So ... has anybody actually checked to see if Apple has patched the vulnerability in git without bumping the version number, like pretty much every Linux distribution does for their stable releases?
You're joking, right? When I use software and I look at the version number, I like to know that it is what it says it is. If they are going to patch the vulnerability, then I want to know if they have done so.
Besides which, this whole question is missing the point somewhat. There is no easy way of updating the system supplied tools like git, even if you wanted to. The latest version of git is v2.8, and I think it would be grand if we could use a version less than 6 months old!
Hell, the same goes with any other system software.
>The latest version of git is v2.8, and I think it would be grand if we could use a version less than 6 months old!
Exactly. Apple are update nazis themselves (support for old versions is being dropped quickly and users are forced to update), so they should at least apply the same logic to system tools.
Inability to manually update the copy of a tool located in /usr is par for the course with most Linux distributions - in that case the kernel won't stop you from replacing the files (unless your distro has the root FS mounted RO), but the package manager will typically replace them right back the next time there's a minor update (same for OS X updates pre-SIP), and it's easy to accidentally break things. Instead, the recommended method is to generally install non-distro software in /usr/local or elsewhere and put the location on your PATH. Which, of course, works just as well on OS X, and it's what Homebrew and MacPorts do. I don't see the problem.
Perhaps they should. But then again, a large percentage of Linux users use distros that lag even further behind (albeit arguably with a better security fix backporting process)... stability is valuable too.
I'm not sure about this. Anyone who wants to use a decent Linux distro will get fairly frequent updates - Fedora, Debian, SuSE, Ubuntu and even Slackware get frequent updates and Fedora, Debian and SuSE are well known for backporting security fixes.
Apple are known to be tardy in taking their time to release security fixes unfortunately. This whole point might be mitigated if they were more responsive, but they aren't terribly. Your average Linux distro is far faster at updates even on LTS releases than Apple...
Windows is still targeted far more than Mac, it could be argued that the lack of impetus originates from this phenomenon.
I'm worried about when (not "if") this changes, people are snapping up Macs all around me and thusly the platform won't be protected from worms due to "hacker disinterest" forever.
Windows has UAC that does something similar, and the Windows\System32 directory can't be written to by an ordinary user. The malware I see doesn't install in this directory, but in Program Files - and they can't really lock this down.
The way that folks get themselves into a mess and get malware installed is largely via programs with network access. Locking down the /usr directory isn't going to prevent this sort of thing from occurring - what will stop it is not allowing users to run as admins by default, which OS X is doing already.
At which point, the way malware will get installed is via software vulnerabilities, in things like git. It won't be occurring because Apple stopped me from turning off the execute flag on potentially vulnerable programs like the git that they install by default.
> the Windows\System32 directory can't be written to by an ordinary user.
You need to be able to claim ownership from TrustedInstaller, so administrators only: yes (you'll need to acquire a UAC token, but the GUI prompts you automatically). You'll also need to turn off installation integrity to prevent Windows from replacing the file. All documented. It isn't obfuscated in any way whatsoever and I figured it out first time in 2 minutes with no Google.
Security through obfuscation is known to be a broken concept.
Yep, I know. What you are basically saying is that you need to turn off some settings and security mechanisms to bypass the integrity of the system. Which is precisely what most folks are doing on OS X - except they have to reboot their system, which I personally find insane. But given this, I don't see the point you are making.
Isn't this security through obfuscation precisely what Apple are doing right now?