and convert your data to standard formats.

Gleb Dolgich:

I’m using EagleFiler with Resilio Sync to mirror the entire library across all family computers and iOS devices, works like a charm.

Resilio Sync is interesting because it works peer-to-peer. You can sync very large amounts of data quickly, without actually storing it in the cloud. EagleFiler also works with more traditional cloud services such as iCloud Drive and Dropbox.

See also: Hacker News.


Update (2023-12-11): Ben Lovejoy:

After an earlier test, all Evernote free users now have their accounts limited to a single notebook containing just 50 notes.


Friday, July 7, 2023

French Bill to Allow Police to Commandeer Phones

Tosin Ajuwon (via Hacker News, 2, 3):

A bill that would allow police in France to spy on suspects by remotely activating cameras, microphone including GPS of their phones has been passed.

The bill allows the geolocation of crime suspects, covering other devices like laptops, cars and connected devices, just as it could be remotely activated to record sound and images of people suspected of terror offences, as well as delinquency and organised crime.

I hope that Tim Cook will have a statement about whether this is possible with Apple devices. Has Apple has been asked to assist or has it been done via exploits? Edward Snowden has mentioned stuff like this before, but I don’t recall seeing specifics about which devices were affected.

Google and Meta have proactively announced that they will block links to Canadian news sources over a link tax. Would Apple go to bat for privacy?


Ethernet at 50

Iljitsch Van Beijnum (via Dave Nanian):

But in the end it was Ethernet that won the battle for LAN standardization through a combination of standards body politics and a clever, minimalist—and thus cheap to implement—design. It went on to obliterate the competition by seeking out and assimilating higher bitrate protocols and adding their technological distinctiveness to its own. Decades later, it had become ubiquitous.

If you’ve ever looked at the network cable protruding from your computer and wondered how Ethernet got started, how it has lasted so long, and how it works, wonder no more: here’s the story.

Om Malik:

There must be something to this whole notion that “time flies!” I distinctly remember writing a short essay about the incredible adaptability of the Ethernet, the technology protocol, on the 31st birthday of the technology that came from Bob Metcalfe’s work at Xerox PARC in the early 1970s. Metcalfe and David Boggs (who passed away in 2022) invented the Ethernet. It was inspired by ALOHANet, a packet radio network used to communicate among the Hawaiian Islands.

It just turned 50 years old — remarkably, it still powers our networks into the future. That is some serious resilience and longevity — no wonder (belatedly, in my opinion) Metcalfe got the 2022 Turing Award. In 1973, Metcalfe wrote a memo on a “broadcast communication network” linking personal computers (PARC Altos) to create a local network that moved data at 2.94 Mbps per second. In 1976, the follow-up work on the memo led to the publication of the seminal paper “Ethernet: Distributed Packet Switching for Local Computer Networks.”

Update (2023-11-20): Joanna Goodrich (via Hacker News):

The PARC facility also is known for the invention of Ethernet, a networking technology that allows high-speed data transmission over coaxial cables. Ethernet has become the standard wired local area network around the world, and it is widely used in businesses and homes. It was honored this year as an IEEE Milestone, a half century after it was born.


Currently, the IEEE 802 family consists of 67 published standards, with 49 projects under development. The committee works with standards agencies worldwide to publish certain IEEE 802 standards as international guidelines.

A plaque recognizing the technology will be displayed outside the PARC facility.

iPad Pro for Coding

Jesse Peterman (via Hacker News):

The #1 reason I started to consider buying an iPad a few years ago was for one thing, and one thing only: to read coding books. I have a kindle and I love it, but for coding books it is terrible. The large color screen especially comes in handy with code snippets as well as for color syntax highlighting.

Indeed, the best uses I’ve found for my iPad are reading books/papers that don’t fit well on a Kindle and watching videos. It seems like I’m not really taking advantage of what the hardware and software can do, though I do use multitasking with OmniFocus.

The #2 reason I considered the iPad was because Apple had announced at WWDC 2021 that their Swift Playgrounds app would be updated to support SwiftUI and be able to release complete iOS apps on Apple’s AppStore.


If you’re just learning Swift in Swift Playgrounds then sure, you can use it for coding, but you could also do the same thing with the base model iPad for a fraction of the cost.


After buying a powerful pro model, a decent keyboard, and a pencil the price ended up being MORE than a laptop I could have used for even more coding activities.


The keyboard shortcuts and operating system aren’t quite as power-user friendly as I would prefer.

The MacBook Air is so good these days. For most use cases, it’s more capable, it weighs less despite having a larger screen and a full keyboard, and it costs less, too. If you’re choosing one or the other, it’s the better choice unless you really need something only iPad can do.


Update (2023-07-10): Dave Verwer:

I’ve never been very excited about the prospect of Xcode on iPad. I don’t think many people would get much done with it without attaching a hardware keyboard, and with one, it feels like the very best it could be would be a slightly worse version of using Xcode on a MacBook.

You may have to give me a minute to explain myself after reading what I’m about to speculate on, but is visionOS where we will see the first iOS-based version of Xcode? From everything we’ve seen of Apple’s new platform, it’s clear this is a project with a long-term vision, and I think a version of Xcode could make sense.

Is It Safe to Store Passwords and 2FA Codes Together?

Megan Barker:

It’s important to acknowledge that 2SV is a very valid way to secure your accounts, and improves upon the standard use of a username and password (one-factor authentication). The additional required step can prevent account compromise by someone who gains access to your login information; it acts as a barrier regardless of TOTP location.

