Archive for November 30, 2023

Thursday, November 30, 2023


Romain Dillet (via Jason Snell):

While Amazon’s Kindle is the clear leader and Rakuten’s Kobo the obvious challenger, Vivlio has been building an open European alternative to these two tech giants. And it proves that you can compete with tech giants with a team of 35 as long as you have a distinct strategy with different goals.


From the very beginning, Vivlio bet that the book industry would remain fragmented — building yet-another-Amazon wouldn’t be a winning move. Vivlio signed a handful of partnerships with small and big chain bookstores so that it could run their e-book stores for them.


Vivlio contributed to Readium LCP, an open-source DRM solution that doesn’t require an Adobe account (or any third-party account). Many companies and public institutions have embraced LCP in recent years. Adobe’s DRM is still the leading protection system, but this technical move contributes to the open ecosystem philosophy behind Vivlio.


Vivlio partners with PocketBook for its e-book readers. But these devices aren’t just rebranded PocketBook devices, as the company adds a software layer so that they work with the entire Vivlio ecosystem. For instance, you can log in to your bookstore account directly on your Vivlio e-reader. All your purchases are automatically synchronized with your device and Vivlio’s cloud storage.

MarsEdit 5.1

Daniel Jalkut:

The addition of Mastodon support is a natural extension of the new Micropost Panel which was introduced in MarsEdit 5. I’ve prioritized the feedback of many users and added the ability to resize, add images, view character count, and more.

This is a welcome addition, although I haven’t settled on exactly how I want to use it yet. I like the support for multiple Mastodon accounts, the editor, and the way it can maintain a local archive. However, I still use Mona for most of my product-related posting because it can handle boosts, which MarsEdit neither posts nor archives.

HTML Entities are now ignored by syntax-highlighting and live spell checking

This doesn’t yet work for entities inside of HTML tags. I look forward to that being handled in a future version.

Fix a bug that sometimes caused spell checking to fail in Plain Text editing mode


Fix a crash that could occur when undoing text changes in the Plain Text editor

These two were affecting me a lot, and it’s great to have them fixed.


Update (2023-12-12): MarsEdit 5.1.1:

Fix syntax highlighting of [and spell checking with] entity references within HTML blocks

Fix a bug in which published posts sometimes remained in Local Drafts folder

Disk Images in Sonoma

Howard Oakley:

Band size is the maximum size of each band file, and determines two things: the number of band files, and how efficiently the whole sparse bundle can change in size. In most cases, the default is 8.4 MB, which generally works well for all but the largest of sparse bundles. There’s one important limit to bear in mind when setting band size: all the bands of a sparse bundle are stored inside a single folder. If the number of bands reaches the maximum for a single folder for the host file system, then it will start to fail, and you could lose part or all of its contents. Currently, in macOS with HFS+ or APFS, that critical number is believed to be 100,000 (an empirical guesstimate). So whatever you do, ensure that your sparse bundle will never need 100,000 or more band files, as that could spell disaster.


Note, though, that setting too small a band size may limit the maximum size for the whole sparse bundle. When creating very large sparse bundles, macOS may restrict their size if the chosen band size is too small.


This stopped working by macOS Ventura 13.3.1, since when hdiutil still goes through the same sequence but the password remains unchanged. As of Sonoma 14.1.1 this remains broken, as Apple has still not fixed this bug.


macOS 14.1.2

Juli Clover (release notes, security, developer, enterprise, full installer, M3, IPSW, M3):

According to Apple’s security support page, the update fixes two vulnerabilities that Apple says were exploited on versions of iOS earlier than iOS 16.7.1.

See also: Mr. Macintosh and Howard Oakley.


Update (2023-12-08): Nick Heer:

According to Project Zero’s spreadsheet, Apple patched ten zero-days in 2022, thirteen in 2021, three in 2020, two in 2019, three in 2016, and none in 2018, 2017, 2015, and 2014. It seems like a similar story across the board: the 2014 spreadsheet contains just eleven entries total, while the 2023 sheet contains fifty-six so far.

Howard Oakley:

It has been more than four months since Apple last released a Rapid Security Response (RSR), but last week’s Sonoma update to version 14.1.2 looked like it should have come as one. It fixed two vulnerabilities, both in WebKit, that were already being exploited in older versions of iOS. Does the fact that it didn’t come as an RSR indicate that Apple has given up with them already?


If that was the complete account of what Apple yet again glosses over as “important bug fixes and security updates”, maybe. But there was slightly more to the 14.1.2 update than just those two patches to WebKit. Also updated, albeit with small changes in build number, are /System/Library/CoreServices/UAUPlugins/SafariUserAccountUpdater.bundle and /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework. Whether Apple was alluding to those as “important bug fixes” or they were consequences of the fixes to WebKit we’ll never know, but it’s clear that the 14.1.2 update again required more than an RSR.

Howard Oakley:

We’re currently in another phase when that’s the case: while those Macs released before September should now be running macOS 14.1.2 build 23B92, M3 models from November have their own build number of 23B2091.

This means that if you have an M3 and an older model, they’re running incompatible releases of macOS.


There are other differences that are harder to explain, like an apparently much newer build of the News app, which has reached 3529.0.3 on all other Macs, but the M3’s build number is given as 5323, as do all the private frameworks that support it, despite having the same version number of 9.1.

Howard Oakley:

The red menu bar usually appears when switching between Stage contents, shown here when bringing the X (formerly Twitter) app and Safari onto the Stage. While the new windows appear correctly, instead of switching to the correct menu for either of them, the menu bar turns red and loses the menus that should appear at the left, for the front app.

iOS 17.1.2 and iPadOS 17.1.2

Juli Clover (release notes, security, developer):

iOS 17.1.2 includes important security fixes. Specifically, the update addresses vulnerabilities that may have been exploited in earlier versions of iOS.

Processing web content may disclose sensitive information.


Processing web content may lead to arbitrary code execution.