Why does Apple only "update" to already outdated versions

Unix command line tools are not Apple's core business. Consumer (as in the general public, not pros) are Apple's target, and that audience has made them a success. Not the command line user.

Minor Mac OS X updates (10.8.1, 10.8.2, …) will want to avoid destabilizing any scripts that depend on an open source command. And you have to admit, many open source projects are perfectly happy to change how options work on a command or utility just because they think it is a good idea.

Changes to command line utilities as part of a major Mac OS X releases will not touch any open source project that has switched to a restrictive license, such as GPL 3, as Apple does not wish to be forced to open source all of Mac OS X. This is why some packages use BSD versions, instead of GNU versions, or have been replaced by Apple written versions, such as Samba.

OS X/Darwin follows the design philosophy of it's cousin FreeBSD. The base system is only upgraded when a new OS version is released. Upgrades may or may not be the latest version of a software package. If the tool does it job and does it well then it may not be upgraded. The idea is " the lastest version may not equate to a better version" or "if it ain't broke, then don't fix it". So, the base system on your version of OS X will only be patched when there is a security concern or severe bug.

OS X Mavericks counts as a "new OS version", right? The version of openssl included is 0.9.8y, while 1.0.1e was released 2/11/2013, which includes significant improvements like TLS 1.2 with more secure ciphers. Given consumer's privacy concerns related to NSA snooping, Apple should be working on upgrading the version of openssl they support in OSX.

OpenSSL 0.9.8y includes all of the current security fixes in 1.0.1e. Newer versions of OpenSSL are adding new features. Any actual vulnerabilities always get applied to the 0.9.8 branch as well.

The Mac is not Linux. It is a completely different world. The last time Apple actually adopted a new security protocol was in 2002. Then, when Apple actually turned off support for the old protocol in 2011 I think, every 3rd party NAS and AFP file server in the world promptly stopped working with OS X. Ironically, they all used Linux and were running a version of OpenSSL "newer" than Apple's.

Rest assured that Apple is not going to include any insecure system software. If and when Apple need to update OpenSSL, it will. You can also rest assured that the NSA doesn't care about consumer activity. They have other interests.

https://discussions.apple.com/thread/3982687?answerId=18517221022#18517221022

[KSH_93u+] $ /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013

I guess 0.9.8y was also released about the same time (supplied by Apple- OS 10.6.8). If you feel that you need a version greater than supplied by the distribution then you can always "roll your own" or used a package management system to keep the software to the highest current version.

clemensg wrote:

But the majority is still very old. 😟

The bash version used in Mavericks is 6 years old.

That is a completely different issue. Bash, and a few other key pieces of open source software, switched to the GPLv3 license sometime in 2007. That license was designed specifically to keep Apple from using the software.

The version of bash on Mavericks is all that you will ever, ever get unless you build your own. I suggest trying out zsh which is under no such licensing contraints. The lastest version of zsh is included in Mavericks.

Do you think it helps to create a feature request to update OpenSSL, etc. at radar.apple.com ? (I am thinking about Mac OS X 10.10)

That would be a good idea. While I understand Apple's approach, it isn't great from a marketing perspective. Apple really does need to switch to the latest OpenSSL, even if only for appearance's sake.

Hi clemensg,

Simply compiling one piece of software isn't as trivial as one may think. I don't think Apple's software engineers are lazy. In fact, I may have found the answer to why openssl was not upgraded- http://curl.haxx.se/mail/archive-2013-10/0036.html