But there’s an incredibly specific (and unlikely) scenario in which storing your TOTP in a separate authenticator app may offer additional protection. If an attacker got ahold of your 1Password login information (and your 2FA secret if you’ve added that layer of protection to your 1Password account) but didn’t have control of your device, the separation between your passwords and TOTP could prove useful.

I hedged with may and could because this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge. And, to my knowledge, there’s no authenticator app or password manager on the market that can safeguard data on a compromised device.


Update (2023-07-10): See also: Accidental Tech Podcast, Sebastian Cohnen.

Update (2023-07-11): Adam Engst:

I dislike putting all my security eggs in one basket, and having 1Password contain both kinds of secrets—account passwords and TOTP codes—has given me some pause. I’m pretty confident in my 1Password setup and in 1Password’s integrity and security, but the fact remains that if someone were to gain control of my 1Password account, two-factor authentication wouldn’t restrict access to my most important accounts.


Two-step verification is a significant improvement over plain password-based authentication because it presents an additional hurdle to anyone attempting to log in to your accounts. But as long as that TOTP code is delivered on the same device and in the same pathway—you unlock 1Password for passwords and TOTPs using the same method—it’s not two-factor authentication. That’s the case if the TOTP code comes from 1Password, Authy, or some other authentication app running on the same device you unlock using a password, Touch ID, or Face ID. However, logging in on your Mac and looking up the TOTP code in Authy on your iPhone would be true two-factor authentication.


I’m not sure I buy Apple’s answer—if someone were to steal my Mac and guess my login password, they could accept two-factor authentication prompts just as in the iPhone passcode theft scenario we wrote about earlier this year[…] Maybe it’s more like 1.5-factor authentication[…]

He has an interesting idea that maybe 1Password could implement true two-factor authentication since it runs on multiple devices that communicate with their server.

Thursday, July 6, 2023

SwiftUI Data Flow 2023

Discover Observation in SwiftUI:

Simplify your SwiftUI data models with Observation. We’ll share how the Observable macro can help you simplify models and improve your app’s performance. Get to know Observation, learn the fundamentals of the macro, and find out how to migrate from ObservableObject to Observable.

Sarah Reichelt:

With the introduction of Swift macros, the SwiftUI team was able to reduce the number of property wrappers need to send data around, and remove a lot of boilerplate code.

For this article, I have re-written my sample app as a Mac app and updated it to use the new data macros.


Apart from adding some details to the decisions points, there are really only two additions to my chart:

  • If a property doesn’t need to change, it can be a let.
  • @Bindable only works for classes. The equivalent for structs or primitive data types is still @Binding.


And lastly, in @Observable classes, everything that is NOT private is published. This is the opposite to what we had before where you had to explicItly state which properties were published.

Keith Harrison:

[Observable] has a number of benefits:

  • Simplified data flow, using State and Environment. You no longer need StateObject or EnvironmentObject.
  • Less boiler-plate. No need to annotate properties with @Published or models with @ObservedObject.
  • A view is now only updated when a property it depends on changes not when any change happens to the observable object.
  • You can have arrays of observable models or even observable types that contain other observable types.

Apple has a useful guide on the steps to migrate an ObservableObject to an Observable. To summarise:

Ish Abazz:

In case anyone else runs across this… Using @Observable on a class that has a property that is a closure causes the Xcode beta 3 compiler to flip out. Using @ObservationIgnored on the said property will get the compiler to calm down.


Update (2023-07-26): Keith Harrison:

In iOS 17, Apple deprecated the onChange(of:perform) view modifier replacing it with two new variations.

Update (2023-08-10): Natascha Fadeeva:

When it comes to state management in SwiftUI combined with reference types, SwiftUI provides two property wrappers: @StateObject and @ObservedObject. Understanding the difference between them is crucial for building robust SwiftUI applications, as it determines how data is managed and flows through the view hierarchy.

Note: Apple introduced the Observation framework at WWDC23 which will make these two property wrappers obsolete in the future. The knowledge around them is still useful since they are used in many existing applications. The knowledge might also help migrate to new Observation framework.

Update (2023-08-22): Thomas Clement:

Things are getting a bit weird in the swift forums, there’s been a huge amount of feedback in several discussions over several months about missing didSet support in Observability and Apple’s response has been just complete silence.

Update (2024-02-14): Donny Wals:

In this post, we’ll explore the new @Observable macro, we’ll explore how this macro can be used, and how it compares to the old way of doing things with ObservableObject.

Firefox 115’s Two-Tier Extensions System

Vishal Gupta (Hacker News):

If you installed or upgraded to the new Mozilla Firefox 115 or later version and you are getting “Some extensions are not allowed” error message on Extensions panel or flyout (puzzle piece toolbar icon), this article will help you in fixing the issue and enabling the blocked extensions again in Firefox web browser.


The [error message] is shown by a new feature called “Quarantined Domains”[…]. According to Mozilla team, this new back-end feature has been implemented to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.


Now double-click on extensions.quarantinedDomains.enabled preference and set its value to false.

Jeff Johnson (Mastodon, Hacker News):

I’m all in favor of giving users control over which extensions are allowed to load on which sites. Safari already has this feature on both macOS and iOS. My concern is not about user control—little of which even exists in Firefox 115, as I’ll show later—but rather about the remote control that Mozilla has now given itself, as mentioned in a Bugzilla report.


