Archive for August 2, 2024

Friday, August 2, 2024

Securing Virtual Machines on Apple Silicon

Howard Oakley:

In addition to Sequoia VMs on Apple silicon Macs being able to use services such as iCloud using Apple ID, they now appear able to support full-strength FileVault when Apple ID is activated. This contrasts with FileVault supported by previous macOS guests, which appears comparable to that provided by Intel Macs without T2 chips, or on external disks of any Mac, in that the Secure Enclave isn’t involved in protecting their encryption keys, as explained in Apple’s Platform Security Guide. Thus an attacker who has access to an older VM could copy that and attempt to gain access by brute force.

[…]

The best that a VM has been able to offer before Sequoia is relative privacy, but little more protection than already available on the host’s internal SSD. That assumes you store your VMs on the internal Data volume, which isn’t good practice in terms of snapshots and backups, as those will be significantly larger as a result. Storing VMs externally benefits from encrypted APFS, but that’s not as robust as full-strength FileVault.

If you want to set up a private VM using lightweight virtualisation on Apple silicon[…]


Unread RSS Reader for Mac

John Brayton:

Unread for Mac is a native Mac app. The user interface is built with AppKit and a touch of SwiftUI.

[…]

Like on iPhone and iPad, on Mac you can easily switch between showing feed text, webpage text, or both for an individual article.

The latter is for feeds that contain only a summary.

Unread is a free app. Premium features are available with a subscription.

The subscription is $4.99/month or $29.99/year. An interesting feature is “Save to Unread,” which lets you add random (non-feed) pages from your Web browser to read in the app.

It’s not AppleScriptable, so it can’t work with EagleFiler’s capture key, but it does work with the share extension so that you can save articles after reading them.

See also: Niléane Dorffer.


The Switch From File Paths to URLs

Quinn:

I don’t think we ever documented this officially, but to understand this choice you have to look at the history of macOS. Traditional Mac OS did not use paths a lot. Rather, files were identified by an FSSpec, which contains a volume identifier, a directory ID, and a name. The directory ID was an HFS [Plus] catalogue node ID (CNID), which is kinda like an inode number.

Additionally, starting with System 7 it was possible to track a file with a volume identifier and the file ID, that is, the CNID of the file itself.

This was quite tricky to support on a Unix-y platform like Mac OS X. At the lowest levels of the system you needed the ability to manipulate files based on CNIDs rather than paths. For an explanation of how this was done, see QA1113 The “/.vol” directory and “volfs” (note, however, that volfs is no longer a thing and the same functionality is now implemented in a very different way).

[…]

So far, so much obscure backward compatibility. However, since we made the decision to use file URLs we’ve exploited that to significant advantage[…]

Via Matt Gallagher:

There’s a lesson about attaching data (like security attributes) to an opaque interface (like NSURL). Because my mental model of NSURL is as plain RFC-3986 storage, these attributes are easy to lose and the security behaviours are easy to forget, when moving data around an app (I wish we received a bookmark type that made this explicit).

Jim Luther:

The original proposal was not to use a NS/CFString object encapsulating the path or a NS/CFURL object, and instead use a new object type to identify a file’s location, to cache properties, etc. That idea was vetoed in early API reviews because there were already APIs that took file locations as paths or URLs. We were told to pick path or URL. We chose URL objects over string objects.

I still think a new object type would have been cleaner and better in the long run. 🤷‍♂️

[…]

FSRefs were not objects so they didn’t fit into the Cocoa (or CoreFoundation) API memory model. They were also a fixed size glob of memory so expanding their functionality was very difficult. One of the things I did in my last year at Apple was to make the old Carbon File Manager work well with APFS and its 64-bit inode numbers. That meant shoehorning 64-bit file and folder ids into FSRefs and translating them to 32-bit ids for the old File Manager API. Fun hacking 😀


Snapshots Aren’t Backups

Howard Oakley:

What is different is that restoring a whole volume from a snapshot is a one-way trip, and there is no undo. This is because snapshots subsequent to that used to restore from will be removed, and you won’t then be able to ‘roll forward’ to a later snapshot. That contrasts with a normal backup, where items remain available from any other backup that is retained in the backup store.

[…]

Because snapshots share the same container as the current volume, and share many file extents with them, they are prone to common errors. In particular, common file extents make it more likely that faults occurring in extents and data storage will affect them both. This is particularly important as one of the most common file system errors that corrupts data in files occurs when extents for two separate files overlap. A snapshot is thus more vulnerable than a backup on a different disk, or even one in a different container on the same physical store.

[…]

Snapshots do have one specific advantage over backups when it comes to their coverage. As they include the whole file system metadata for the volume, no items present in that volume are excluded from its snapshots. If you want to restore an item that has been excluded from backups made of any volume, you can therefore do that from its latest snapshot, if that item was present in the volume at the time that was made.

The only disadvantage to this is that snapshots can be disproportionately large compared to volume backups.

Snapshots are a great tool, but they don’t replace backups. The combination can be powerful. All my clone backups are now to APFS drives that make a new snapshot for each backup. I would like to be able to restore previous versions of files or folders from a year ago or more. Every once in a while I archive a clone drive and stop updating it. But I don’t have enough drives in rotation to keep a version for each week or month. Snapshots make that possible, albeit with less redundancy. Unfortunately, Mac backup software has kind of regressed in that it no longer provides great tools for browsing and searching old versions, but at least with snapshots we can easily and efficiently store them.
