
HT5784: About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002


HT5784 Why does Apple only "update" to already outdated versions

1010 Views 10 Replies Latest reply: Oct 27, 2013 7:28 AM by clemensg
clemensg
Jun 5, 2013 3:45 AM

Hi, why can't Apple update to current stable versions of OpenSSL (1.0.1e), Ruby (2.0), Rails (3.2.13), etc.? Why can't Apple ship current stable versions of all the command line tools like emacs, vi, zsh, ruby, python, etc.? And Rails 2 must be a joke, that's extremely outdated. Why is this?

I don't understand it. Sure, I can upgrade my userland myself with Homebrew, etc., but it would be nice if Apple didn't forget the pro users and therefore shipped a modern userland.

It looks like there was a time when current versions were shipped, but now it's not interesting anymore and only security fixes are released.

Any thoughts on that?

Regards,

Clemens

OS X Mountain Lion (10.8.4)
  • BobHarris Level 6 (12,505 points)

    Unix command line tools are not Apple's core business. Consumers (as in the general public, not pros) are Apple's target, and that audience has made them a success. Not the command line user.

     

    Minor Mac OS X updates (10.8.1, 10.8.2, …) will want to avoid destabilizing any scripts that depend on an open source command. And you have to admit, many open source projects are perfectly happy to change how options work on a command or utility just because they think it is a good idea.

     

    Changes to command line utilities as part of major Mac OS X releases will not touch any open source project that has switched to a restrictive license, such as GPL 3, as Apple does not wish to be forced to open source all of Mac OS X. This is why some packages use BSD versions, instead of GNU versions, or have been replaced by Apple-written versions, such as Samba.

  • Mark Jalbert Level 5 (4,385 points)

    OS X/Darwin follows the design philosophy of its cousin FreeBSD. The base system is only upgraded when a new OS version is released. Upgrades may or may not be the latest version of a software package. If the tool does its job and does it well then it may not be upgraded. The idea is "the latest version may not equate to a better version" or "if it ain't broke, then don't fix it". So, the base system on your version of OS X will only be patched when there is a security concern or severe bug.

  • FireballDWF

    OS X Mavericks counts as a "new OS version", right? The version of openssl included is 0.9.8y, while 1.0.1e was released 2/11/2013, which includes significant improvements like TLS 1.2 with more secure ciphers. Given consumers' privacy concerns related to NSA snooping, Apple should be working on upgrading the version of openssl they support in OSX.

  • etresoft Level 7 (23,895 points)

    OpenSSL 0.9.8y includes all of the current security fixes in 1.0.1e. Newer versions of OpenSSL are adding new features. Any actual vulnerabilities always get applied to the 0.9.8 branch as well.

     

    The Mac is not Linux. It is a completely different world. The last time Apple actually adopted a new security protocol was in 2002. Then, when Apple actually turned off support for the old protocol in 2011 I think, every 3rd party NAS and AFP file server in the world promptly stopped working with OS X. Ironically, they all used Linux and were running a version of OpenSSL "newer" than Apple's.

     

    Rest assured that Apple is not going to include any insecure system software. If and when Apple needs to update OpenSSL, it will. You can also rest assured that the NSA doesn't care about consumer activity. They have other interests.

     

    https://discussions.apple.com/message/18517221#18517221

  • Mark Jalbert Level 5 (4,385 points)
    [KSH_93u+] $ /usr/bin/openssl version
    OpenSSL 0.9.8y 5 Feb 2013
    

    I guess 0.9.8y was also released about the same time (supplied by Apple- OS 10.6.8). If you feel that you need a version greater than supplied by the distribution then you can always "roll your own" or use a package management system to keep the software to the highest current version.
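
The version comparison this thread turns on, as an added example that is not part of any poster's message: POSIX shell functions that parse an `openssl version` banner like the one shown above and report whether that branch can negotiate TLS 1.2, which arrived with OpenSSL 1.0.1. The function names are hypothetical, and the 1.0.1e banner is constructed from the release date quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify an `openssl version` banner.
# Assumption stated in the lead-in: TLS 1.1/1.2 first shipped in the 1.0.1
# branch, so 0.9.8 and 1.0.0 builds top out at TLS 1.0 whatever their patch letter.

# Print "major minor fix" for a banner such as "OpenSSL 0.9.8y 5 Feb 2013".
# Returns 1 when the banner is not an OpenSSL banner with a dotted version.
ossl_parse_version() {
    case $1 in
        "OpenSSL "*) ;;
        *) return 1 ;;
    esac
    ver=${1#OpenSSL }                                   # "0.9.8y 5 Feb 2013"
    ver=${ver%% *}                                      # "0.9.8y"
    ver=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')  # drop patch letter / "-fips"
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                                         # split on dots
    IFS=$old_ifs
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Exit status 0: branch is 1.0.1 or newer (TLS 1.2 available).
# Exit status 1: older branch. Exit status 2: banner not recognised.
ossl_has_tls12() {
    parts=$(ossl_parse_version "$1") || return 2
    set -- $parts
    [ "$1" -gt 1 ] && return 0
    [ "$1" -lt 1 ] && return 1
    [ "$2" -gt 0 ] && return 0      # 1.1.x and later 1.x
    [ "$3" -ge 1 ]                  # 1.0.1 yes, 1.0.0 no
}

# Sample banners: the first is the output quoted above, the second is constructed.
for banner in "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1e 11 Feb 2013"; do
    if ossl_has_tls12 "$banner"; then
        verdict="TLS 1.2 available"
    else
        verdict="TLS 1.0 at best"
    fi
    printf '%s -> %s\n' "$banner" "$verdict"
done
```

To check a live system, pass the real banner: `ossl_has_tls12 "$(/usr/bin/openssl version)"`.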

  • etresoft Level 7 (23,895 points)

    clemensg wrote:

    > But the majority is still very old.
    > The bash version used in Mavericks is 6 years old.

    That is a completely different issue. Bash, and a few other key pieces of open source software, switched to the GPLv3 license sometime in 2007. That license was designed specifically to keep Apple from using the software.

    The version of bash on Mavericks is all that you will ever, ever get unless you build your own. I suggest trying out zsh which is under no such licensing constraints. The latest version of zsh is included in Mavericks.

    > Do you think it helps to create a feature request to update OpenSSL, etc. at radar.apple.com? (I am thinking about Mac OS X 10.10)

    That would be a good idea. While I understand Apple's approach, it isn't great from a marketing perspective. Apple really does need to switch to the latest OpenSSL, even if only for appearance's sake.

  • Mark Jalbert Level 5 (4,385 points)

    Hi clemensg,

    Simply compiling one piece of software isn't as trivial as one may think. I don't think Apple's software engineers are lazy. In fact, I may have found the answer to why openssl was not upgraded- http://curl.haxx.se/mail/archive-2013-10/0036.html