You have to wonder why an open source project required confidentiality about this. Incidentally, neither Safari nor Chrome, or any other browser as far as I know, has such a remote domain-specific kill switch for extensions, so you have to wonder why it was necessary in Firefox.


I believe that Mozilla already had the capability to remotely disable an individual extension, if it turned out to be malware. […] Given this preexisting capability, it’s unclear why there should be a list of domains where all except a lucky few chosen extensions are disabled, regardless of whether the disabled extensions have shown signs of misbehavior.

Update (2023-07-10): Jeff Johnson:

Mozilla has posted additional information about the quarantined domains feature added in Firefox 115.

Update (2023-07-11): Jeff Johnson:

Note that extensions.webextensions.restrictedDomains and extensions.quarantinedDomains.list are two separate settings in Firefox.


Thus, it appears that Mozilla introduced a built-in add-on to disable the Brazilian web sites in Firefox version 113, then they moved the same functionality from the add-on into the main app in Firefox version 115.

We still have no information from Mozilla about why most Firefox add-ons, except for a select few add-ons “monitored by Mozilla”, have been disabled on those six Brazilian web sites.

How Ventura Checks the Security of Apps and Tools

Howard Oakley:

When you first run an app that you’ve just downloaded to your Mac from a source that results in it being put into quarantine, the following has occurred[…]


Some or all of those can also be triggered when a known app, which has already passed its first run tests, is run from a previously unknown path, when it’s put back into quarantine, or when it remains stuck in app translocation.


One situation where repeated security checks could have significant impact is when repeatedly executing a third-party command tool in a script. […] Provenance tracking thus appears to overcome overhead without compromising security.


Affinity Publisher for iPad

Beardy Guy:

In general the app has been very stable and usable in my four months of use. And to be clear, it’s not just usable, it’s smooth and responsive on the M1 iPad, 8GB of memory. Being able to work with touch, Pencil and trackpad is a real pleasure.


For many iPad users Apple’s Pages app is all that’s needed. That app has also had many features added over the years and is quite capable for laying out documents. I used it for years designing a wide variety of reports, newsletters and brochures. Affinity Publisher is a competitor to Adobe’s InDesign. It will open InDesign IDML files as well as pdfs for conversion to Publisher files.

Unlike Adobe’s various iPad apps, Publisher on iPad is the full app with the full feature set. Should you want to edit a Publisher file shared by someone or share to someone using Publisher on a Mac or Windows, it’s no problem as long as the file will be opened with version 2 of the app on those platforms[…]


StudioLink, allows me to open up an a vector graphic in Designer or an image in Photo without actually leaving the Publisher app. It’s an amazing feature though it does require that you have all three apps installed to work.


Wednesday, July 5, 2023

How to Diagnose and Control Login and Background Items

Howard Oakley:

[From] Ventura onwards property lists that previously had to be installed in Library LaunchDaemons and LaunchAgents folders can now be kept inside their app, making them even harder to locate.


If your Mac has been in use some years, or has been migrated from an older system, you’re likely to see many Background Items listed here. However, your control over them is limited: all you can do is turn them off and on. If you try disabling some of them, you may see that they’re automatically re-enabled. Many appear unidentifiable. A few have Info buttons, revealing where they are on your Mac, but many don’t.


To remove all third-party Login Items and reset to installation defaults, you can use the undocumented command:

sudo sfltool resetbtm


A better and more systematic approach is to obtain a detailed listing of all those Background Items, and uninstall or delete those you no longer need, or are just old and unnecessary. For this, you need a BTM dump, using another undocumented option to the sfltool command:

sudo sfltool dumpbtm > ~/Documents/btmdump.text


If you see the right name [on a new machine/VM], it’s likely that your product is built correctly. If that same product shows the wrong name in other environments, it’s reasonable to assume that this is a bug in macOS.

Such bugs are very common on development machines. The code that gets the name of your product relies on the Launch Services database, and it’s not uncommon for the building and rebuilding you do on your development machine to thoroughly scramble that database. That’s why testing on a fresh machine is so important.

OTOH, if this test shows the wrong value you need to start looking at your code.


Update (2023-07-11): Howard Oakley:

At any given time your Mac has several hundred background activities scheduled, most of them by macOS. These include important services like making scheduled Time Machine backups, and a great many whose benefits may be less apparent, such as running medianalysisd to keep your Photos library and other media up to date. When one or more of those stop working, they can be hard to detect, with backups being one of the more obvious. Because most of these are run by a hidden scheduling system, there are essentially no user controls, and recognising the problem requires browsing the log. So what can you do if they stop running reliably?

Family Passwords and Passkey Providers

Juli Clover:

In iOS 17, Family Passwords is designed to let you share your passwords and passkeys with friends and family members. Using the Passwords section of the Settings app, you can create a group of people to share passwords with.

Using a setup process, you can select trusted contacts to share information with. Each person who is in the group can select passwords and passkeys to share with others. You can, for example, share passwords to streaming services and online bill paying sites without having to share the password for your bank.


Like regular passwords, shared passwords are stored in iCloud Keychain and are end-to-end encrypted. Passkeys, Apple’s device-verified alternative to passwords, can also be shared.

This is really cool.

Ricky Mondello:

The feature that allows you to share passkeys and passwords in iOS 17 and macOS Sonoma is not at all limited to families. You can set up shared groups with any collection of close contacts. And you can set up as many groups as you’d like. :)

Apple (Hacker News):

Passkeys can now be synced using external providers[…] Password manager apps can save and offer passkeys on iOS, iPadOS, and macOS.

