10 Replies Latest reply: Oct 27, 2013 7:28 AM by clemensg
clemensg Level 1 (0 points)

Hi, why can't Apple update to current stable versions of OpenSSL (1.0.1e), Ruby (2.0), Rails (3.2.13), etc.? Why can't Apple ship current stable versions of all the command line tools like emacs, vi, zsh, ruby, python, etc.? And Rails 2 must be a joke, that's extremely outdated. Why is this?

I don't understand it. Sure, I can upgrade my userland myself with Homebrew, etc., but it would be nice if Apple didn't forget the pro users and therefore shipped a modern userland.

It looks like there was a time when current versions were shipped, but now it's not interesting anymore and only security fixes are released.

Any thoughts on that?

Regards,

Clemens


OS X Mountain Lion (10.8.4)
  • BobHarris Level 6 (14,930 points)

    Unix command line tools are not Apple's core business. Consumers (as in the general public, not pros) are Apple's target, and that audience has made them a success. Not the command line user.

    Minor Mac OS X updates (10.8.1, 10.8.2, …) will want to avoid destabilizing any scripts that depend on an open source command. And you have to admit, many open source projects are perfectly happy to change how options work on a command or utility just because they think it is a good idea.

    Changes to command line utilities as part of a major Mac OS X release will not touch any open source project that has switched to a restrictive license, such as GPL 3, as Apple does not wish to be forced to open source all of Mac OS X. This is why some packages use BSD versions, instead of GNU versions, or have been replaced by Apple-written versions, such as Samba.

  • Mark Jalbert Level 5 (4,575 points)

    OS X/Darwin follows the design philosophy of its cousin FreeBSD. The base system is only upgraded when a new OS version is released. Upgrades may or may not be the latest version of a software package. If the tool does its job and does it well then it may not be upgraded. The idea is "the latest version may not equate to a better version" or "if it ain't broke, then don't fix it". So, the base system on your version of OS X will only be patched when there is a security concern or severe bug.

  • FireballDWF Level 1 (0 points)

    OS X Mavericks counts as a "new OS version", right? The version of openssl included is 0.9.8y, while 1.0.1e was released 2/11/2013, which includes significant improvements like TLS 1.2 with more secure ciphers. Given consumers' privacy concerns related to NSA snooping, Apple should be working on upgrading the version of openssl they support in OSX.

  • clemensg Level 1 (0 points)

    Right, I don't understand why Apple did not update OpenSSL. Is it just because Apple's core OS developers were too lazy to update their patches to apply on 1.0.1e?

    Even FreeBSD updated OpenSSL with FreeBSD 10.

    Major releases have the benefit of being able to update major system components. Why stay at the 0.9.8 branch?

    There are too many important improvements and features in 1.0.1e... Apple engineers should know that.. FireballDWF mentioned TLS 1.2.. this is a very important feature! Especially considering the latest NSA leaks.

    To say something positive: Apple did update some packages, for example curl.

    But the majority is still very old.

    The bash version used in Mavericks is 6 years old..

    Do you think it helps to create a feature request to update OpenSSL, etc. at radar.apple.com? (I am thinking about Mac OS X 10.10)

  • etresoft Level 7 (25,950 points)

    OpenSSL 0.9.8y includes all of the current security fixes in 1.0.1e. Newer versions of OpenSSL are adding new features. Any actual vulnerabilities always get applied to the 0.9.8 branch as well.

    The Mac is not Linux. It is a completely different world. The last time Apple actually adopted a new security protocol was in 2002. Then, when Apple actually turned off support for the old protocol in 2011 I think, every 3rd party NAS and AFP file server in the world promptly stopped working with OS X. Ironically, they all used Linux and were running a version of OpenSSL "newer" than Apple's.

    Rest assured that Apple is not going to include any insecure system software. If and when Apple needs to update OpenSSL, it will. You can also rest assured that the NSA doesn't care about consumer activity. They have other interests.

    https://discussions.apple.com/message/18517221#18517221

  • Mark Jalbert Level 5 (4,575 points)
    [KSH_93u+] $ /usr/bin/openssl version
    OpenSSL 0.9.8y 5 Feb 2013
    

    I guess 0.9.8y was also released about the same time (supplied by Apple- OS 10.6.8). If you feel that you need a version greater than supplied by the distribution then you can always "roll your own" or use a package management system to keep the software to the highest current version.
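
A version check for the point debated in this thread (0.9.8y versus 1.0.1e and TLS 1.2), as an added example that is not part of any post. The function name `openssl_has_tls12` and its return codes are assumptions made here, and the second sample banner is constructed.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner by TLS 1.2 capability.
# Assumption: only banners of the form "OpenSSL <maj>.<min>.<fix>[letter] ..." are
# handled; TLS 1.1/1.2 support first shipped in the OpenSSL 1.0.1 branch.
# Return codes: 0 = TLS 1.2 capable, 1 = older branch, 2 = banner not recognised.
openssl_has_tls12() {
    banner=$1
    case $banner in
        "OpenSSL "[0-9]*) ;;
        *) return 2 ;;
    esac
    ver=${banner#OpenSSL }   # drop the product name
    ver=${ver%% *}           # drop the build date
    # Keep the three numeric fields; the patch letter ("y", "e") is irrelevant here.
    nums=$(printf '%s\n' "$ver" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$nums" ] || return 2
    set -- $nums
    major=$1 minor=$2 fix=$3
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 0 ]; then return 0; fi
    [ "$fix" -ge 1 ]   # 1.0.0x lacks TLS 1.2, 1.0.1 and later have it
}

# Constructed sample banners: the first is the one quoted in the thread,
# the second uses the 1.0.1e release date given in the thread.
for b in "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1e 11 Feb 2013"; do
    if openssl_has_tls12 "$b"; then
        echo "$b: TLS 1.2 capable"
    else
        echo "$b: no TLS 1.2 (or unrecognised banner)"
    fi
done
# To check the local binary: openssl_has_tls12 "$(openssl version)"
```

The check only says what the library can negotiate; an application linked against a different TLS stack is not covered by it.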

  • clemensg Level 1 (0 points)

    @etresoft: My point was: It's about new features, which can in fact also be security-relevant. TLS 1.2 for example is a new feature and a big security enhancement. New security protocols cannot be introduced as bug fix releases to old branches.

    Look, I know that the 0.9.8 branch receives security fixes, but using TLS 1.2 will improve security of HTTPS / IMAPS / etc.

    Mavericks would have been a chance to update to 1.0.1e, but Apple did not take it. Maybe they do for 10.10.. I'll create a feature request.

    @Mark Jalbert: Of course, I use Homebrew for that. But it's not about me and my system, this is a general criticism: I want OS X to be more secure for the average user, not only for a handful of people who roll their own OpenSSL...

  • etresoft Level 7 (25,950 points)

    clemensg wrote:

    But the majority is still very old.

    The bash version used in Mavericks is 6 years old.

    That is a completely different issue. Bash, and a few other key pieces of open source software, switched to the GPLv3 license sometime in 2007. That license was designed specifically to keep Apple from using the software.

    The version of bash on Mavericks is all that you will ever, ever get unless you build your own. I suggest trying out zsh which is under no such licensing constraints. The latest version of zsh is included in Mavericks.

    Do you think it helps to create a feature request to update OpenSSL, etc. at radar.apple.com? (I am thinking about Mac OS X 10.10)

    That would be a good idea. While I understand Apple's approach, it isn't great from a marketing perspective. Apple really does need to switch to the latest OpenSSL, even if only for appearance's sake.

  • Mark Jalbert Level 5 (4,575 points)

    Hi clemensg,

    Simply compiling one piece of software isn't as trivial as one may think. I don't think Apple's software engineers are lazy. In fact, I may have found the answer to why openssl was not upgraded- http://curl.haxx.se/mail/archive-2013-10/0036.html

  • clemensg Level 1 (0 points)

    That's an interesting point, thanks: They switched to their own implementation, which already supports TLS 1.2. In that case, I understand why they don't care anymore about OpenSSL.

    Is this the backend used instead of OpenSSL?

    https://developer.apple.com/library/mac/documentation/security/Reference/secureTransportRef/Reference/reference.html

    (Maybe not up to date)