Notably, there still doesn’t seem to be a way to actually export passkeys. I guess you could use an external provider that offers this, but then you would lose the benefits of iCloud Keychain.

See also: Deploy passkeys at work.

macOS 14 release notes:

The Credential Provider API for password managers has been expanded to support passkeys. Credential providers can save and offer passkeys for apps and websites across the system

Paulo Andrade:

While Secrets could potentially generate and store Passkeys, they would be challenging to use in any app or browser without a Secrets extension installed.

Unlike password-based authentication, you can’t simply copy and paste a Passkey into an authentication form. And that’s precisely why this announcement is so important.


By allowing third-party password managers to store and use Passkeys in both apps and websites, Apple is taking another step in that direction. It also prevents locking you into the ecosystem.

Dan Moren:

I was glad to see that Apple has now added the ability to log in to your Apple ID or using a passkey instead of your password.


I do find it a little bit odd that the macOS implementation currently doesn’t seem to let you use Touch ID on your Mac to log in, rather kicking you to verify via your mobile device. On the one hand, that does bestow the additional security of using a second factor—an item that you have—but that’s not required on iOS or iPadOS, which would seem to be at more risk of being lost or stolen.

Another interesting tidbit: I can’t locate the saved passkey in the Passwords section of System Settings on my MacBook Air running Sonoma.


A Vatican-Sized Flag Mystery

Nick Heer:

Reddit user “horizontalhole” discovered something curious:

From 2017–2022 the Vatican flag SVG on Wikimedia Commons contained a mistake. You can now tell which flag manufacturers/emoji platforms used the file.


Indeed, Becker includes a series of flags with variations in the colour used for the keys, the cord element, and the tiara, in the 1980s through 2013. Even well past the publication of what the Vatican deemed its official flag, versions shown in and around Vatican City have differences in the shading of each of these elements. Becker goes on to write that these “variations suggest that Vatican authorities could clarify the flag’s details more precisely”, and laments how “local flagmakers often rely on questionable sources (e.g., Wikipedia)” (106).

It does seem that, officially, the version of the Vatican flag with a white-filled tiara is the most correct option. But even within Vatican City itself and in official use, there is considerable variation. Perhaps most relevant to the original post, it is not necessarily true that a Vatican flag with a red-filled tiara is derived from the 2017–2022 Wikimedia image. However, with a more correct version in the world’s most-used encyclopaedia, it may be a productive case of citogenesis.

See also: Emojipedia.


Adobe at 40

Harry McCracken (2022, via Hacker News):

It’s a milestone that only a few of today’s highest-profile tech companies—such as Apple and Microsoft—have reached. And much of Adobe’s long history is tangibly present in its current business, which is full of products—such as, Photoshop, Illustrator, Acrobat, After Effects, and Premiere Pro—that have been around for longer than a meaningful percentage of the people who use them.


Adobe has been so dominant for so long in so many of the categories in which it competes that it’s easy to forget it was once a scrappy upstart with an uncertain future. In fact, if photocopying kingpin Xerox had been more adept at monetizing the breakthroughs of the brilliant scientists who worked for its PARC research lab, there might never have been an Adobe at all.


There are even alternate universes where Adobe itself didn’t make it into the 21st century. According to Pamela Pfiffner’s 2003 book, Inside the Publishing Revolution: The Adobe Story, Steve Jobs was so enamored with Adobe’s technology that he tried to acquire the company for $5 million in 1983, well before it had released any products. Prizing their independence, Warnock and Geschke turned down the offer, but later accepted a $2.5 million investment in return for 20% of Adobe. (Apple cashed out in 1989.) In 1998, when Adobe was experiencing a rare downturn in its business, it was even the target of a hostile takeover bid by its smaller rival Quark.

Brendan Dawes (2019):

No longer will you find Adobe Photoshop or Illustrator on any of the Macs I use. You will find Premiere but that’s only kept around in case I need to load an old project. After twenty three years of using Adobe products in a professional capacity, I’ve now moved away from them as a company as I find there subscription model not something I can partake in, especially when they can suddenly decide to switch off older versions of the CS suite, making those programs you might use everyday useless — unless you stump up more money.

Via Colin Devroe (2019):

I think the Adobe products are worth the price tag. I think most software is, in fact, under-priced. But the way they’ve been treating their longest, most faithful, customers is beginning to wear people down. This isn’t an issue of price or value.

I think we’re going to see either Adobe acquiring more of their competitors through brute force, or they will need to make some adjustments to their model over the next 5 years.

People are still grumbling about Adobe and subscriptions years later, but most seem to be paying. Rather than Adobe making adjustments, it seems like more companies are following their lead. However, there is more competition now, e.g. from Affinity and Figma, which Adobe is in the process of acquiring.

Like many, I’m conflicted about Adobe. The apps themselves continue to work well for me, but the associated installers and daemons seem to be increasingly bloated and janky.

Paul Bischoff (via Hacker News):

Nearly 7.5 million Adobe Creative Cloud user records were left exposed to anyone with a web browser, including email addresses, account information, and which Adobe products they use.

Deceptive Patterns (Hacker News):

How Adobe tricks users into a 12 month contract.


It took me a while to get the facts, but it turns out that by clicking “Start free trial”, we are tied into an annual contract.

If we want to leave, we have to pay 50% of the outstanding ANNUAL BALANCE!

Marc Edwards:

Adobe’s sub cancellation policy would have to be the single worst decision the company has made in its entire history.

Are Sundnes:

So, I wanted to cancel a couple of our @Adobe licenses. I’m THIS close to cancelling all of them. What the hell is up with this?


I can afford Adobe software. I just can’t afford their bullshit.

Marc Edwards:

The script for cancelling your Adobe CC sub is: I’m changing jobs and my new employer already has a sub for me, so I don’t need my current one. If they ask who the company is, say you can’t tell them because you’ve signed an NDA.

Managing subscriptions is one problem that the App Store does do a good job of solving. But the main Adobe apps are not in the Mac App Store.

And the grass may not be much greener with Figma…


We had to migrate files across different accounts. The only way we found possible was to add the origin account as editor and transfer the files and ownership. Anything else resulted in losing edit privileges during the process.

A month later, we get a notice that we owe 15$.

During the interaction of adding another editor, we never got any feedback from Figma about that costing an extra 15$.

Now, we got a ticket about the issue but, as usual, it delays days to be handled (another drawback that needs to be addressed).

Last but not least, even the editor account that was paid for one year in advance is now locked.


Now it is way too easy to add editors unintentionally and there is no warning about extra change for each one of them. I understand that it’s very beneficial for the company but not very friendly for designers, especially freelancers that are working with different external teams. I’m keeping getting charged for people I accidentally gave editing rights some time ago.


Tuesday, July 4, 2023

Instagram Threads

Amanda Silberling:

Instagram’s rumored Twitter competitor just dropped on the iOS App Store in the U.S. The app will be called Threads, and according to App Store data, it’s expected to launch on July 6.

It’s a good time for Instagram to enter the fray — this past weekend, as Twitter fumbled the bag with rate-limit errors, competitors like Spill, Bluesky and Post saw significant growth. But Threads could have a leg up, since it directly ports over your Instagram followers and following lists. Instead of rebuilding a community from scratch, Threads users will already have their existing Instagram circles there from the get-go.

Threads (Hacker News):

Say more with Threads — Instagram’s text-based conversation app

Threads is where communities come together to discuss everything from the topics you care about today to what’ll be trending tomorrow. Whatever it is you’re interested in, you can follow and connect directly with your favorite creators and others who love the same things — or build a loyal following of your own to share your ideas, opinions and creativity with the world.

Dare Obasanjo:

This table is basically a list of features used by the app framed in the scariest way possible.

Colin Devroe:

The “Data linked to you” for Threads on the iOS App Store is because they are using Instagram as their authentication service. The two accounts are inexorably linked. If you use IG at all Meta already has this access/info.


Update (2023-07-06): Ivan Mehta:

Notably, Instagram head Adam Mosseri said in a post that there will be no ActivityPub support at launch. ActivityPub is a protocol that is used to post on decentralized networks like Mastodon. But the platform plans to allow interactions with other fediverse servers in the future.


As I alluded to in my previous post on the Fediverse and Mastodon (as before, used interchangeably here, deal with it), the prospect of Meta’s new “Project 92″/”Threads” being ActivityPub compatible has led a not-insubstantial quantity of existing Mastodon users to react with incredible fury and calls for the entire thing to be blocked by all other servers (“defederated”), in theory thus smothering it at birth while also protecting existing Mastodon users’ personal data, in this reading meaning their profile information and posts. Those who have tried to adopt a “wait and see” approach, or correspond with Meta to try and figure out what their intentions are, have been pilloried and in some cases received death threats.


There’s no secret backdoor in the ActivityPub spec that can be used to deliver adverts to be displayed in users’ feeds on other servers; and if Meta tried to create one, it would be easily defeated by those servers simply ignoring it.


The final point is that Meta does not need to run its own ActivityPub server to achieve all this stuff. ActivityPub is not secure in the slightest and is actually kind of a privacy nightmare. Frankly, there are worse and more obviously harmful actors already using AP than Meta[…]


It does not obviously help Meta in any way to have interoperability with ActivityPub. Threads would probably gain a lot of users whether it had ActivityPub or not, simply by virtue of a popup appearing in the Instagram and Facebook apps advertising it. While I’m sure it’s comforting for the people who subscribe to one or more of the above conspiracy theories to believe that actually Mastodon is really interesting and consequential, the reality is that Meta doesn’t need them.

Chris Hannah:

Regarding ActivityPub and the Fediverse, my opinion is that if Threads fully supports the protocol, then that is surely a good thing. Because, apart from major social networks simply not existing, having them work with an open standard is surely a pretty cool thing.

I do not doubt that some people will not want to have their instance to connect to Threads. This is a totally valid opinion, and I’m sure there will still be options for this.

However, I’m guessing a lot of Mastodon instances won’t block Threads. Which means, if you know people that didn’t make the jump to Mastodon, you may now be able to communicate with them this way.

Nick Heer:

My guess is that it looks good for Meta to look open and friendly right now — just look at how it has marketed the “metaverse”. I do not think most people care, but I think Meta believes it is good for its reputation.

Juli Clover:

Meta today officially launched Threads, the new social media app that it has been working on as an alternative to Twitter. Threads was meant to launch on Thursday, but the company pushed it live early due to the excitement surrounding its debut.


According to Meta, the app does not appear to be using any data to track users across websites and apps owned by other companies at this time, which makes it more private than Twitter, Facebook, and Instagram.

John Gruber (Mastodon):

The iOS app only supports an iPhone layout. I suppose I should not find this surprising, given that 13 years after launching, Instagram’s iOS app still doesn’t support the iPad natively, but somehow I do find this surprising. What a fucking mystery for the ages it is that Instagram won’t make iPad apps.


The website is view-only. You can’t log in, post, or reply. No indication whether this is temporary or by design.


Much better would be a URL format that includes the username of the poster, so you can tell who posted it just by looking at the URL.


Over 5 million people signed up for Threads in the first 4 hours after launch. (There are about 1.2 million active Mastodon users.)


If you’re the sort of person who wants a quiet timeline comprised only of posts from carefully curated accounts, Threads is not for you, and probably never will be. But the sort of people who like Twitter’s “For You” feed and trending topics in the sidebar might find Threads more fun.

Chris Hannah:

I was expecting it to be “Twitter, by Instagram”, with emphasis on the Twitter. Instead, it’s the other way around.

To me, Threads takes one of the most annoying parts of Instagram, the algorithmic timeline, makes it worse, and then provides it as the foundation of a new social network.

Riley Testut:

Yup, Threads is the real deal alright. Already following many of my friends that never made it to Twitter (let alone Mastodon) 🙏

Eugen Rochko:

There’s been a lot of speculation around what Threads will be and what it means for Mastodon. We’ve put together some of the most common questions and our responses based on what was launched today.

Jeff Johnson:

The fact that Threads shipped without a chronological timeline tells you everything you need to know about that “service”.

M.G. Siegler:

I both thought Meta should try to go after Facebook (yet again). And thought it might actually work this time. But I honestly didn’t expect Threads to be this good, this fast.

Tim Hardwick:

But users thinking of installing the social media app just to check it out should be aware that you can’t delete your Threads profile without also deleting your Instagram account.

Matt Birchler:

First, Threads is a massive hit. It looks like over 20 million people (update: 30 million) have joined the service already in the first 12 hours since launch. That’s not Instagram users automatically migrated, that’s real people (and many brands) installing the app and setting up an account. That’s astounding uptake, even for a company like Meta with billions of users.


We’ll see how sticky Threads is beyond the first few days, but my hot take right now is that Bluesky is toast. I would say it still has a chance if Threads was 100% its own thing, but Threads’ upcoming ActivityPub integration is going to help nerds feel better about using Mastodon (or other ActivityPub networks), and everyone else will either switch to Threads or stay on Twitter. I really don’t know where Bluesky fits into this anymore.

Dave Winer:

No web browser interface?

Tons of bugs! Surprising they shipped in this shape.

Bait and switch -- ActivityPub support real soon now.

Update (2023-07-07): Mario Guzman:

I have a bad feeling that Threads is going to be huge. Literally people I know who said they don’t care to be on a microblogging platform like Twitter legit signed up day one like my brother, my realtor, old coworkers… AND THEY ARE USING IT. I can’t be the only one who is seeing this.

Max Tani:

Twitter is threatening legal action against Meta over its new text-based “Twitter killer” platform, accusing the social media giant of poaching former employees to create a “copycat” application.

Ish Abazz:

I had no idea that Threads was a reboot.

Update (2023-07-10): Jay Peters and Jon Porter:

Instagram’s new Threads app has already surpassed 100 million users, meaning it reached the milestone dramatically faster than even ChatGPT.


Users aren’t just signing up: they’re posting, too. As of Thursday, my colleague Alex Heath reported that there have already been more than 95 million posts and 190 million likes shared on the app.

Binyamin Goldman:

It is mind-boggling to me that the same people that consistently question the Instagram merger and support big tech regulation do not see the issue with Meta using its market position to dominate an existing social networking space overnight. It is ok to not like Elon Twitter and hold this opinion. Threads becoming the fastest-growing app overnight despite missing many key features is a sign of market foreclosure and one of the clearest abuses of a dominant position in tech I think we’ve ever seen.

Perhaps this is one reason they pre-announced support for ActivityPub.

Update (2023-07-13): Mysk:

The fake “Threads for Insta” was downloaded at least 300,000 times before Apple quietly removed it. Isn’t the App Store obliged to explain why the app was removed, at least only to the victims who downloaded it? This will raise awareness and educate users about avoiding such scams.

Update (2023-07-27): John Gruber:

To get to the Following [chronological] timeline in Instagram, tap the Instagram logo of the Home tab; that presents a menu with options for “Following” and “Favorites”.


The much-requested Threads web app is coming soon, apparently.

Abusive Web Notifications

Adam Engst:

These attempts to phish you by notification are malware, plain and simple—the form known as adware. The alerts try to trick users into visiting a fake website and entering login credentials or credit card information to facilitate identity theft, just like a phishing attempt via email. Attempting to eliminate the notifications by running anti-malware apps like Malwarebytes, DetectX Swift, or VirusBarrier won’t work.


Unlike regular malware, notification adware doesn’t require an infection, so anti-malware software has nothing to find or remove. Instead, notification adware exploits the capability of Web browsers to let websites display system-level notifications just like native apps. No one would intentionally sign up for adware notifications, of course, but websites can—and increasingly do—ask users if they’d like to receive notifications.

There are also fake notifications that appear within the browser window and look like system notifications—but usually using the design of a few years ago. These will show up without any prompting and are good at tricking people, in my experience.


The Trouble With Mac Gaming

John Voorhees:

Quinn Nelson of Snazzy Labs has an excellent video about the trouble with gaming on the Mac. The video’s title says it all: “Macs Can Game. But Apple Can’t.” As Nelson explains, it’s not the hardware or the software that’s holding the platform back. It’s the size of the Mac market and the lack of any apparent strategy to attract more than a few big-name game studios to the Mac.

John Siracusa:

I’m not linking this @snazzyq video just because it agrees with everything I’ve been saying for years on @atpfm about Apple and gaming…but it’s also not a coincidence that so many knowledgeable people have the same thoughts on the subject.

Peter Cohen:

So Game Porting Toolkit a starting point for Mac games, not an endpoint. In fact, getting games working on the Mac platform has never really been the issue. I’ve been covering this scene now for 30 years. Finding someone to convert game code to run on the Mac isn’t the problem. Game devs today are better at building portable code than they used to, and the tools they rely on are better at targeting multiple platforms, too.

Business is the issue that’s stymied Mac games over the years. Game publishers often avoid the Mac platform because they don’t see the revenue potential. The counterargument is that Mac users don’t buy enough games because they aren’t out at the same time or in the same quantity as Windows. It’s a bit of a chicken and egg conundrum.


After Apple announced Game Porting Toolkit, I did a straw poll of veteran Mac game developers. General consensus was interest, but eye rolls too. The mood can be summarized as, “We’ll see how long this lasts.”

What do they mean? Apple’s infamous for shifting priorities after announcing new game technology and walking away from it.

See also: Microsoft’s gaming strategy.


Update (2023-07-10): See also: Accidental Tech Podcast.

Update (2023-08-04): Samuel Axon (Hacker News):

Apple’s macOS has been the second most popular operating system on the Steam game distribution platform for a long time, but that has now changed. Linux has surpassed macOS for the No. 2 spot, according to Steam’s July user hardware survey.

Update (2023-08-09): mikeymikey:

Mac is at 1.84%, Linux is at 1.96% - but 42% of that is Steam Deck

So really the breakdown would be more accurate as:

  • 1.84% Mac
  • 1.14% Linux
  • 0.82% Steam Deck

If we’re gonna play perspective games, I’d much rather paint this as “Valve’s successful launch of their own gaming console has already almost equaled the total number of active Steam Linux users” 🙃

Jan Ekholm:

The alternative interpretation is that “company launches marginal handheld devices, almost eclipses Apple’s all efforts in a year”. The gist here was however that Apple is so inept when it comes to gaming that it’s comical.

Colin Cornaby:

Kind of worried Blizzard is just starting to let the Mac go in their few remaining games. World of Warcraft has a few glaring and obvious graphical issues in the Metal renderer that have survived for months now. My gear isn’t even textured on the character screen.

Roger Ogden:

As I understand it, the Metal version of WoW would not exist if it wasn’t one person’s passion project. It’s apparently no one’s job to maintain a Metal version of the game, and that makes me sad.

AutoCAD Perpetual Licenses Can No Longer Be Activated

Steve Johnson (in 2016):

Hidden in amongst a bunch of the usual highly dubious subscription statements from Carl Bass is an announcement that spells doom for Autodesk perpetual license owners.


Translation: Autodesk is going to drive up prices of maintenance subscription (perpetual license keeping-up-to-date fee) to match the much higher prices of product subscription (rental). Maintenance subscription will then be merged into oblivion. Your return on your long-term investment in Autodesk software will be zero.

What if you don’t want maintenance updates—can you keep using what you have?

Ian Davis:

my permanent standalone autocad product license has become invalid. and as of a couple of months ago, is no longer supported. so I can’t get a new standalone permanent license. they will however sign me up for current software on a subscription basis.

Via Louis Rossmann (Hacker News):

If you have older versions, their activation system doesn’t appear to work the way that it used to, you have to do manual activation. And what gets particularly more annoying is some people need activation codes, some people don’t, but more importantly, if you move on to a new computer, this appears to be the case that I’ve confirmed with several people who are actually using this software. You can use it as long as you like, but if you move to a new computer, you have to move the license as well, using the license transfer utility. If you no longer have access to the old license installation, you’re out of luck. Autodesk won’t supply you a new activation code.

In other words, even if you only want to restore from a backup and run an old version of the app on old hardware with an old OS, that may no longer be possible.

Monday, July 3, 2023

S3 Files 2023.1

Anders Borum:

Today I’m launching S3 Files, a client for S3 compatible storage inside the Files app, share sheet, shortcuts and the Finder on Mac.

It’s a universal app that costs $14.99 (lifetime) or $2.99 monthly:

Our innovative “Smart Upload” feature allows you to use the share sheet and services menu for efficient uploads. Remembering the target directory for each file type, this feature guarantees swift and efficient uploads of files & folders.

With extensive S3 compatibility, our app works effortlessly with platforms like AWS S3, BackBlaze B2, CloudFlare R2, Digital Ocean Spaces, MinIO, Wasabi, and more.

Our “Controlled Sharing” feature lets you generate shareable links for others to view & download files with the option to limit access up to 7 days.


Update (2023-08-10): Anders Borum:

Objects in Glacier or Glacier Deep Archive have a small icon in Finder/Files app and can be restored from context menu.

Zig Proposal to Drop LLVM

Loris Cro and Andrew Kelley (in 2020):

In the early days, Zig was but a thin frontend in front of LLVM. This was instrumental for getting started quickly and filling in gaps of Andrew’s knowledge as a compiler developer. Now, the training wheels of the bicycle are coming off, and LLVM is transitioning into an optional component.


The move to a self-hosted compiler for Zig has similar advantages for the core contributors, but it also makes LLVM an optional dependency, increases compilation speed (instead of losing it), and adds an amazing feature for debug builds of your code: incremental compilation with in-place binary patching, another unique Zig feature.

Andrew Kelley (via Hacker News):

This issue is to fully eliminate LLVM, Clang, and LLD libraries from the Zig project.


In exchange, Zig gains these benefits:

  • All our bugs are belong to us.
  • The compiler becomes trivial to build from source and to bootstrap with only a C compiler on the host system.
  • We stop dealing with annoying problems introduced by Linux distributions and package managers such as Homebrew related to LLVM, Clang, and LLD. There have been and continue to be many.
  • The Zig compiler binary goes from about 150 MiB to 5 MiB.
  • Compilation speed is increased by orders of magnitude.
  • We can implement our own optimization passes that push the state of the art of computing forward.
  • We can attract research projects such as alive2
  • We can attract direct contributions from Intel, ARM, RISC-V chip manufacturers, etc., who have a vested interest in making our machine code better on their CPUs.

At least initially, Zig would lose support for C++ and Objective-C, along with less popular architectures.

Aryan Ebrahimpour (via Hacker News):

The Zig programming language has garnered considerable attention as a new systems programming language, positioning itself as the better C. But how does Zig achieve this? In this blog post, our aim is to examine some of the issues associated with C and explore how Zig intends to address them.


Apple Resisting Further Changes to Anti-Steering Rules

Stephanie Bodoni:

Apple Inc. is set for a showdown with European Union antitrust regulators, insisting it doesn’t need to make any more changes to its App Store after it was hit by formal charges over its treatment of music streaming rivals such as Spotify Technology SA.


Apple considers it already addressed any possible competition concerns over the past two years with changes that create a fair balance between the interests of Apple and app developers[…]


Spotify says that Apple’s anti-steering rules prohibit it and other developers “from telling consumers about any deals or promotions through their own apps.”

“These rules still exist today and Apple’s supposed changes in fact change nothing at all and are just for show,” Spotify said in a statement.


Update (2023-07-07): Juli Clover:

Spotify has not allowed customers to sign up for a Spotify Premium subscription through the App Store for the last seven years. App Store Spotify subscriptions were in fact only available for a two-year period between 2014 and 2016, but some longtime subscribers have continued to pay for Spotify through the App Store since that time.

In emails to customers, Spotify says that it is no longer accepting Apple’s billing service as a payment method.

Twitter Now Requires Logging In

Jess Weatherbed:

If you currently try to access Twitter without logging in to your user account, you’ll be unable to see any of the content that was previously available to the wider public. Instead, you’ll meet a Twitter window that asks you to either sign in to the platform or create a new account, effectively blocking you from viewing tweets and user profiles or browsing through threads unless you’re a registered Twitter user.


Twitter owner Elon Musk tweeted, claiming in a reply that the change is a “Temporary emergency measure,” blaming “data pillaging” for degrading the service for all users.

Amanda Silberling (Hacker News):

Like many of Twitter’s recent changes, this could easily backfire. If tweets aren’t publicly accessible, search engine algorithms could rank the site’s content lower, meaning that fewer people would be directed to the site from Google. Also, it’s just kind of annoying.

It also breaks Nitter, which is what I was using to get RSS feeds, since I don’t want to use the official client or Web site. I may check now and then to see if there’s anything interesting at the top of my timeline, but it’s no longer practical for me to be a completionist.

Ivan Mehta:

Over the weekend, Elon Musk limited the number of tweets users can read in a day, which he said was to prevent data scraping. While this measure has affected all Twitter users, TweetDeck users in particular are today reporting major problems, including notifications and entire columns failing to load.

Musk initially enforced read-limits of 6,000 daily posts for verified users and 600 daily posts for unverified users. Hours later, he increased these limits to 10,000 tweets and 1,000 tweets, respectively. Given that TweetDeck loads up multiple tweets through various columns simultaneously, it’s likely that the effects of the read restrictions are amplified within TweetDeck.

John Gruber:

The bigger, more fundamental change Musk instituted over the weekend is making it such that tweets aren’t visible unless you’re logged in to a Twitter account. This broke all sorts of things. Messaging apps (like Apple’s Messages) can no longer render preview cards for tweets, for one thing. Closer to home, it broke the @daringfireball auto-posting account. More amusingly, as documented by Sheldon Chang, this change completely broke Twitter itself — some part of the Rube Goldberg-ian machine that assembles users’ timeline feeds was itself subjected to these rate limits, so Twitter wound up DDOSing itself. It’s like a gasoline company instituting rations that stranded its own fleet of tanker trucks.


Now it’s a walled garden, like most of Facebook, available only to logged-in users. I suspect this change will prevent the Internet Archive from caching tweets, too. That just sucks.


Update (2023-07-06): Craig Hockenberry:

Take a moment and sign out of Twitter. I had no idea what was really going on until I did that (browser cookies from Twitter 1.0 were still around).

Now I see that 17 years of content I’ve generated has vanished from the public Internet.

Christopher Mackay:

People who spent years building websites that regularly linked-out to Twitter — now full of effectively dead links.

Update (2023-07-13): Stefan Labbé (via Hacker News):

A B.C. government Twitter account updating residents about driving conditions reached its tweet limit on a weekend it was sharing information about wildfire evacuations.


“It's kind of the end of public alerting through social media,” said Ryan Reynolds, an emergency preparedness consultant with Resilience Mapping Canada.

“These limits basically mean that we can't distribute that information quickly and easily at any scale.”